On Tue, Jul 17, 2012 at 7:42 PM, Gavin Henry <[email protected]> wrote:
>
> What lives under ou=CompanyA etc? User accounts? Something we do for
> this to keep the DIT level shallow, is to keep all user accounts in
> ou=Users and filter based on o=CompanyA which is an attribute on that
> user entry. Then you can use slapo-dynlist to create company groups
> etc.
>

Each backend (or 1 if I keep everything together on the master) has indeed an ou=People (or Users, doesn't matter) with PosixAccount and an ou=groups (using rfc2307bis to combine posixGroup and groupOfNames).

Indeed, I want the DIT level to be kept shallow. Maybe I can try something with slapo-dynlist, as I will use the overlay to create dynamic groups with memberURL anyway.

> Not sure what ACLs you've got or the overall function of your
> directory server to advise a new DIT.

For the moment I have no special ACLs.

OT: In the end, my goal is to provide an integrated directory service, for three affiliated companies. Primary goal for Linux authentication/authorization, puppet node configs, netgroups, sudo and ssh.... Secondary goal app data or users.

Not easy if you want the directory to be perfect ;-)

Thx a lot for the very useful responses!
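The layout suggested in the quoted reply (all accounts in ou=Users, company groups built by slapo-dynlist from the o attribute), sketched as an added example that is not part of the original thread. The suffix dc=example,dc=com, the database DN olcDatabase={1}mdb, the user jdoe and the group name companya are assumptions.

```ldif
# Added example: cn=config form of the dynlist overlay.
# Assumes the dynlist module is already loaded and dyngroup.schema
# (which defines groupOfURLs and memberURL) is included.
dn: olcOverlay=dynlist,olcDatabase={1}mdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcDynamicList
olcOverlay: dynlist
# For groupOfURLs entries, expand memberURL and return the DNs of
# the matching entries as values of "member".
olcDlAttrSet: groupOfURLs memberURL member

# Constructed sample user: lives in the flat ou=Users container and
# carries its company in the "o" attribute (allowed by inetOrgPerson).
dn: uid=jdoe,ou=Users,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
cn: John Doe
sn: Doe
uid: jdoe
uidNumber: 10001
gidNumber: 10001
homeDirectory: /home/jdoe
o: CompanyA

# Dynamic company group: one-level search under ou=Users for every
# entry whose "o" value is CompanyA.
dn: cn=companya,ou=groups,dc=example,dc=com
objectClass: groupOfURLs
cn: companya
memberURL: ldap:///ou=Users,dc=example,dc=com??one?(o=CompanyA)
```

With this layout, write access to the o attribute is effectively write access to group membership, so whatever ACLs are added later should limit who may modify o on user entries. By default dynlist expands memberURL with the identity of the bound client, so a reader only sees the members their own ACLs allow.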
