--On Tuesday, February 6, 2024 4:27 PM +0000 Norman Gray <[email protected]> wrote:


Store what department(s) they belong to as an attribute in their user entry.

I take the point, and I certainly wouldn't organise things this way if
_I_ were king.

In this case, though, dept1, dept2, and so on, are separate
administrative domains, in both IT terms and real bureaucratic ones, and
this is an attempt to bring some sort of coherence to a bit of historic
anarchy (and yes, there is an ou=staff layer in the middle of the real
trees).

Everyone more-or-less agrees on the names and uidNumbers in dept1, but
there might be a local 'norman' in both dept2 and dept3, or people in
those trees with historically colliding UIDs.  The result is that systems
in dept2 will acknowledge users in ou=dept1 and ou=dept2, users in dept3
acknowledge ou=dept1 and dept3 but ignore ou=dept2, and so on.  I expect
that names will soon no longer be created in the deptN trees (pretty
please?), in favour of the dept1 tree, and the ou=staff parts of those
will atrophy, but I'll be retired by then.

If there's a different way of approaching that particular problem,
though, right now is the time for me to be rethinking this, so I'm open
to challenge.

Ah, ok I thought you were setting up a new server. Since it was historically done this way, yeah, best thing is to slowly fix the data until it can be done correctly. Sounds like it would take an institutional commitment to resolving the collisions to ever fix this fully.

--Quanah
