blamblambunny

Reputation: 755

New to LDAP schema design

I'm new to LDAP but have a project that requires it*. I'm looking for suggestions on how to organize the database.

There are three components: users, sites and studies. A user belongs to one site and one study; a site can have multiple studies. A site can also have multiple domains (not just DN entries; they might have site1.org, site2.com, and so on.) Finally, some piece of identifying site and study information is being used in another database -- I can't use the name of the site or study but a UID of some sort would work fine.

My initial stab at this has users, sites and study information in three OUs; each entry has a UID guaranteed to be unique for that entity. Each user entry has a site and a study attribute but their distinguished name is "uid=[username],ou=users". Similarly, the site and studies have DNs "uid=[uidvalue],ou=[site|study]"

I have two questions:

  1. Does the above schema make sense? I'm only a little ways along now and would like to make sure I'm on the right path before going too far.
  2. How do I represent multiple domains for the site? It seems like multiple DN attributes would just be confusing, especially since they're simply attributes and not part of the distinguished name.

Thanks for your help!

-j

(*) Because various services on which the system relies use LDAP for authentication -- and, besides, it seems to make architectural sense anyway

Upvotes: 1

Views: 354

Answers (1)

user207421

Reputation: 310860

I strongly recommend you use existing schemata. For example:

  • inetOrgPerson for people
  • organization or organizationalUnit for sites
  • domain for domains
  • not sure what is appropriate for study, possibly documentSeries or document.

To answer your questions:

  1. Does the above schema make sense?

Yes. You should beware the tendency to use the hierarchy to represent possibly temporary organization of the objects in the tree. You should use attributes for that, as you are.

  2. How do I represent multiple domains for the site? It seems like multiple DN attributes would just be confusing, especially since they're simply attributes and not part of the distinguished name.

I don't see that. Multiple DN entries are OK, or multiple domain sub-objects. If a site has multiple domains it isn't appropriate for domain to be part of the DN.

Upvotes: 2
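
The layout discussed in the answer, written out as LDIF; this is an added example, not part of the original question or answer. The base DN, uid values and names are constructed, and three choices are assumptions of the example: the standard uidObject auxiliary class to permit uid in the site and study RDNs, domainRelatedObject with associatedDomain for the site's multiple domains, and o and seeAlso as stand-ins for the user's site and study attributes.

```ldif
# Constructed sample data: base DN, uid values and names are assumptions.
# The base entry dc=example,dc=org is assumed to exist already.
# Containers are flat; site and study membership is never part of a DN.
dn: ou=users,dc=example,dc=org
objectClass: organizationalUnit
ou: users

dn: ou=sites,dc=example,dc=org
objectClass: organizationalUnit
ou: sites

dn: ou=studies,dc=example,dc=org
objectClass: organizationalUnit
ou: studies

# Site: named by an opaque uid (uidObject allows uid on an organization).
# Its DNS domains are multi-valued attributes, not RDN components.
dn: uid=s-1001,ou=sites,dc=example,dc=org
objectClass: organization
objectClass: uidObject
objectClass: domainRelatedObject
o: Site One
uid: s-1001
associatedDomain: site1.org
associatedDomain: site2.com

# Study: documentSeries is the answer's tentative suggestion.
dn: uid=st-2001,ou=studies,dc=example,dc=org
objectClass: documentSeries
objectClass: uidObject
cn: Study Alpha
uid: st-2001

# User: DN is uid=[username],ou=users as in the question.
# o and seeAlso stand in for the question's site and study attributes.
dn: uid=jdoe,ou=users,dc=example,dc=org
objectClass: inetOrgPerson
cn: Jane Doe
sn: Doe
uid: jdoe
o: s-1001
seeAlso: uid=st-2001,ou=studies,dc=example,dc=org
```

With this layout, moving a user to another site or study is an attribute modify rather than a rename of the entry, so the DN that services bind with stays stable.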
