- 06-03-2005 #1 (Just Joined!; Join Date: Feb 2005; Location: Lomm - Netherlands; Posts: 80)
LDAP is giving me a headache (schema drawing)
I am planning to use a directory server (the new Red Hat directory server) on my network for authenticating on the web-, mail- and fileserver.
The webserver also serves home directories.
When reading the docs, I see there are two possibilities for setting up the tree (both are possible, both are plausible). (dn= dc=, dc= OR dn= o=, c=)
Then ... I don't know. I can use users, companies and powerusers for the next level and use web, mail, fileserv, homespace as groups, or the other way around....
Who can give me more advice about this? (about 75 users)
DN= DC=example, DC=nl or DN= O=example, C=nl
OU=web ou=mail ou=fileserv ou=homespace or ou=users ou=companies ou=powerusers
- 06-05-2005 #2
For my machine I've used "dc=zeus" as my BASE_DN. My understanding is that you can have whatever you like, but I'd recommend just "dc=server_name" unless you've got a domain, then you should have "dc=sld,dc=tld" if your domain is "sld.tld".
Regards Scienitca (registered user #335819 - http://counter.li.org )
--
A master is nothing more than a student who knows something of which he can teach to other students.
- 06-05-2005 #3 (Just Joined!; Join Date: Feb 2005; Location: Lomm - Netherlands; Posts: 80)
We have multiple domains, although only one is used for this network. So our base_dn = dc=example,dc=nl
We have a few groups and a few services.
Should we place the groups on the next level, or the services?
- 06-05-2005 #4
Well, it seems (unless I've misunderstood you) you're basically choosing a way of organizing them, either by their "group" or by their "service" (their access to the services).
I'm thinking about which would give the lesser headache, i.e., which is easiest to handle, now and in the future with many times the people and services/groups.
I think I'd ask myself these questions: (no specific order)
- How many people belong to multiple groups/services?
- Are the services "subordinates" of groups? (or are the groups sorted under a service? (e.g. group A deals with the code behind the web, and group B deals with its design/graphics on the web and some other service -- or does everyone under the service "web" do all the web-related stuff (possibly with subgroups under them, but the design part of them is "restricted to the web" service, and not doing work for other services)))
- Which service "feels" best - that is, which is the one that you for some reason directly feel like, "hmm, just out of the blue I felt it made most sense to do it in groups as it's more 'sane'/'effective' to have it sorted in groups as the design team is working in both service A and B -- or it's easier to handle permissions with people sorted under services, i.e., when Johnny A designs something for the web he'll log on with his web context/DN and inherit the web service's rights"
- Would a hybrid be possible? Can groups and services co-exist? (e.g., one could have a "Design" group which does all design, and a "Web" service/"group" where all web-specific stuff goes - one could imagine setting things up so that the design group only gets access to a design sub-section of the web stuff, while everyone in web inherits access to all of the web stuff)
- What do the victims think about the organization? (e.g., the people doing the work on the floor, what's their reality, how do they work, how do they think they work effectively?) -- listening to the users can give good clues to a good setup. The alternative is/could be to make things transparent to them, e.g., they just log on and do what they're supposed to do without any clue as to how things are organized under the hood (might not be possible, I can't think of anything that works 100% transparently, or really always "just works")
... wonder if the above is of any help or just confusing things..
Regards Scienitca (registered user #335819 - http://counter.li.org )
--
A master is nothing more than a student who knows something of which he can teach to other students.
- 06-06-2005 #5 (Just Joined!; Join Date: Feb 2005; Location: Lomm - Netherlands; Posts: 80)
I think I got it. Please correct me if I'm wrong.
1 webserver/ mysql server, 1 mailserver, 1 fileserver (fileserv1+2), 1 authentication server (and /home/<users>)
fileserver serves 2 directories; 1 for users, 1 for companies
4 users in powerusers
7 users in companies
64 users in users
powerusers have 30MB web(space), 2 mail(boxes 10MB), 100MB homespace, access fileserv1
companies have 100MB web(space), 10 mail(boxes 10MB), 250MB homespace, access fileserv2
users have 20MB web(space), 1 mail(box 10MB), access fileserv1
first level: DN=dc=example,dc=nl
o=web / ou=users ou=companies ou=powerusers
o=mail / ou=users ou=companies ou=powerusers
o=fileserv1 / ou=users ou=powerusers
o=fileserv2 / ou=companies
o=homespace / ou=companies ou=powerusers
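
The tree laid out in post #5, written out as LDIF container entries, as an added example that is not part of the thread. It also counts how many service branches each group appears under, which bears on the first question in post #4. The object classes, the name check, and the assumption that the dc=example,dc=nl suffix entry already exists are not from the thread.

```python
import re

BASE_DN = "dc=example,dc=nl"  # suffix from the thread; assumed to exist already

# Service subtree -> groups placed under it, exactly as listed in post #5.
LAYOUT = {
    "web": ["users", "companies", "powerusers"],
    "mail": ["users", "companies", "powerusers"],
    "fileserv1": ["users", "powerusers"],
    "fileserv2": ["companies"],
    "homespace": ["companies", "powerusers"],
}
# Assumed object classes (standard core schema); the thread names none.
OBJECT_CLASS = {"o": "organization", "ou": "organizationalUnit"}
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9-]*")

def entries(layout=LAYOUT, base=BASE_DN):
    """Yield (dn, rdn_attr, rdn_value) for each container, parents first."""
    for service, groups in layout.items():
        for name in [service, *groups]:
            # Refuse names that would need DN or LDIF escaping.
            if not SAFE_NAME.fullmatch(name):
                raise ValueError(f"unsafe name for an RDN: {name!r}")
        service_dn = f"o={service},{base}"
        yield service_dn, "o", service
        for group in groups:
            yield f"ou={group},{service_dn}", "ou", group

def to_ldif(layout=LAYOUT, base=BASE_DN):
    """Render the containers as LDIF records separated by blank lines."""
    records = [
        f"dn: {dn}\nobjectClass: top\nobjectClass: {OBJECT_CLASS[attr]}\n{attr}: {value}"
        for dn, attr, value in entries(layout, base)
    ]
    return "\n\n".join(records) + "\n"

def branches_per_group(layout=LAYOUT, base=BASE_DN):
    """Map each group name to every DN at which it appears in the tree."""
    seen = {}
    for dn, attr, value in entries(layout, base):
        if attr == "ou":
            seen.setdefault(value, []).append(dn)
    return seen

if __name__ == "__main__":
    print(to_ldif())
    for group, dns in branches_per_group().items():
        print(f"# {group}: appears under {len(dns)} service branches")
```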