From: Chris R. <chr...@me...> - 2000-12-14 13:37:08

"Lambright, Linda (N-Averstar)" <lin...@lm...> wrote:

> Do you know where I can get a really good explanation of organizational
> units and how they work.

Organizational units are simply entries in the directory with an object
class of "organizationalUnit" and usually named with the "ou" attribute
(aka "organizationalUnitName"). These entries are normally used to
represent departments in an organization, and the reason they don't have
an object class of "department" is because the standards authors had to
consider that "department" has different connotations in some countries
(like France), and so opted for the somewhat hideous term
"organizationalUnit". Sorry, getting sidetracked there!

There are no real special kinds of entry in the directory. So
organizationalUnits work exactly the same way that, say, domain entries
work, or locality entries work.

Some vendors cause problems (IMO) by calling organizationalUnits
"containers". This is misleading because the "has a" (ie "contains")
relationship in LDAP can mean either using an attribute of an entry (an
employee "has a" surname and telephone number and a manager), or that the
relationship is hierarchical, ie part of the structure of the directory
tree (a department has employees).

> I'm trying to write a set of scripts that will allow certain users
> administrator rights over their own groups but not over anyone else's
> groups. In order to do this I have created a set of organizational units
> each with groups and subgroups inside of them. All users are then
> created in the People organizational unit and added as members to one or
> more groups inside other organizational units. I need to be able to list
> the users in each organizational unit and whether they are in an admin
> group in that unit. Then we give those admins rights to move users from
> group to group or to remove the user from their group or from their
> organizational unit without actually removing the person from the
> directory server or from other groups or other organizational units.
> These administrators also need to be able to make and remove groups in
> their organizational unit and add users to the directory server if the
> user does not already exist. The problems that we have run into are all
> with perl-ldap giving us information on organizational units and groups.
> Probably because we don't know how to ask correctly.

In your case, your organizationalUnits "have" people in the hierarchical
sense, eg:

                 o=My Company
                       |
                 +----------+
                 |          |
             ou=People     ...
                 |
            +----+----+
            |    |    |
         cn=Jim ...  cn=Ann

However group entries (groupOfNames objectclass) represent the "has a"
relationship using the member attribute.

Once you understand those two relationships, your script should be easier
to work out.

To find the people in the ou, search the ou subtree for the person
entries, like Mark suggested. You want to retrieve the "uid" attribute
from each of those entries.

To find the people in the group, read the member attribute from the group
entry. The attribute values will be distinguished names (DNs) of other
entries in the directory. Possibly the entries you read above!

> Thank you for your help
>
> Linda
>
>> ----------
>> From: Mark Wilcox[SMTP:mew...@un...]
>> Sent: Wednesday, December 13, 2000 6:15 PM
>> To: Lambright, Linda (N-Averstar)
>> Cc: per...@li...
>> Subject: Re: uid's associated with a particular organizational unit
>>
>> sounds like you've set your scope incorrectly.
>>
>>     $mesg = $ldap->search(
>>         base   => "ou=people,dc=acme,dc=com",
>>         scope  => "sub",
>>         filter => "objectclass=person"
>>     );
>>
>> should do it.
>>
>> Note that unless you've got a very small number of people, you'll need
>> to either be bound as the directory super-user account or use a virtual
>> list view to see all of them.
>>
>> Mark
>>
>> "Lambright, Linda (N-Averstar)" wrote:
>>
>> > I have created several users in the People organizational unit. I am
>> > trying to find out how to get a list of all of those uid's. However if
>> > I ask for ou=People all I get is the entry for the ou People. Can
>> > anyone help me with this? Even when I use the server console to do the
>> > search it comes up with no entries. However the ldif file clearly
>> > shows all of the users with ou=People. I guess I don't clearly
>> > understand the concept of the organizational unit object.
>> >
>> > Linda Lambright

Cheers,
Chris
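The two relationships Chris describes (hierarchy through the DN, membership through the member attribute) and the scope mistake Linda hit, worked through as an added example that is not code from this thread or from perl-ldap. It is written in Python over a constructed in-memory directory so it runs without a server; the LDIF records, the names, the "ou=Sales" department and the convention that the admin group's cn ends in " Admins" are all assumptions made for illustration. DN handling is simplified (no escaped commas) and the LDIF reader handles only plain "attr: value" lines.

```python
"""Added example, not code from the thread or from perl-ldap: the two "has a"
relationships over a constructed directory, runnable without a server."""
import re
from collections import defaultdict

# Constructed LDIF modelled on Linda's layout; not data from the original post.
SAMPLE_LDIF = """\
dn: ou=People,o=My Company
objectClass: organizationalUnit
ou: People

dn: cn=Jim,ou=People,o=My Company
objectClass: person
cn: Jim
uid: jim

dn: cn=Ann,ou=People,o=My Company
objectClass: person
cn: Ann
uid: ann

dn: ou=Sales,o=My Company
objectClass: organizationalUnit
ou: Sales

dn: cn=Sales Admins,ou=Sales,o=My Company
objectClass: groupOfNames
cn: Sales Admins
member: cn=Jim,ou=People,o=My Company

dn: cn=Sales Staff,ou=Sales,o=My Company
objectClass: groupOfNames
cn: Sales Staff
member: cn=Jim,ou=People,o=My Company
member: CN=Ann, OU=People, O=My Company
member: cn=Gone,ou=People,o=My Company
"""


def normalize_dn(dn):
    """Case-fold and trim each RDN so 'CN=Ann, OU=People' equals 'cn=Ann,ou=People'
    (assumes no escaped commas inside values)."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def parse_ldif(text):
    """Minimal LDIF reader: blank-line separated records of 'attr: value' lines."""
    entries = {}
    for record in re.split(r"\n\s*\n", text.strip()):
        attrs = defaultdict(list)
        for line in record.splitlines():
            name, _, value = line.partition(":")
            attrs[name.strip().lower()].append(value.strip())
        entries[normalize_dn(attrs["dn"][0])] = attrs
    return entries


def search(entries, base, scope, objectclass):
    """Like Net::LDAP search(base, scope, filter => objectclass=X). The hierarchy
    is nothing but DN suffixes: 'base' matches only the base entry itself,
    'one' its direct children, 'sub' the whole subtree."""
    base_parts = normalize_dn(base).split(",")
    want = objectclass.lower()
    hits = []
    for dn, attrs in entries.items():
        parts = dn.split(",")
        depth = len(parts) - len(base_parts)
        if depth < 0 or parts[depth:] != base_parts:
            continue  # not under the base at all
        if (scope == "base" and depth != 0) or (scope == "one" and depth != 1):
            continue
        if want in (v.lower() for v in attrs["objectclass"]):
            hits.append(attrs)
    return hits


def uids_in_ou(entries, ou_dn):
    """People an OU 'has' hierarchically: the person entries beneath it."""
    return sorted(e["uid"][0] for e in search(entries, ou_dn, "sub", "person"))


def group_members(entries, group_dn):
    """People a group 'has' by attribute: the uids behind its member DNs.
    A member DN that no longer exists (a dangling reference) is skipped."""
    uids = []
    for member_dn in entries[normalize_dn(group_dn)]["member"]:
        target = entries.get(normalize_dn(member_dn))
        if target and target["uid"]:
            uids.append(target["uid"][0])
    return sorted(uids)


def ou_report(entries, ou_dn, admin_suffix=" admins"):
    """For a department OU: each uid in any group under it and whether one of
    those groups is the admin group (assumed convention: cn ends in ' Admins')."""
    report = {}
    for group in search(entries, ou_dn, "sub", "groupOfNames"):
        is_admin = group["cn"][0].lower().endswith(admin_suffix)
        for uid in group_members(entries, group["dn"][0]):
            report[uid] = report.get(uid, False) or is_admin
    return report


if __name__ == "__main__":
    d = parse_ldif(SAMPLE_LDIF)
    people = "ou=People,o=My Company"
    print("scope=base, person entries:", uids_in_ou(d, people) if False else search(d, people, "base", "person"))
    print("scope=sub, uids:", uids_in_ou(d, people))
    print("ou=Sales report:", ou_report(d, "ou=Sales,o=My Company"))
```

The first print reproduces Linda's symptom: with scope "base" the only thing that can come back is the ou entry itself, so a person filter returns nothing; with scope "sub" the uids appear. Against a real server the same steps are Mark's search() call followed by $entry->get_value('uid') and, for groups, $entry->get_value('member'). Two practitioner caveats for the real script: check $mesg->code before trusting an empty result, since a size limit or an access-control denial also looks like "no entries"; and when an admin-supplied uid is interpolated into a filter, pass it through escape_filter_value from Net::LDAP::Util so a "*" or ")" cannot widen the query. Paging the search with Net::LDAP::Control::Paged is another way past a server size limit that does not require running the script under the super-user bind.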