From: Mark W. <mew...@un...> - 2000-12-14 20:06:55
I think the problem is that you're trying to treat LDAP as an RDBMS.

An OrganizationalUnit can be an entry (ie an entry of objectclass type
OrganizationalUnit) and an attribute (the ou attribute, available in the
person objectclass). The organizationalUnit objectclass is generally used
to provide branches in your tree. You should attempt to keep this as flat
as possible to make it easier to manage, ie

  dc=unt,dc=edu
    ou=people
    ou=groups

Then if you want to use the organizationalUnit attribute to represent
departments people belong to, you simply put the correct values in each
person's ou attribute.

Now, the only other hierarchy you might do that uses OrganizationalUnit,
the objectclass, is to build an organizational white pages directory. For
example if you want to keep the name of each unit, their manager,
administrative assistant and contact information, you might decide to
create a new branch (ou=departments) that contains this information
(though you'll need to extend the schema so that you can add the
necessary attributes to store this information).

Groups. If you are trying to use people's departments (ie the value of the
ou attribute) for access control you have 3 options.

1) you can simply define an application level policy that says to check
   the user's ou attribute to determine their role
2) you can create a group for each department or committee or team or
   whatever and populate it. Then see if a user's DN is found in the
   membership attribute of the group
3) if you're using Netscape's directory server you can create dynamic
   group(s), whose membership is determined by the value of a particular
   attribute. Then see if the user's entry would satisfy the search query.

I use all 3.

1 -- for mass groupings (ie, only students can see this site, or only
     faculty).
2 -- only Vice Presidents can send out a bulk-email message to all students
3 -- I use dynamic groups to maintain course rosters (because they change
     a lot and some of them are quite large -- several hundred; it makes
     maintenance easier because the membership changes when we update the
     student's entry)

BTW I have an article on groups and Net::LDAP at www.webtechniques.com.
Search for wilcox or LDAP and it will turn up.

Mark

"Lambright, Linda (N-Averstar)" wrote:

> Do you know where I can get a really good explanation of organizational
> units and how they work.
>
> I'm trying to write a set of scripts that will allow certain users
> administrator rights over their own groups but not over anyone else's
> groups. In order to do this I have created a set of organizational units
> each with groups and subgroups inside of them. All users are then created
> in the People organizational unit and added as members to one or more
> groups inside other organizational units. I need to be able to list the
> users in each organizational unit and whether they are in an admin group
> in that unit. Then we give those admins rights to move users from group
> to group or to remove the user from their group or from their
> organizational unit without actually removing the person from the
> directory server or from other groups or other organizational units.
> These administrators also need to be able to make and remove groups in
> their organizational unit and add users to the directory server if the
> user does not already exist. The problems that we have run into are all
> with perl-ldap giving us information on organizational units and groups.
> Probably because we don't know how to ask correctly.
>
> Thank you for your help
>
> Linda
>
> ----------
> > From: Mark Wilcox[SMTP:mew...@un...]
> > Sent: Wednesday, December 13, 2000 6:15 PM
> > To: Lambright, Linda (N-Averstar)
> > Cc: per...@li...
> > Subject: Re: uid's associated with a particular organizational unit
> >
> > sounds like you've set your scope incorrectly.
> >
> >   $mesg = $ldap->search(
> >       base   => "ou=people,dc=acme,dc=com",
> >       scope  => "sub",
> >       filter => "(objectclass=person)"
> >   );
> >
> > should do it.
> >
> > Note that unless you've got a very small number of people, you'll need
> > to either be bound as the directory super-user account or use a virtual
> > list view to see all of them.
> >
> > Mark
> >
> > "Lambright, Linda (N-Averstar)" wrote:
> >
> > > I have created several users in the People organizational unit. I am
> > > trying to find out how to get a list of all of those uid's. However if
> > > I ask for ou=People all I get is the entry for the ou People. Can
> > > anyone help me with this? Even when I use the server console to do the
> > > search it comes up with no entries. However the ldif file clearly
> > > shows all of the users with ou=People. I guess I don't clearly
> > > understand the concept of the organizational unit object.
> > >
> > > Linda Lambright
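The three access-control options Mark lists, plus the scope point from his earlier reply, as an added example that is not part of the thread and not Mark's or the perl-ldap project's code. It is a Net::LDAP script that looks a person up by uid and then answers "is this person in department X" three ways: from the entry's own ou attribute, from a static group's uniqueMember attribute, and by evaluating a Netscape-style dynamic group's memberURL against the entry. The host, bind account, base DNs, group DNs, attribute values and the memberURL layout are assumptions for illustration; the uid and DNs are escaped with Net::LDAP::Util before they go into a filter, since both are caller-controlled.

```perl
#!/usr/bin/perl
# Added example, not code from the thread. Host, bind DN, base DNs and
# group DNs below are assumptions.
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Util qw(escape_filter_value ldap_error_name);

my $HOST    = 'ldap.example.edu';                    # assumed
my $BIND_DN = 'cn=authz-reader,dc=example,dc=edu';   # assumed read-only account
my $BIND_PW = $ENV{LDAP_PW} // die "set LDAP_PW in the environment\n";
my $PEOPLE  = 'ou=people,dc=example,dc=edu';         # assumed flat layout

my $ldap = Net::LDAP->new($HOST, version => 3) or die "connect: $@\n";
my $res  = $ldap->bind($BIND_DN, password => $BIND_PW);
die 'bind failed: ' . ldap_error_name($res) . "\n" if $res->code;

# One person entry by uid. scope 'sub' is the fix from the earlier reply:
# with scope 'base' the only entry returned is ou=people itself. The uid
# is caller input, so it is escaped; otherwise "*)(uid=*" would rewrite
# the filter.
sub find_person {
    my ($uid) = @_;
    my $r = $ldap->search(
        base   => $PEOPLE,
        scope  => 'sub',
        filter => '(&(objectClass=person)(uid=' . escape_filter_value($uid) . '))',
        attrs  => [qw(ou)],
    );
    die 'search failed: ' . ldap_error_name($r) . "\n" if $r->code;
    return $r->count == 1 ? $r->entry(0) : undef;   # undef if absent or ambiguous
}

# Option 1: application-level policy on the person's own ou attribute.
sub in_department {
    my ($person, $dept) = @_;
    return 0 + grep { lc($_) eq lc($dept) } $person->get_value('ou');
}

# Option 2: static group. Let the server test the membership attribute
# instead of pulling a large member list to grep locally. uniqueMember is
# the attribute of groupOfUniqueNames; use member for groupOfNames.
sub in_static_group {
    my ($person, $group_dn) = @_;
    my $r = $ldap->search(
        base   => $group_dn,
        scope  => 'base',
        filter => '(uniqueMember=' . escape_filter_value($person->dn) . ')',
        attrs  => ['1.1'],   # 1.1 = return no attributes, only whether it matched
    );
    die 'search failed: ' . ldap_error_name($r) . "\n" if $r->code;
    return $r->count == 1;
}

# Option 3: dynamic group. The group entry carries memberURL values like
#   ldap:///ou=people,dc=example,dc=edu??sub?(ou=Chemistry)
# (filter assumed stored unencoded). The person is a member if their DN
# lies within that base/scope and their entry satisfies that filter; the
# filter part is tested by a scope 'base' search on the person's own DN.
sub in_dynamic_group {
    my ($person, $group_dn) = @_;
    my $g = $ldap->search(base => $group_dn, scope => 'base',
                          filter => '(objectClass=*)', attrs => ['memberURL']);
    die 'search failed: ' . ldap_error_name($g) . "\n" if $g->code;
    return 0 unless $g->count;
    for my $url ($g->entry(0)->get_value('memberURL')) {
        (my $rest = $url) =~ s{^ldap://[^/]*/}{};          # drop scheme and host
        my ($base, undef, $scope, $filter) = split /\?/, $rest, 4;
        $scope  ||= 'base';
        $filter ||= '(objectClass=*)';
        next unless dn_within($person->dn, $base, $scope);
        my $r = $ldap->search(base => $person->dn, scope => 'base',
                              filter => $filter, attrs => ['1.1']);
        die 'search failed: ' . ldap_error_name($r) . "\n" if $r->code;
        return 1 if $r->count == 1;
    }
    return 0;
}

# Is $dn inside $base for the given scope? Lower-cased string comparison,
# adequate for DNs without escaped commas.
sub dn_within {
    my ($dn, $base, $scope) = @_;
    ($dn, $base) = (lc $dn, lc $base);
    return $dn eq $base if $scope eq 'base';
    my $tail = ",$base";
    return 0 if length($dn) <= length($tail) || substr($dn, -length($tail)) ne $tail;
    return 1 if $scope eq 'sub';
    my $rel = substr($dn, 0, length($dn) - length($tail));
    return $rel !~ /,/;       # 'one': exactly one RDN below the base
}

my $uid    = shift @ARGV or die "usage: $0 uid\n";
my $person = find_person($uid) or die "no unique entry for uid $uid\n";
printf "%s\n  Chemistry (ou attribute): %d\n", $person->dn,
    in_department($person, 'Chemistry');
printf "  vice-presidents (static group): %d\n",
    in_static_group($person, 'cn=vice-presidents,ou=groups,dc=example,dc=edu');
printf "  chem101 roster (dynamic group): %d\n",
    in_dynamic_group($person, 'cn=chem101,ou=groups,dc=example,dc=edu');
$ldap->unbind;
```

Two points the script leans on: every search checks `$mesg->code` rather than assuming an empty result means "not a member", because a failed bind, a missing group entry or an access-control denial also yields zero entries and would silently grant nothing (or, in a badly written check, everything); and the static-group test searches the group entry with a membership filter instead of reading the whole member list, which is what keeps it cheap for the several-hundred-member rosters Mark mentions. Enumerating all of ou=people, as in the original question, is a different job and on a large directory needs a paged or VLV control (Net::LDAP::Control::Paged or Net::LDAP::Control::VLV) or a bind as an account that is exempt from the server's size limit.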