Hey Peter and Quanah,

On Thu, Mar 8, 2012 at 7:36 PM, Quanah Gibson-Mount <[email protected]> wrote:

> --On Thursday, March 08, 2012 3:07 PM +0100 Peter Schober <
> [email protected]> wrote:
>
>  * Quanah Gibson-Mount <[email protected]> [2012-03-07 18:04]:
>>
>>> > Is anyone doing that? Is it worth the effort?
>>>
>>> See Stanford University's suRegID
>>>
>>
>> Well, I can see[1] that it's a registry identifier that's unique per
>> person and that accounts refer to it via the owner attribute.
>> I did not however find how DNs (and most-specific RDNs) are
>> constructed, but take your above answer to mean that Stanford creates
>> DNs as suRegID=$whatever,cn=accounts,$BASEDN
>> OK, thanks,
>> -peter
>>
>
> It creates:
>
> suregid=<whatever>,cn=people,dc=stanford,dc=edu
>
> For people.
>
> For accounts, it uses uid
>
> uid=joe,cn=accounts,dc=stanford,dc=edu
>
> People are not accounts.  ;)


Yeah, that identity vs. account thing is a somewhat rare insight,
especially when it comes to applications that need more than just account
or identity data from directories.
If you do separate them, you will almost certainly require some feature to
build virtual objects/views containing data from both accounts and the
corresponding identity.

Using persistent identifiers in RDNs for identities as well as accounts can
simplify many use cases.
Whether it is worth the effort is something that you must decide for
yourself based on the complexity of the required migration and what
applications/services would be affected.

Regards, Linus
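
Added example, not part of the original messages and not Stanford's code: a small in-memory model of the layout discussed above (people under cn=people keyed by suRegID, accounts under cn=accounts keyed by uid, linked by the owner attribute). It builds the merged account/identity view and shows which stored DN references survive an account rename. The identifier value, the cn=groups container, the member references and all entry data are constructed assumptions.

```python
BASE = "dc=stanford,dc=edu"                    # base DN quoted in the thread
PERSON = f"suRegID=a1b2c3,cn=people,{BASE}"    # constructed identifier value
ACCOUNT = f"uid=joe,cn=accounts,{BASE}"
BY_PERSON = f"cn=staff,cn=groups,{BASE}"       # hypothetical group, lists people
BY_ACCOUNT = f"cn=shell,cn=groups,{BASE}"      # hypothetical group, lists accounts


def sample_directory():
    """Constructed entries, keyed by DN."""
    return {
        PERSON: {"cn": "Joe Example", "mail": "joe@example.org"},
        ACCOUNT: {"uid": "joe", "owner": PERSON, "loginShell": "/bin/sh"},
        BY_PERSON: {"member": [PERSON]},
        BY_ACCOUNT: {"member": [ACCOUNT]},
    }


def account_view(directory, account_dn):
    """Merge an account with the identity entry its owner attribute names."""
    account = directory[account_dn]
    person = directory.get(account["owner"])
    if person is None:
        raise LookupError(f"dangling owner reference in {account_dn}")
    view = {f"person.{k}": v for k, v in person.items()}
    view.update({f"account.{k}": v for k, v in account.items()})
    return view


def rename_account(directory, old_dn, new_uid):
    """Model a modrdn on an account whose RDN is the (mutable) uid."""
    entry = directory.pop(old_dn)
    entry["uid"] = new_uid
    new_dn = f"uid={new_uid},cn=accounts,{BASE}"
    directory[new_dn] = entry
    return new_dn


def dangling_members(directory, group_dn):
    """Return member DNs that no longer resolve to an entry."""
    return [dn for dn in directory[group_dn]["member"] if dn not in directory]


if __name__ == "__main__":
    d = sample_directory()
    print(account_view(d, ACCOUNT))
    new_dn = rename_account(d, ACCOUNT, "jexample")
    print("by person :", dangling_members(d, BY_PERSON))
    print("by account:", dangling_members(d, BY_ACCOUNT))
    print(account_view(d, new_dn)["person.cn"])
```
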
