> for each department, there will be a parent node with dn: o=department1,
> dc=mycompany, dc=com.
> under this node, there will be many child entries with:
> dn: uid=username1, o=department1, dc=mycompany, dc=com
> objectclass : ....
> o: department1
> ......(other attributes/values)
>
> so if i change the parent node to dn:o=departmentnew, dc=mycompany, dc=com,
> am i correct to say
> that i should change all entries previously with dn:uid=username,
> o=department1, dc=mycompany, dc=com
> and o=department1 to o=department new? will ldap command line tool
> automatically & recursively change all child entries'
> dn and o attributes to the new department? if not, these users might have
> the wrong/old department info.
> may i know what is the command to change the dn: o=department ..... to
> o=departmentnew pls.

The o value in the DN won't need to be changed, but if you use
OpenLDAP, the o attribute in any child records will need to be changed
individually, though doing this isn't really that hard.

The ldapsearch tool can be used to find the records that need
changing, and the ldapmodify command line tool can be used to modify their
attributes, but you should consider using the Perl, Python, Java and C
LDAP APIs for regular LDAP maintenance tasks like this.

> > > 2. if a user change department, how can i update his dn to uid=username,
> > > o=newdept, dc=mycompany, dc=com?
> >
> > The LDAP API has methods to copy, move (rename), and delete entries. There
> > are also command line tools.
>
> may i know which command to move/rename the dn of a entry pls. i know other
> attributes can be modified/updated but i'm not sure how to move/rename the
> dn.

The command line tool is ldapmodrdn, though it has some limitations. Again,
you should look at the API for your language of choice for your
administration tasks.

> > > 5. what are the pros and cons of using "o" in the dn?
> >
> > It is really a matter of the structure you are hoping to use and the LDAP
> > policies and applications you intend to implement.
>
> ldap will be used largely for authentication by radius server, sendmail, ftp
> etc.
> the registration application is just making use of ldap database.

Certainly sounds like a good use of LDAP, though you could use pam_mysql
and achieve most of the same results with mysql.

> > > using method 2, the name space design is simpler: uid=username,
> > > dc=mycompany, dc=com. but i have to keep duplicate/two sets of department
> > > records. one in mysql and one in ldap. and they must be synchronised when any
> > > department is modified, deleted or added.
> > >
> > > i really have no idea what might be the complications for each method and
> > > which is a better way of designing.
> >
> > Basically, I would recommend sticking with mysql unless you plan on
> > leveraging LDAP for other applications and services. A LDAP server can be
> > a powerful tool, but poorly maintained and with irrelevant or incorrect
> > data it only serves as a source of disinformation or worse, a security
> > policy problem.
>
> if i use only (without the o=department in dn):
> dn: uid=username, dc=company, dc=com
> objectclass....
> o: department
> ..... (other attributes/values)
> can i query the ldap database and return only unique values(one value) for
> each department names?
> what is the command to do so?

This is easy with the shell tool. The command:

  ldapsearch -b 'base dn' '(objectclass=organization)' o

will retrieve all 'o' attribute values from all objects of class
'organization'.

> thanks for enlightening me. i really appreciate your time & advice.

Sure. LDAP and directory services are really powerful tools, and I'm not
sure I could do justice to the options you have in using them in an
e-mail. I would strongly recommend you set one up and play with one for a
while, get used to the client API in a language you are comfortable with.
I started in the relational database world and it took me quite some time
to get used to thinking in LDAP. Once you make the transition, though, it
becomes fairly obvious that LDAP is a great tool for a number of
application and system needs.

thornton
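The department move described above (moving each child entry under the new node and then correcting its own "o" attribute) and the unique-"o" query, as an added example that is not part of the original thread. It only generates the LDIF that ldapmodify reads and post-processes ldapsearch output, so it runs without a directory server; the base DN, department names and the sample ldapsearch output are constructed.

```shell
#!/bin/sh
# Added example (not from the original thread): build the LDIF that
# ldapmodify consumes to move every user from one department node to
# another and correct their "o" attribute, plus de-duplication of
# department names.  Assumptions: OpenLDAP client tools; base DN,
# department names and the ldapsearch output are constructed; DNs
# carry no spaces after commas.
BASE='dc=mycompany,dc=com'
OLD='department1'
NEW='departmentnew'

# Constructed stand-in for:  ldapsearch -LLL -b "$BASE" "(o=$OLD)" o
SAMPLE_LDIF='dn: o=department1,dc=mycompany,dc=com
o: department1

dn: uid=username1,o=department1,dc=mycompany,dc=com
o: department1

dn: uid=username2,o=department1,dc=mycompany,dc=com
o: department1
'

# For each child under the old node emit a modrdn record that moves it
# under the new node (RDN unchanged) and then a modify record that sets
# the child's own "o" at its NEW dn.  The parent node is skipped: rename
# it first with ldapmodrdn so the new superior exists.
# Usage: printf '%s' "$SAMPLE_LDIF" | move_dept "$OLD" "$NEW" | ldapmodify -x -D '<admin dn>' -W
move_dept() {
    awk -v old="$1" -v new="$2" -v base="$BASE" '
        /^dn: / {
            dn = substr($0, 5)
            if (dn == ("o=" old "," base)) next  # parent node handled separately
            rdn = dn; sub(/,.*/, "", rdn)        # e.g. uid=username1
            print "dn: " dn
            print "changetype: modrdn"
            print "newrdn: " rdn
            print "deleteoldrdn: 0"
            print "newsuperior: o=" new "," base
            print ""
            print "dn: " rdn ",o=" new "," base
            print "changetype: modify"
            print "replace: o"
            print "o: " new
            print ""
        }'
}

# Unique department names from ldapsearch output, one per line.
# Usage: ldapsearch -LLL -b "$BASE" "(objectclass=organization)" o | unique_o
unique_o() { awk '/^o: /{print substr($0, 4)}' | sort -u; }
```

Run the generated LDIF through ldapmodify only after the new parent node exists; the modify record for each user deliberately targets the post-move DN.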

_______________________________________________
Redhat-list mailing list
[EMAIL PROTECTED]
https://listman.redhat.com/mailman/listinfo/redhat-list