Skip to Content.
Sympa Menu

grouper-users - Re: [grouper-users] Rather General LDAP Questions

Subject: Grouper Users - Open Discussion List

List archive

Re: [grouper-users] Rather General LDAP Questions

Chronological Thread 
  • From: Peter Schober <>
  • To:
  • Subject: Re: [grouper-users] Rather General LDAP Questions
  • Date: Fri, 20 Jun 2008 14:46:48 +0200
  • Organization: Vienna University Computer Center


[2008-06-20 13:33]:
> The first questions concerns the base DN format. Is there a specific
> technical reason (other than if you are using Active Directory) why
> one would prefer DNS format "dc=fu-berlin,dc=de" over the X.500
> format, "o=fu-berlin,c=de"? The former is sometimes described as
> "more flexible" and the later as somehow old-fashioned, but I
> haven't found a more exact description of the pros and cons.

RFC 2247 "defines an algorithm by which a name registered with the
Internet Domain Name Service [2] can be represented as an LDAP
distinguished name."
By attaching to DNS there are existing and established authorities
(ICANN, IANA, etc.) and methods for registering a name. For X.500
style naming there are no established bodies for registration of
names. E.g. in Germany some entity would need to guarantee uniquness
in c=de and resolve disputes regarding registering and use of
e.g. "o=fu-berin,c=de". (Note that I assume the use of ISO 3166
ALPHA-2 country codes as the "top level" names here, same as with

> The other question is whether, instead of using "ou=people", one
> could use "ou=accounts" in the sense of login names, instead. The
> thinking behind this is that, because individuals can have multiple
> accounts with different privileges, it would allow for easier
> administration of separation of privileges. On the other hand,
> should I be thinking about Signet for this?

To the first pqrt of your quesion: This is not a quesiton of
either-or. Some (Stanford[1] comes to mind) have both: a tree for
people and a seperate tree for accounts.

Generally giving out one account per role (with different privileges
attached) is possible but you always need to relate them somehow
(otherwise locking one account -- e.g. because of a violation of an
AUP -- has no effect on the other accounts the same person might have
access to, etc.). So why not have all the privileges of one person
with one object/account/record in the first place?




- vienna university computer center
Universitaetsstrasse 7, A-1010 Wien, Austria/Europe
Tel. +43-1-4277-14155, Fax. +43-1-4277-9140

Archive powered by MHonArc 2.6.16.

Top of Page