Subject: Grouper Users - Open Discussion List
- From: Peter Schober <>
- Subject: Re: [grouper-users] Rather General LDAP Questions
- Date: Fri, 20 Jun 2008 14:46:48 +0200
- Organization: Vienna University Computer Center
> The first question concerns the base DN format. Is there a specific
> technical reason (other than if you are using Active Directory) why
> one would prefer DNS format "dc=fu-berlin,dc=de" over the X.500
> format, "o=fu-berlin,c=de"? The former is sometimes described as
> "more flexible" and the latter as somehow old-fashioned, but I
> haven't found a more exact description of the pros and cons.
RFC 2247 "defines an algorithm by which a name registered with the
Internet Domain Name Service can be represented as an LDAP
By attaching to DNS there are existing and established authorities
(ICANN, IANA, etc.) and methods for registering a name. For X.500
style naming there are no established bodies for registration of
names. E.g. in Germany some entity would need to guarantee uniqueness
in c=de and resolve disputes regarding registering and use of
e.g. "o=fu-berlin,c=de". (Note that I assume the use of ISO 3166
ALPHA-2 country codes as the "top level" names here, same as with
> The other question is whether, instead of using "ou=people", one
> could use "ou=accounts" in the sense of login names, instead. The
> thinking behind this is that, because individuals can have multiple
> accounts with different privileges, it would allow for easier
> administration of separation of privileges. On the other hand,
> should I be thinking about Signet for this?
To the first part of your question: This is not a question of
either-or. Some (Stanford comes to mind) have both: a tree for
people and a separate tree for accounts.
Generally giving out one account per role (with different privileges
attached) is possible but you always need to relate them somehow
(otherwise locking one account -- e.g. because of a violation of an
AUP -- has no effect on the other accounts the same person might have
access to, etc.). So why not have all the privileges of one person
with one object/account/record in the first place?
- vienna university computer center
Universitaetsstrasse 7, A-1010 Wien, Austria/Europe
Tel. +43-1-4277-14155, Fax. +43-1-4277-9140
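The RFC 2247 mapping referred to above, as an added Python example (not code from the thread or from the Grouper project): each DNS label becomes one dc= RDN, labels are checked against the DNS label rules, and the reverse direction refuses X.500-style suffixes such as o=fu-berlin,c=de instead of silently mangling them. The domain names used are taken from the thread; univie.ac.at is a constructed extra case.

```python
import re

# DNS label per RFC 1035: letters, digits and hyphens, 1..63 octets,
# not starting or ending with a hyphen. Used in both directions.
_LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")
_MAX_DOMAIN_OCTETS = 253


def _check_labels(labels):
    if not labels or any(not _LABEL_RE.match(label) for label in labels):
        raise ValueError(f"invalid DNS labels: {labels!r}")


def domain_to_dn(domain: str) -> str:
    """RFC 2247 mapping: fu-berlin.de -> dc=fu-berlin,dc=de.

    Each label becomes a dc= RDN, most specific label first. Labels are
    lower-cased because both DNS and the dc attribute match
    case-insensitively, so the result is a canonical form.
    """
    name = domain.rstrip(".")  # tolerate an absolute name with trailing dot
    if len(name) > _MAX_DOMAIN_OCTETS:
        raise ValueError("domain name too long")
    labels = name.split(".")
    _check_labels(labels)
    return ",".join(f"dc={label.lower()}" for label in labels)


def dn_to_domain(dn: str) -> str:
    """Inverse mapping: dc=fu-berlin,dc=de -> fu-berlin.de.

    Only DNs made entirely of dc= RDNs are accepted; an X.500-style
    suffix (o=..., c=...) has no DNS authority behind it and is rejected.
    """
    labels = []
    for rdn in dn.split(","):
        attr, sep, value = rdn.strip().partition("=")
        if not sep or attr.strip().lower() != "dc":
            raise ValueError(f"not an RFC 2247 DN, found RDN {rdn.strip()!r}")
        labels.append(value.strip())
    _check_labels(labels)
    return ".".join(labels)


def is_rfc2247_dn(dn: str) -> bool:
    """True if dn is a pure dc= DN that maps back to a valid DNS name."""
    try:
        dn_to_domain(dn)
    except ValueError:
        return False
    return True
```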