The ASF LDAP system

Posted on: 2010-02-22 22:17:39+00:00

When we decided some time ago to start using LDAP for auth{n,z} we had to come up with a sane structure. This is what we have thus far: 

 dc=apache,dc=org
      |   ou=people,dc=apache,dc=org
      |   ou=groups,dc=apache,dc=org
           |   ou=people,ou=groups,dc=apache,dc=org
           |   ou=committees,ou=groups,dc=apache,dc=org

 As well as other OUs that contain infrastructure related objects.

So with "dc=apache,dc=org" being our basedn, we decided we needed to keep the structure as simple as possible and placed the following objects in the respective OUs:

• User accounts -  "ou=groups,dc=apache,dc=org"
• POSIX groups - "ou=groups,dc=apache,dc=org"
• User Groups  - "ou=people,ou=groups,dc=apache,dc=org"
• PMC/Committee groups - "ou=committees,ou=groups,dc=apache,dc=org"

Access to the LDAP infrastructure is connection limited to hosts within our co-location sites.  This is essentially to help prevent unauthorised data leaving our network.