The ASF LDAP system

Posted on: 2010-02-22 22:17:39+00:00

When we decided some time ago to start using LDAP for auth{n,z} we had to come up with a sane structure. This is what we have thus far: 

 dc=apache,dc=org
      |   ou=people,dc=apache,dc=org
      |   ou=groups,dc=apache,dc=org
           |   ou=people,ou=groups,dc=apache,dc=org
           |   ou=committees,ou=groups,dc=apache,dc=org

There are also other OUs that contain infrastructure-related objects.

So with "dc=apache,dc=org" being our basedn, we decided we needed to keep the structure as simple as possible and placed the following objects in the respective OUs:

  • User accounts - "ou=people,dc=apache,dc=org"
  • POSIX groups - "ou=groups,dc=apache,dc=org"
  • User groups - "ou=people,ou=groups,dc=apache,dc=org"
  • PMC/Committee groups - "ou=committees,ou=groups,dc=apache,dc=org"
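
Because the same project name (for example a cn of "httpd") can legitimately appear as a POSIX group, a user group and a committee group, anything that decides authorisation from this tree has to search the OU that holds the group type it cares about, not the whole subtree. The following is an added example, not ASF code: an in-memory model of the tree above, with a constructed LDIF sample, a minimal LDIF reader and DN splitter, and a membership check scoped to ou=committees. The object classes (posixAccount, posixGroup, groupOfNames), the uid and cn values and the membership attributes (member, memberUid) are assumptions for illustration, not a description of the ASF schema.

```python
# Added example (not ASF code): an in-memory model of the tree described above,
# showing why an authorisation check must be scoped to the OU that holds the
# group type being checked. The LDIF is constructed sample data; object classes,
# names and the membership attributes (member / memberUid) are assumptions.

BASE = "dc=apache,dc=org"
PEOPLE = "ou=people," + BASE                    # user accounts
POSIX_GROUPS = "ou=groups," + BASE              # POSIX groups
USER_GROUPS = "ou=people,ou=groups," + BASE     # user groups
COMMITTEES = "ou=committees,ou=groups," + BASE  # PMC / committee groups

# One project ("httpd") with a same-named group in all three group OUs, and a
# committer (bob) who is not on the PMC. The OU container entries are omitted.
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=apache,dc=org
objectClass: posixAccount
uid: alice

dn: uid=bob,ou=people,dc=apache,dc=org
objectClass: posixAccount
uid: bob

dn: cn=httpd,ou=groups,dc=apache,dc=org
objectClass: posixGroup
cn: httpd
memberUid: alice
memberUid: bob

dn: cn=httpd,ou=people,ou=groups,dc=apache,dc=org
objectClass: groupOfNames
cn: httpd
member: uid=alice,ou=people,dc=apache,dc=org
member: uid=bob,ou=people,dc=apache,dc=org

dn: cn=httpd,ou=committees,ou=groups,dc=apache,dc=org
objectClass: groupOfNames
cn: httpd
member: uid=alice,ou=people,dc=apache,dc=org
"""

def parse_ldif(text):
    """Minimal LDIF reader (no line folding, no base64): {dn: {attr: [values]}}."""
    entries, dn, attrs = {}, None, {}
    for line in text.splitlines() + [""]:
        if not line.strip():                 # blank line ends an entry
            if dn is not None:
                entries[dn] = attrs
            dn, attrs = None, {}
            continue
        name, _, value = line.partition(":")
        if name.lower() == "dn":
            dn = value.strip()
        else:
            attrs.setdefault(name, []).append(value.strip())
    return entries

def split_dn(dn):
    """Split a DN into normalised RDNs on unescaped commas. Lower-casing assumes
    caseIgnore matching for every attribute used here (uid, cn, ou, dc)."""
    rdns, buf, escaped = [], [], False
    for ch in dn:
        if ch == "," and not escaped:
            rdns.append("".join(buf).strip().lower())
            buf = []
        else:
            buf.append(ch)
        escaped = ch == "\\" and not escaped
    rdns.append("".join(buf).strip().lower())
    return rdns

def is_directly_under(dn, container):
    """One-level match on the parsed parent, not a string suffix match: entries
    deeper in the subtree (ou=committees below ou=groups) do not qualify."""
    return split_dn(dn)[1:] == split_dn(container)

def naive_cn_search(entries, cn):
    """What an unscoped subtree search for (cn=<project>) returns: every group type."""
    return sorted(dn for dn, a in entries.items() if cn in a.get("cn", []))

def groups_of(entries, user_dn, container):
    """cn of groupOfNames entries directly under container whose member lists user_dn."""
    user = split_dn(user_dn)
    return sorted(a["cn"][0] for dn, a in entries.items()
                  if is_directly_under(dn, container)
                  and any(split_dn(m) == user for m in a.get("member", [])))

def posix_groups_of(entries, uid):
    """cn of posixGroup entries directly under ou=groups whose memberUid lists uid."""
    return sorted(a["cn"][0] for dn, a in entries.items()
                  if is_directly_under(dn, POSIX_GROUPS) and uid in a.get("memberUid", []))

def is_pmc_member(entries, uid, project):
    """Authorisation check: only a group under ou=committees grants PMC rights."""
    return project in groups_of(entries, f"uid={uid},{PEOPLE}", COMMITTEES)

ENTRIES = parse_ldif(SAMPLE_LDIF)
```

With this data, naive_cn_search(ENTRIES, "httpd") returns three entries, one per group OU, while is_pmc_member(ENTRIES, "bob", "httpd") is False even though bob is in both the POSIX group and the user group of the same name. Against a real server the equivalent is a one-level search with the relevant OU as the base DN rather than a subtree search from dc=apache,dc=org.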

Connections to the LDAP infrastructure are restricted to hosts within our co-location sites. This is primarily to help prevent directory data leaving our network without authorisation.

Copyright 2024, The Apache Software Foundation, Licensed under the Apache License, Version 2.0.
Apache® and the Apache feather logo are trademarks of The Apache Software Foundation.