Chapter 4. Designing the directory tree

A suffix is the name of the entry at the root of the directory tree, and the directory data is stored beneath it. The directory can contain more than one suffix. You can use multiple suffixes if there are two or more directory trees of information that do not have a natural common root. By default, the standard Directory Server deployment contains multiple suffixes, one for storing data and the others for data required by internal directory operations, such as configuration information and the directory schema.

In a single enterprise environment, you can choose a directory suffix that aligns with a DNS name or Internet domain name of the enterprise. For example, if the enterprise owns the domain name of example.com, then the directory suffix is dc=example,dc=com. The dc attribute represents the suffix by breaking the domain name into its component parts. Normally, you can use any attribute to name the root suffix. However, for a hosting organization, you must limit the root suffix to the following attributes:

These attributes provide interoperability with subscriber applications. For example, a hosting organization can use these attributes to create a root suffix o=example_a, st=Washington,c=US for one of its clients example_a.

Using an organization name followed by a country designation is typical according to the X.500 naming convention for suffixes.

For example, you can create separate suffixes for example_a and example_b and store them in separate databases.

You can store databases on a single server or multiple servers depending on resources limits.

Decide whether to use a flat or a hierarchical tree structure. Try to make the directory tree as flat as possible. However, a certain amount of hierarchy can be important later when information is partitioned across multiple databases, when preparing replication, or when setting access controls.

The structure of the tree involves the following steps and considerations:

You need to decide which attributes to use when naming the entries within the structure after designing the hierarchy of the directory tree. When you choose one or several attribute values, you form a relative distinguished name (RDN). The RDN is the left-most part of a DN, and the attribute you choose for that part is the naming attribute. The naming attribute sets a unique name for the entry. For example, the DN uid=bjensen,ou=people,dc=example,dc=com has the RDN uid=bjensen.

The attributes you choose depend on the type of entry you are naming.

Consider the following when naming entries:

When you create entries, define the RDN within the entry. With the defined RDN within the entry, the entry can be located more easily. This is because searches look for entries based on attribute values stored in the entry itself and not based on the actual DN.

Attribute names have a meaning, so try to use the attribute name that matches the type of entry it represents. For example, do not use l (location) to represent an organization, or c (country) to represent an organizational unit.

The entry names define the directory tree structure. Each branch point creates a new link in the hierarchy.

                                                                  dc=example,dc=com  =>  root suffix
                                                        ou=People,dc=example,dc=com  =>  org unit
                                          st=California,ou=People,dc=example,dc=com  =>  state/province
                          l=Mountain View,st=California,ou=People,dc=example,dc=com  =>  city
           ou=Engineering,l=Mountain View,st=California,ou=People,dc=example,dc=com  =>  org unit
uid=jsmith,ou=Engineering,l=Mountain View,st=California,ou=People,dc=example,dc=com  =>  leaf entry

When you change the naming attribute of an entry, the entry RDN, you perform a modrdn operation. This modifying operation moves the entry within the directory tree. For leaf entries (entries with no children), modrdn operations change only an RDN part, the parent entries stay the same.

For subtree entries, the modrdn operation renames the subtree entry itself and also changes the DN components of all of the children entries under the subtree.

A similar action to renaming a subtree is moving an entry from one subtree to another. This expanded type of modrdn operation simultaneously renames the entry, even if it is the same name, and sets a newsuperior attribute that moves the entry from one parent to another.

Directory Server uses entryrdn.db index to perform new superior and subtree rename operations. Directory Server identifies each entry by a self link, parent link, and any children links. The entryrdn.db index presents parents and children as attributes to an entry and describes every entry by a unique ID and its RDN, rather than the full DN.

The entryrdn.db index has the following format:

numeric_id:RDN => self link
     ID: ; RDN: "rdn"; NRDN: normalized_rdn P:RDN => parent link
     ID: ; RDN: "rdn"; NRDN: normalized_rdn C:RDN => child link
     ID: #; RDN: "rdn"; NRDN: normalized_rdn

For example, the ou=people subtree has the dc=example,dc=com parent and the uid=jsmith child entries. The entryrdn.db index has the following content:

4:ou=people
   ID: 4; RDN: "ou=people"; NRDN: "ou=people"
P4:ou=people
   ID: 1; RDN: "dc=example,dc=com"; NRDN: "dc=example,dc=com"
C4:ou=people
   ID: 10; RDN: "uid=jsmith"; NRDN: "uid=jsmith"

Consider the following when you perform rename operations:

A group is a collection of users. Directory Server has several group types that reflect the type of memberships allowed, such as certificate groups, URL groups, and unique groups that have only unique members. You define each type of group by an object class, such as groupOfUniqueNames, and a corresponding member attribute, such as uniqueMember.

The type of group identifies the type of members. The group configuration depends on how Directory Server adds members to the group. Directory Server has two group types:

Groups do not perform any operation on entries, however LDAP clients can manage groups to perform operations.

4.3.1.2. Adding automatically new entries to groups

You can apply password policies, access control lists, and other rules based on group membership. With groups, you can apply policies consistently and reliably across the directory.

Automatically assigning new entries to groups when a new entry is created ensures that Directory Server immediately applies appropriate policies and functionality to those entries without administrator actions.

With the Automembership plug-in, a static group can act like a dynamic group. The Automembership plug-in uses a set of rules based on entry attributes, directory location, and regular expressions to assign a user automatically to a specified group.

There can be instances where the entries that match the LDAP search filter should be added to different groups depending on the value of other attributes. For example, you need to add machines to different groups depending on their IP address or physical location. Or you need to place users to different groups depending on their employee ID number.

Automember definitions are a set of nested entries, with the Auto Membership plug-in container, then the automember definition, and then any regular expression conditions for that definition.

Note

Directory Server assigns entries to a group automatically only when entries are newly added to Directory Server. For existing entries or entries that you modified to meet an automember rule, run the fix-up task to assign the proper group membership.

Roles behave as both a static and a dynamic group. With a group, Directory Server adds entries to a group entry as members. With a role, Directory Server adds the role attribute to an entry and then uses that attribute to identify members in the role entry automatically.

With roles, you can organize users in the following ways:

Managed roles can do everything that you can do with static groups. You can filter the role members by using filtered roles, similar to the filtering with dynamic groups. Roles are easier to use than groups because they are more flexible in their implementation and reduce client complexity.

You can specify members explicitly or dynamically by using role types. Directory Server supports the following types of roles:

You can activate or inactivate entire groups of entries in just one operation. You can temporarily disable the members of a role by inactivating the role to which they belong.

When you inactivate a role, a user still can bind to the server by using a role entry. However, the user cannot bind to the server by using any of the entries that belong to this role. Entries that belong to an inactivated role have the nsAccountLock attribute set to true.

When you inactivate a nested role, a user cannot bind to the server if it is a member of any role within the nested role. All entries that belong to a role that are direct or indirect members of the nested role have nsAccountLock set to true. Inactivating a nested role at any point in the nesting inactivates all roles and users under it.

Roles and groups can accomplish the same goals. Managed roles can do everything that static groups can do, while filtered roles can filter and identify members the same way as dynamic groups. Both roles and groups have advantages and disadvantages. Deciding whether to use roles, or groups, or a mix depends on balancing your requirements and server resources.

Roles reduce client-side complexity. With roles, the client application can check role membership by searching the nsRole operational attribute in entries. This multi-valued attribute identifies every role to which the entry belongs. From the client application point of view, the method for checking membership is uniform and is performed on the server side.

However, roles require increased server complexity. Evaluating roles is more resource-intensive for the Directory Server than evaluating groups because the server does the work for the client application.

Groups require smarter and more complex clients to use them effectively. For example, dynamic groups, from an application point of view, offer no support from the server to provide a list of group members. Instead, the application retrieves the group definitions and then runs the filter. User entries contain group membership information only if you configure the appropriate plug-ins.

The LDIF entries below show a virtual view hierarchy that is based on location. Any entry that resides below dc=example,dc=com and fits the view description appears in this view, organized by location.

dn: ou=Location Views,dc=example,dc=com
objectclass: top
objectclass: organizationalUnit
objectclass: nsView
ou: Location Views
description: views categorized by location


dn: ou=Sunnyvale,ou=Location Views,dc=example,dc=com
objectclass: top
objectclass: organizationalUnit
objectclass: nsView
ou: Sunnyvale
nsViewFilter: (l=Sunnyvale)
description: views categorized by location


dn: ou=Santa Clara,ou=Location Views,dc=example,dc=com
objectclass: top
objectclass: organizationalUnit
objectclass: nsView
ou: Santa Clara
nsViewFilter: (l=Santa Clara)
description: views categorized by location


dn: ou=Cupertino,ou=Location Views,dc=example,dc=com
objectclass: top
objectclass: organizationalUnit
objectclass: nsView
ou: Cupertino
nsViewFilter: (l=Cupertino)
description: views categorized by location

A subtree search based at ou=Location Views,dc=example,dc=com returns all entries below dc=example,dc=com which match the filters (l=Sunnyvale), (l=Santa Clara), or (l=Cupertino). However, a one-level search returns no entries other than the child view entries because all qualifying entries reside in the three descendant views.

The ou=Location Views,dc=example,dc=com view entry itself does not contain a filter. This feature facilitates hierarchical organization without the requirement to further restrict the entries contained in the view. Any view may omit the filter.

Although the example filters are very simple, the filters you use can be as complex as necessary. You can limit the type of entry that the view should contain. For example, to limit this hierarchy to contain only people entries, add an nsfilter attribute to ou=Location Views,dc=example,dc=com with the filter value (objectclass=organizationalperson).

Each view with a filter restricts the content of all descendant views, while descendant views with filters also restrict their ancestor contents. For example, creating the top view ou=Location Views first together with the new filter mentioned above would create a view with all entries with the organization object class. When the descendant views are added that further restrict entries, the entries that now appear in the descendant views are removed from the ancestor views. This demonstrates how virtual DIT views emulate the behavior of traditional DITs.

Although virtual DIT views emulate the behavior of traditional DITs, views can do something that traditional DITs cannot: entries can appear in more than one location. For example, to associate Entry B with both Mountain View and Sunnyvale, add the Sunnyvale value to the location attribute, and the entry appears in both views.