An LDAP DIT

Location, location, location

© 2014 Dennis Leeuw dleeuw at made-it dot com
License: GPLv2 or later

Index

1. introduction
2. A basic DIT

The directory information tree (DIT) is the basic layout of your LDAP tree. It more or less describes which information can be found where in the tree. You can of course always search the tree, but a good DIT makes browsing the tree easier. With this document we are trying to provide you with a DIT design that is hopefully logical, easy to use and provides for enough room to also contain legacy information.

Since new ideas arise and old ones are thrown out of the window before we have new ones, this design will always be in some kind of flux. We hope however that is will help you design your own DIT.

• dc=example,dc=com

ou=DSO

Directory Security Objects. A store for accounts that need to be able to access the directory tree, without being a real account. These accounts should be limited/enabled through ACLs in the server configuration.

ou=people

A collection of persons, with or without account control information. Historically this is often called ou=accounts, but I think this could contain more then just accounts, it can also contain addresbook information. The related objectClass is person, and plural is people. Of course if could contain accounts that are not related to a person, but you can't have it all :)

ou=devices

A collection of devices (switches, routers, PCs) within the network, with or without account control information. Microsoft calls this ou=computers while most Unix-based systems call this ou=hosts. The related objectClass is called device and so it is more logical to call it devices.

ou=groups

A collection of groups, mostly used to group persons and devices

ou=apps

Application specific data, it would probably have been better named services, but that name is reserved, historically, for a LDAPtized /etc/services ou.

ou=networks

A collection of networks and IP addresses (tied to MAC addresses).