An LDAP DIT
Location, location, location
© 2014 Dennis Leeuw dleeuw at made-it dot com
License: GPLv2 or later
The directory information tree (DIT) is the basic layout of your LDAP tree. It more or less describes which information can be found where in the tree. You can of course always search the tree, but a good DIT makes browsing the tree easier. With this document we are trying to provide you with a DIT design that is hopefully logical, easy to use and provides for enough room to also contain legacy information.
Since new ideas arise and old ones are thrown out of the window before we have new ones, this design will always be in some kind of flux. We hope, however, that it will help you design your own DIT.
A basic DIT
- Directory Security Objects. A store for accounts that need to be able to access the directory tree, without being a real account. These accounts should be limited/enabled through ACLs in the server configuration.
- A collection of persons, with or without account control information. Historically this is often called ou=accounts, but I think this could contain more than just accounts; it can also contain address book information. The related objectClass is person, and the plural is people. Of course it could contain accounts that are not related to a person, but you can't have it all :)
- A collection of devices (switches, routers, PCs) within the network, with or without account control information. Microsoft calls this ou=computers while most Unix-based systems call this ou=hosts. The related objectClass is called device and so it is more logical to call it devices.
- A collection of groups, mostly used to group persons and devices.
- Application-specific data. It would probably have been better named services, but that name is historically reserved for an LDAPtized /etc/services ou.
- A collection of networks and IP addresses (tied to MAC addresses).
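As an added example, not part of the original document, the LDIF below lays out the skeleton of the DIT described above and shows how one directory security object can be confined by an OpenLDAP cn=config access rule: it may bind and read ou=people, and nothing else. The suffix dc=example,dc=com, the OU name ou=dso, the bind entry cn=addressbook-reader and the database entry olcDatabase={1}mdb are assumptions; the page does not fix these names.

```ldif
# Added example, not from the original page. dc=example,dc=com, ou=dso and
# cn=addressbook-reader are assumed names.
dn: dc=example,dc=com
objectClass: dcObject
objectClass: organization
dc: example
o: Example

dn: ou=dso,dc=example,dc=com
objectClass: organizationalUnit
ou: dso

dn: ou=people,dc=example,dc=com
objectClass: organizationalUnit
ou: people

dn: ou=devices,dc=example,dc=com
objectClass: organizationalUnit
ou: devices

dn: ou=groups,dc=example,dc=com
objectClass: organizationalUnit
ou: groups

# One directory security object: a bind DN with a password but no
# account attributes (organizationalRole + simpleSecurityObject).
dn: cn=addressbook-reader,ou=dso,dc=example,dc=com
objectClass: organizationalRole
objectClass: simpleSecurityObject
cn: addressbook-reader
userPassword: {SSHA}PLACEHOLDER-REPLACE-WITH-REAL-HASH

# Access control for the data database, applied to cn=config separately
# (e.g. ldapmodify -Y EXTERNAL -H ldapi:///). OpenLDAP evaluates the
# first matching "to" clause, then the first matching "by" clause.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: to attrs=userPassword
  by self write
  by anonymous auth
  by * none
olcAccess: to dn.subtree="ou=people,dc=example,dc=com"
  by dn.exact="cn=addressbook-reader,ou=dso,dc=example,dc=com" read
  by users read
  by * none
olcAccess: to *
  by dn.exact="cn=addressbook-reader,ou=dso,dc=example,dc=com" none
  by users read
  by * none
```

The "by anonymous auth" clause on userPassword is what lets the DSO bind at all; the explicit "none" for it in the final rule keeps it out of ou=devices, ou=groups and the other ou=dso entries.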