LDAP for managing different types of users - Best Practices
I currently have an OpenLDAP server set up as my primary *nix account storage and authentication system (I know, I should be using Kerberos; that's the next step) using Ubuntu Server 8.04. I'm also using LDAP to authenticate users for my Bugzilla, MediaWiki, SVN and Joomla apps.
I use the smbldap tools to create and modify internal staff so that staff members can access their central home directory and shared NFS export. Other users are managed through the phpLDAPadmin console.
Currently, I have three *nix groups set up:
* internal - staff and other internal company users
* external - contractors and suppliers who need access to bugzilla, svn, etc
* customers - the customers we service
Internal users also have access to other things such as NFS exports, while external and customer groups can only use our online apps.
Also, users are stored in ou=People,dc=mycompanyname,dc=com, and I group users based on their *nix group. However, what I'm wondering is whether I should be using an organizational unit (ou) child, e.g.:
As there seems to be no point in storing the external and customers groups as *nix groups, because they will never have access to the server's filesystem.
Additionally, it is likely that Customers and Suppliers can be stored using the Address Book Entry schema as it seems to capture all the information we require.
I'm probably going to go with this new plan and am really just looking for validation that I'm on the right track. If I'm not on the right track, what should I be doing to improve the structure of my LDAP server?
Any help much appreciated.
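The point the post is circling is that only internal staff should carry *nix account attributes, since contractors and customers never touch the server's filesystem. The following is an added example, not code from the original post: it parses a constructed LDIF export of the proposed layout and flags any entry outside the internal branch that still carries posixAccount or a loginShell, which is the kind of check worth running after restructuring. The ou=Internal/ou=External/ou=Customers names and the sample entries are assumptions.

```python
"""Audit an LDIF export for *nix account attributes outside the internal branch.
Added example; the DIT below is constructed and the ou names are assumptions."""

SAMPLE_LDIF = """\
dn: uid=alice,ou=Internal,ou=People,dc=mycompanyname,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
uid: alice
uidNumber: 1001

dn: uid=bob,ou=External,ou=People,dc=mycompanyname,dc=com
objectClass: inetOrgPerson
uid: bob
loginShell: /bin/bash

dn: uid=carol,ou=Customers,ou=People,dc=mycompanyname,dc=com
objectClass: inetOrgPerson
uid: carol
"""

# Branch whose members are allowed to hold posixAccount (assumed name).
INTERNAL_BRANCH = "ou=internal,ou=people,dc=mycompanyname,dc=com"

def parse_ldif(text):
    """Minimal LDIF parser: blank-line separated entries of 'attr: value'
    lines (no base64 '::' values). Returns [(dn, {attr: [values]})]."""
    entries, current, dn = [], {}, None
    for line in text.splitlines() + [""]:
        if not line.strip():
            if dn is not None:
                entries.append((dn, current))
            current, dn = {}, None
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            dn = value
        else:
            current.setdefault(attr, []).append(value)
    return entries

def find_misplaced_posix_accounts(entries, internal_branch=INTERNAL_BRANCH):
    """Return DNs that could log in to a *nix host (posixAccount objectClass
    or a loginShell attribute) but do not live under the internal branch."""
    flagged = []
    for dn, attrs in entries:
        classes = {c.lower() for c in attrs.get("objectclass", [])}
        has_posix = "posixaccount" in classes or "loginshell" in attrs
        if has_posix and not dn.lower().endswith(internal_branch):
            flagged.append(dn)
    return flagged

if __name__ == "__main__":
    for dn in find_misplaced_posix_accounts(parse_ldif(SAMPLE_LDIF)):
        print("*nix account attributes outside internal branch:", dn)
```

Against a real server, feed it the output of an ldapsearch export of ou=People instead of SAMPLE_LDIF.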