Chapter 10. Directory Design Examples

Example Corp.'s directory will be used by a messaging server, a web server, a calendar server, a human resources application, and a white pages application.

The messaging server performs exact searches on attributes such as uid, mailServerName, and mailAddress. To improve database performance, Example Corp. will maintain indexes for these attributes to support searches by the messaging server.

For more information on using indexes, see Section 6.4, “Using Indexes to Improve Database Performance”.

The white pages application frequently searches for user names and phone numbers. The directory therefore needs to be capable of frequent substring, wildcard, and fuzzy searches, which return large sets of results. Example Corp. decides to maintain presence, equality, approximate, and substring indexes for the cn, sn, and givenName attributes and presence, equality, and substring indexes for the telephoneNumber attribute.

Example Corp.'s directory maintains user and group information to support an LDAP server-based intranet deployed throughout the organization. Most of Example Corp.'s user and group information will be centrally managed by a group of directory administrators. However, Example Corp. also wants email information to be managed by a separate group of mail administrators.

Example Corp. plans to support public key infrastructure (PKI) applications in the future, such as S/MIME email, so it needs to be prepared to store users' public key certificates in the directory.

The root of the directory tree is Example Corp.'s Internet domain name: dc=example,dc=com.

The directory tree has four branch points: ou=people, ou=groups, ou=roles, and ou=resources.

All of Example Corp.'s people entries are created under the ou=people branch.

The people entries are all members of the person, organizationalPerson, inetOrgPerson, and examplePerson object classes. The uid attribute uniquely identifies each entry's DN. For example, Example Corp. contains entries for Babs Jensen (uid=bjensen) and Emily Stanton (uid=estanton).

They create three roles, one for each department in Example Corp.: sales, marketing, and accounting.

Each person entry contains a role attribute which identifies the department to which the person belongs. Example Corp. can now create ACIs based on these roles.

For more information about roles, see Section 4.3.2, “About Roles”.

They create two group branches under the ou=groups branch.

The first group, cn=administrators, contains entries for the directory administrators, who manage the directory contents.

The second group, cn=messaging admin, contains entries for the mail administrators, who manage mail accounts. This group corresponds to the administrators group used by the messaging server. Example Corp. ensures that the group it configures for the messaging server is different from the group it creates for Directory Server.

They create two branches under the ou=resources branch, one for conference rooms (ou=conference rooms) and one for offices (ou=offices).

They create a class of service (CoS) that provides values for the mailquota attribute depending on whether an entry belongs to the administrative group.

This CoS gives administrators a mail quota of 100GB while ordinary Example Corp. employees have a mail quota of 5GB.

See Section 5.3, “About Classes of Service” for more information about class of service.

They create an ACI that allows employees to modify their own entries.

Users can modify all attributes except the uid, manager and department attributes.

To protect the privacy of employee data, they create an ACI that allows only the employee and their manager to see the employee's home address and phone number.

They create an ACI at the root of the directory tree that allows the two administrator groups the appropriate directory permissions.

The directory administrators group needs full access to the directory. The messaging administrators group needs write and delete access to the mailRecipient and mailGroup object classes and the attributes contained on those object classes, as well as the mail attribute. Example Corp. also grants the messaging administrators group write, delete, and add permissions to the group subdirectory for creation of mail groups.

They create a general ACI at the root of the directory tree that allows anonymous access for read, search, and compare access.

This ACI denies anonymous write access to password information.

To protect the server from denial of service attacks and inappropriate use, they set resource limits based on the DN used by directory clients to bind.

Example Corp. allows anonymous users to receive 100 entries at a time in response to search requests, messaging administrative users to receive 1,000 entries, and directory administrators to receive an unlimited number of entries.

For more information about setting resource limits based on the bind DN, see the "User Account Management" chapter in the Red Hat Directory Server Administrator's Guide.

They create a password policy which specifies that passwords must be at least eight characters in length and expire after 90 days.

For more information about password policies, see Section 9.6, “Designing a Password Policy”.

They create an ACI that gives members of the accounting role access to all payroll information.

Back up the databases every night.

Use SNMP to monitor the server status.

For more information about SNMP, see the Red Hat Directory Server Administrator's Guide.

Auto-rotate the access and error logs.

Monitor the error log to ensure that the server is performing as expected.

Monitor the access log to screen for searches that should be indexed.