Figure A–1shows a logical view of the organizational structure provided by the sample ldif file. (Figure A–1 adds a shared organization, HIJ, that does not exist in the file.)
The sample ldif file contains the following organizations under the root-suffix nodes:
VIS provider organization. The following organizations are managed by the SPA for the VIS provider organization:
SESTA, a full organization. The SESTA organization has its own domain, sesta.com.
DEF, a shared organization. The DEF organization uses the shared domain, siroe.com.
ESG provider organization. No subordinate organizations are defined for this provider organization.
The ldif file defines the following administrator roles for these organizations:
An SPA for the VIS provider organization (user2@abc.com)
An SPA for the ESG provider organization (user2_def)
An OA for the SESTA organization (user1@abc.com)
An OA for the DEF organization (user1_def)
In a three-tiered directory hierarchy, a Directory Information Tree (DIT) does not look exactly like the logical view shown in Figure A–1. Organizations are implemented in the DIT in a somewhat different hierarchy.
For example, in a DIT, full domains must reside directly under the root suffix. Therefore, domain nodes are added under the root suffix to store LDAP information for shared domains (used by shared organizations) and for full organizations (which have their own domains).
Figure A–3 shows a Directory Information Tree (DIT) view of the sample organization data.
The example shown in Figure A–3, like the logical view shown in Figure A–1, contains the following organizations:
VIS and ESG (provider organizations)
DEF, a shared organization subordinate to the VIS provider organization
SESTA, a full organization subordinate to the VIS provider organization
The nodes in the sample organization file (da.sample.data.ldif) are as follows:
ugldapbasedn - This parameter represents the root suffix.
o=business - A node that contains all businesses in the directory.
o=SharedDomainsRoot - A node needed to contain the domains used by shared organizations.
In this Directory Information Tree, shared organizations subordinate to different service provider organizations can use the same shared domain. This can be done because both the provider organizations have nodes under the SharedDomainsRoot node.
o=ESGDomainsRoot and o=VISDomainsRoot - These nodes contain any full organizations that are subordinate to the ESG and VIS provider organizations.
Each provider organization that manages full organizations must have a node at this level (under the root suffix).
Multiple full organizations, each with its own domain, can exist under ESGDomainsRoot or VISDomainsRoot.
o=siroe.com - The shared domain. It is used by the shared organization, DEF.
o=VIS and o=ESG - These provider organization nodes contain any shared organizations subordinate to the VIS and ESG provider organizations.
For example, the shared organization, DEF, is subordinate to the VIS provider organization.
o=SESTA - The full organization. It has its own domain, sesta.com.
o=DEF - The shared organization. It uses the domain siroe.com.
ou=people - The standard LDAP organization unit required for containing users.
Some user DNs in the sample organization file shown in Figure A–3 are as follows:
For the user named user1_def, who belongs to the DEF organization:
dn: uid=user1_def,ou=People,o=DEF,o=VIS,o=siroe.com, \ o=SharedDomainsRoot,o=Business,ugldapbasedn |
For the user named user1, who belongs to the SESTA organization:
dn: uid=user1,ou=People,o=SESTA,o=VISDomainsRoot, \ o=Business,ugldapbasedn |