Ben Steeves wrote:
On 7/21/06, Per Kristiansen <perk(a)funcom.com> wrote:
> I had hoped to let the people at HR do the data entry on the "soft"
> information , while the operations people do the "hard" information.
If people are going to need access to just a few attributes, or you
need to apply business rules to the process before it hits the
directory, you're probably best off building your own interfaces (or a
framework on which to build multiple interfaces). In our case I built
a PERL module that our devs use to talk to the directory that
implements our directory organization principles, neatly abstracting
it out so that they don't have to worry about mundate directory
matters but can concentrate on the business rules and user interface.
I like to think of LDAP as a building block toward creating an
infrastructure. Think of it like an SQL database, if you are familiar
with that - you can set it up, but the structure of the data, as well as
permissions on who can do what with the data, is more or less external
to the directory/db server. Creating a useful LDAP service, esp if you
are integrating lots of end user services against it, is sometimes a bit
of an art.
You can write a custom interface in perl, java, etc - I prefer php, but
that's just me (actually, php's LDAP api is pretty primitive, but php is
simple to code in, and has just enough api to do most things you'll
want)... Anyway, that lets me create an interface that looks exactly
the way I want it to, covers all the components I have working against
LDAP, allows me to apply business logic against it, etc.
You can find prebuilt generic ldap browsers, but these tend to either
not include business logic (see below), or aren't "aware" enough about
apps you have (for example, if you are using samba, there may be certain
restrictions of the values you put in ldap that a generic browser that
just lets you edit fields doesn't know about).
Interfaces that ARE aware of some apps you use tend to not know about
others - i.e. you might find one that creates users for samba, but knows
nothing about your other apps and how they use LDAP, so you may not get
a single "complete" admin tool.
ACI's in ldap can be used to restrict who can do what - i.e. an ops
group that can create users, and HR group that can edit address, phone,
etc info on existing users, etc. However, if you want to incorporate
business logic (i.e. make uid's all lower case, restrict the state field
to only upper case/valid US state abbreviations, etc), you have to have
an admin tool that enforces this - there is nothing inherent in LDAP to