<div dir="ltr"><<a href="https://docs.google.com/file/d/0B96SIvDkZEUJU1JoZE8xTWh4UFk/edit?usp=sharing">https://docs.google.com/file/d/0B96SIvDkZEUJU1JoZE8xTWh4UFk/edit?usp=sharing</a>><br><div><br></div><div style>In the above, everything exists under ou=domains. In the case an operator wants to use only one single (default) domain, they'd set their configuration to use the root, rather than ou=domains, and would move everything up a level. Otherwise, a default domain exists as a normal domain in the tree.</div>
<div style><br></div><div style>In this DIT configuration, domains have roles and projects, projects have roles. Projects and roles have members. I believe there was discussion of implying membership in the project by membership of the roles. I'm not a huge fan of that, but I can modify this design if that's the preferred approach.</div>
<div style><br></div><div style>There's some major benefits of designing the DIT in this way:</div><div style><br></div><div style>1. It's possible to scope searches by depth and base to limit searches to domains and project and to find roles for domains and projects.</div>
<div style>2. The DIT can be extended by LDAP administrators for other uses. I can give you a ton of examples, as I'm doing this currently for per-project sudoers, service and group users, etc..</div><div style>3. Users, groups, and projects have no requirements for being globally unique. They are only unique per domain.</div>
<div style>4. For operators using the current implementation who don't want multiple domains, this is backwards compatible.</div><div style>5. For operators wanting to using multiple domains, they simply need to move their tree a level deeper. Of course this isn't a simple change, but it should be a matter of configuration for their applications, rather than development effort.</div>
<div style>6. Domains are a matter of hierarchy, and this uses LDAP's natural hierarchy.</div><div style><br></div><div style>Respectfully,</div><div style><br></div><div style>Ryan Lane</div><div style>Wikimedia Labs Lead</div>
<div style>Wikimedia Foundation</div></div>