In a hosting environment, include the following attributes in the organization's entry:

o

objectClass with values of top and organization

4.2.3.4 Naming other kinds of entries

The directory contains entries that represent many things, such as localities, states, countries, devices, servers, network information, and other kinds of data.

For these types of entries, use the cn attribute in the RDN if possible. For example, name a group entry something like cn=administrators, dc=example,dc=com.

However, sometimes an entry's object class does not support the commonName attribute. In that case, use an attribute that is supported by the entry's object class.

There does not have to be any correspondence between the attributes used for the entry's DN and the attributes actually used in the entry. However, a correspondence between the DN attributes and attributes used by the entry simplifies administration of the directory tree.

4.3 Grouping directory entries

After creating the required entries, group them for ease of administration. The Directory Server supports several methods for grouping entries and sharing attributes between entries:

Using roles

Using class of service

The following sections describe each of these mechanisms in more detail.

4.3.1 About roles

Roles are an entry grouping mechanism. The directory tree organizes information hierarchically. This hierarchy is a grouping mechanism, though it is not suited for short-lived, changing organizations. Roles provide another grouping mechanism for more temporary organizational structures.

Roles unify static and dynamic groups. Static groups create a group entry that contains a list of members, while dynamic groups filter entries that contain a particular attribute and include them in a single group.

Each entry assigned to a role contains the nsRole attribute, a computed attribute that specifies all the roles to which an entry belongs. A client application can check role membership by searching the nsRole attribute, which is computed by the directory and is therefore always up-to-date.

Roles are designed to be more efficient and easier to use for applications. For example, applications can locate the roles of an entry rather than select a group and browse the members list.

Roles can organize groups in a number of different ways:

Enumerate the members of the role.

Having an enumerated list of role members can be useful for resolving queries for group members quickly.

Determine whether a given entry possesses a particular role.

Knowing the roles possessed by an entry can help determine whether the entry possesses the target role.

Enumerate all the roles possessed by a given entry.

Assign a particular role to a given entry.

Remove a particular role from a given entry.
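
The first three operations above are read-only searches against nsRole. The following is an added example, not code from this guide: it builds those three search requests and escapes the role DN per RFC 4515 so that it is treated as data in the filter. The DNs, the function names, and the choice of the OpenLDAP ldapsearch client are assumptions made for illustration.

```python
# Added example (not from the guide): LDAP search requests for the three
# read-side role operations, all driven by the computed nsRole attribute.
# All DNs below are constructed sample values.

# RFC 4515 requires these characters to be escaped inside a filter value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29",
                   "\x00": r"\00"}


def escape_filter_value(value):
    """Escape a string so it is treated as data, not filter syntax."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def members_of_role(base_dn, role_dn):
    """Enumerate role members: every entry whose nsRole contains role_dn."""
    return {"base": base_dn, "scope": "sub",
            "filter": "(nsRole=%s)" % escape_filter_value(role_dn),
            "attrs": ["1.1"]}  # "1.1" asks for no attributes, only DNs


def entry_has_role(entry_dn, role_dn):
    """Base-scope search; the entry is returned only if it holds role_dn."""
    return {"base": entry_dn, "scope": "base",
            "filter": "(nsRole=%s)" % escape_filter_value(role_dn),
            "attrs": ["1.1"]}


def roles_of_entry(entry_dn):
    """Enumerate all roles of one entry by requesting nsRole by name."""
    return {"base": entry_dn, "scope": "base",
            "filter": "(objectClass=*)", "attrs": ["nsRole"]}


def to_ldapsearch(req):
    """Render a request as an ldapsearch argument list (no shell parsing)."""
    return ["ldapsearch", "-x", "-b", req["base"], "-s", req["scope"],
            req["filter"], *req["attrs"]]


if __name__ == "__main__":
    role = "cn=Sales Managers (EMEA),dc=example,dc=com"
    user = "uid=jdoe,ou=People,dc=example,dc=com"
    for req in (members_of_role("dc=example,dc=com", role),
                entry_has_role(user, role), roles_of_entry(user)):
        print(to_ldapsearch(req))
```

Passing the arguments as a list to the client, rather than joining them into a shell string, keeps the parentheses in the filter away from shell interpretation.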
