7

I'm not sure whether it's better to nest groups under each of my organizational units or to make an organizational unit directly under the root DN just for groups. Is one considered best practice over the other? I want to keep my configuration as vanilla as possible to maximize compatibility with LDAP-aware applications.

My immediate needs include:

  1. SSO with Atlassian Crowd
  2. Google Apps Directory Sync (LDAP Groups -> Mailing Lists)
  3. pGina for Windows Authentication

Here is a diagram showing the two strategies I'm considering:

[diagram not reproduced: strategy A, a single groups OU directly under the root DN; strategy B, groups nested under each organizational unit]

Jeff
  • Not sure what the "best" way is, but I certainly prefer groups as child objects of their respective organizations. Makes filter building and delegation much simpler to manage. – jscott Oct 15 '13 at 14:12
  • I'm not aware of a best practice between the 2 methods, but I would agree with @jscott that method B is easier to manage and makes more logical sense. I don't think LDAP-aware apps care where in the directory the objects are stored as long as they know where/how to find them. – TheCleaner Oct 15 '13 at 14:22
  • I've run into the issue where a vendor claims to support LDAP, but they don't let you specify the objectClass for groups or users and various other nonsense. I didn't know if one was less prone to this. It's to the point where I may need a proxy to rewrite the requests. – Jeff Oct 15 '13 at 14:31

2 Answers

6

According to the AD design guidance, there are 2 things to consider when designing your structure: 1) delegation of administrative control and 2) group policies.

Since Group Policies don't apply to groups, you're basically left with one - delegation of Administrative control. Your model B gives the option to do some local delegation of administrative tasks at each school, which might be something you'll implement, so that's what I would have gone for.

I've seen examples of further dividing groups into separate OUs by group type, such as application group, policy group, permission group, and so on.

Trondh
  • I do have group policies. I like the idea of having separate OUs for application, policy and permission groups. This answered which is best for my use case. Thanks! – Jeff Oct 15 '13 at 14:56
1

I think it would be best to keep all the groups which contain members from only a single school under the same OU, and have a separate OU at the root for inter-school groups. It will help in the management of your AD in the long run.

  • Karthikk, this is what I ended up doing. My reasoning was in-line with yours. Thanks. – Jeff Oct 28 '13 at 13:22
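The structure that the two answers converge on (model B with groups under each school OU, split by group type, plus a root-level OU for inter-school groups, with group management delegated per school) can be built and delegated from PowerShell on a domain-joined admin host. The script below is an added example and is not code from the original thread or from any of the answerers; the domain name, the school names, the sub-OU names and the `<School>-GroupAdmins` naming are hypothetical, and the `dsacls` rights strings are taken from that tool's documented syntax rather than from anything on the page, so verify the resulting ACL in the Security tab before relying on it.

```powershell
# Added example, not code from the original thread.
# Builds model B (OU=Groups under each school OU, split by group type),
# adds a root-level OU for inter-school groups, and delegates group
# management under each school's OU=Groups to a per-school admin group.
# Domain, school names and group names are assumptions; try it in a lab first.
Import-Module ActiveDirectory

$DomainDN   = (Get-ADDomain).DistinguishedName      # e.g. DC=example,DC=edu (assumed)
$NetBIOS    = (Get-ADDomain).NetBIOSName            # e.g. EXAMPLE (assumed)
$Schools    = @('Lincoln High', 'Roosevelt Middle') # assumed school names
$GroupTypes = @('Application Groups', 'Policy Groups', 'Permission Groups')

# Create an OU under $Path if it does not exist; return its DN either way.
function New-OUIfMissing {
    param([string]$Name, [string]$Path)
    $dn = "OU=$Name,$Path"
    $existing = Get-ADOrganizationalUnit -Filter "Name -eq '$Name'" `
                    -SearchBase $Path -SearchScope OneLevel
    if (-not $existing) {
        New-ADOrganizationalUnit -Name $Name -Path $Path `
            -ProtectedFromAccidentalDeletion $true | Out-Null
    }
    return $dn
}

# The groups that HOLD delegated rights live in a central OU, outside every
# delegated scope, so a school's admins cannot add members to their own
# admin group. Inter-school groups also stay central and undelegated.
$DelegationOU  = New-OUIfMissing -Name 'Delegation Groups'  -Path $DomainDN
$InterSchoolOU = New-OUIfMissing -Name 'Inter-School Groups' -Path $DomainDN

foreach ($school in $Schools) {
    $schoolOU = New-OUIfMissing -Name $school  -Path $DomainDN
    $groupsOU = New-OUIfMissing -Name 'Groups' -Path $schoolOU
    foreach ($type in $GroupTypes) {
        New-OUIfMissing -Name $type -Path $groupsOU | Out-Null
    }

    # Per-school admin group, created in the central Delegation Groups OU.
    $adminName = ($school -replace '\s', '') + '-GroupAdmins'
    if (-not (Get-ADGroup -Filter "Name -eq '$adminName'")) {
        New-ADGroup -Name $adminName -GroupScope Global `
            -GroupCategory Security -Path $DelegationOU
    }

    # Delegation, scoped to this school's OU=Groups and its sub-OUs only:
    #   CCDC;group          create and delete group objects (this OU and below)
    #   WP;member;group     write the member attribute on group objects below
    # Nothing is granted on the school's user OUs or on other schools.
    $trustee = "$NetBIOS\$adminName"
    & dsacls $groupsOU /I:T /G "${trustee}:CCDC;group"      | Out-Null
    & dsacls $groupsOU /I:S /G "${trustee}:WP;member;group" | Out-Null
}

# Review the effective ACL on one school's Groups OU before handing it over.
& dsacls "OU=Groups,OU=$($Schools[0]),$DomainDN"
```

Two practical notes. First, this layout keeps per-school connectors simple: a Crowd or Google Apps Directory Sync connector for one school can use `OU=Groups,OU=Lincoln High,DC=example,DC=edu` as its base DN with the default `(objectClass=group)` filter, while a domain-wide sync uses the domain root and the same filter, which is exactly the "filter building" benefit jscott mentions. Second, the `WP;member` grant lets a school's admins put any account, including their own, into any group under their OU=Groups, so anything that confers rights outside the school (for example, groups that grant access on central servers) belongs in the root-level Inter-School Groups OU, not under the delegated one.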