Chapter 4. Designing the Directory Tree

In a hosted organization, we also recommend that group entries used for directory administration be located under the ou=Groups branch.

4.2.3.3. Naming Organization Entries

The organization entry name, like other entry names, must be unique. Using the legal name of the organization along with other attribute values helps ensure the name is unique, such as o=example_a+st=Washington, o=ISP,c=US.

Trademarks can also be used, but they are not guaranteed to be unique.

In a hosting environment, include the following attributes in the organization's entry:

• o
• objectClass with values of top and organization

4.2.3.4. Naming Other Kinds of Entries

The directory contains entries that represent many things, such as localities, states, countries, devices, servers, network information, and other kinds of data.

For these types of entries, use the cn attribute in the RDN if possible. Then, for naming a group entry, name it something like cn=administrators, dc=example,dc=com.

However, sometimes an entry's object class does not support the commonName attribute. Instead, use an attribute that is supported by the entry's object class.

There does not have to be any correspondence between the attributes used for the entry's DN and the attributes actually used in the entry. However, a correspondence between the DN attributes and attributes used by the entry simplifies administration of the directory tree.

4.3. Grouping Directory Entries

After creating the required entries, group them for ease of administration. The Directory Server supports several methods for grouping entries and sharing attributes between entries:

• Using roles
• Using class of service

The following sections describe each of these mechanisms in more detail.

4.3.1. About Roles

Roles are an entry grouping mechanism. The directory tree organizes information hierarchically.
This hierarchy is a grouping mechanism, though it is not suited for short-lived, changing organizations. Roles provide another grouping mechanism for more temporary organizational structures.

Roles unify static and dynamic groups. Static groups create a group entry that contains a list of members, while dynamic groups filter entries that contain a particular attribute and include them in a single group.

Each entry assigned to a role contains the nsRole attribute, a computed attribute that specifies all of the roles to which an entry belongs. A client application can check role membership by searching the nsRole attribute, which is computed by the directory and is therefore always up-to-date.
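
An added example, not part of the original guide: a lint-style check for the naming guidance in sections 4.2.3.3 and 4.2.3.4. It parses a DN, including a multi-valued RDN such as o=example_a+st=Washington, and reports a hosted organization entry that lacks o or the top and organization object classes, or whose RDN values do not appear in the entry. The function names and the sample entries are assumptions constructed for illustration.

```python
import re

def split_unescaped(text, sep):
    """Split on sep, skipping separators escaped with a backslash."""
    parts, cur, i = [], [], 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text):
            cur.append(text[i:i + 2])      # keep the escape pair intact
            i += 2
            continue
        if text[i] == sep:
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(text[i])
        i += 1
    parts.append("".join(cur).strip())
    return parts

def parse_dn(dn):
    """Return the DN as a list of RDNs, each a list of (attr, value) pairs.
    Hex-pair escapes and quoted values are outside this example's scope."""
    rdns = []
    for rdn in split_unescaped(dn, ","):
        pairs = []
        for ava in split_unescaped(rdn, "+"):   # '+' joins a multi-valued RDN
            attr, sep, value = ava.partition("=")
            if not (sep and attr.strip() and value.strip()):
                raise ValueError(f"malformed RDN component: {ava!r}")
            value = re.sub(r"\\(.)", r"\1", value.strip())  # drop escapes
            pairs.append((attr.strip().lower(), value))
        rdns.append(pairs)
    return rdns

def check_org_entry(dn, entry):
    """List findings for a hosted organization entry (advisory checks)."""
    attrs = {k.lower(): [v.lower() for v in vs] for k, vs in entry.items()}
    findings = [f"objectClass lacks value {oc}" for oc in ("top", "organization")
                if oc not in attrs.get("objectclass", [])]
    if not attrs.get("o"):
        findings.append("entry has no o attribute")
    for attr, value in parse_dn(dn)[0]:         # leftmost RDN names the entry
        if value.lower() not in attrs.get(attr, []):
            findings.append(f"RDN {attr}={value} not present in entry")
    return findings

# Constructed sample entries using the DN from section 4.2.3.3.
DN = "o=example_a+st=Washington, o=ISP,c=US"
GOOD = {"objectClass": ["top", "organization"], "o": ["example_a"], "st": ["Washington"]}
BAD = {"objectClass": ["top"], "o": ["Example Corp"]}
```

check_org_entry(DN, GOOD) returns an empty list, while check_org_entry(DN, BAD) returns three findings: the missing organization object class and the two RDN values that the entry does not carry.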