In LDAP, is it best to nest groups under organizational units or to create an organizational unit directly under the root DN just for groups?

I'm not sure whether it's better to nest groups under each of my organizational units or to make an organizational unit directly under the root DN just for groups. Is one considered best practice over the other? I want to keep my configuration as vanilla as possible to maximize compatibility with LDAP-aware applications.

My immediate needs include:

  1. SSO with Atlassian Crowd
  2. Google Apps Directory Sync (LDAP Groups -> Mailing Lists)
  3. pGina for Windows Authentication

Here is a diagram showing the two strategies I'm considering:

[Diagram of the two OU layouts being compared; image not available.]


Solution 1:

According to the AD design guidance, there are two things to consider when designing your structure: (1) delegation of administrative control and (2) group policies.

Since Group Policies don't apply to groups, you're basically left with one - delegation of Administrative control. Your model B gives the option to do some local delegation of administrative tasks at each school, which might be something you'll implement, so that's what I would have gone for.

I've seen examples of further dividing groups into separate OUs by group type, such as application group, policy group, permission group, and so on.
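The two concerns raised so far, compatibility with LDAP-aware applications (the question) and per-school delegation (Solution 1), both come down to which search base and scope an application or a delegated admin is pointed at. The following is an added example, not code from the question or either answer: it emulates those searches against the two layouts with a small in-memory LDIF reader, so it runs offline without a directory server or a client library. The suffix dc=example,dc=edu, the school names North and South, the group names, and the assumption that "model B" is the layout with an ou=Groups nested under each school OU (as Solution 1's wording suggests) are all constructed for this example.

```python
"""Added example (not from the question or either answer): emulate the LDAP
searches an application and a delegated admin would run against the two
OU layouts, using a tiny in-memory LDIF reader so it runs offline.
The suffix dc=example,dc=edu, school names and group names are constructed."""
from collections import defaultdict

ROOT = "dc=example,dc=edu"   # constructed base DN

# Layout A (assumed "model A"): a single ou=Groups directly under the root DN.
LDIF_A = """\
dn: ou=Groups,dc=example,dc=edu
objectClass: organizationalUnit

dn: cn=north-staff,ou=Groups,dc=example,dc=edu
objectClass: groupOfNames
member: uid=alice,ou=People,dc=example,dc=edu

dn: cn=south-staff,ou=Groups,dc=example,dc=edu
objectClass: groupOfNames
member: uid=bob,ou=People,dc=example,dc=edu
"""

# Layout B (assumed "model B"): an ou=Groups nested under each school OU.
LDIF_B = """\
dn: ou=Groups,ou=North,dc=example,dc=edu
objectClass: organizationalUnit

dn: cn=north-staff,ou=Groups,ou=North,dc=example,dc=edu
objectClass: groupOfNames
member: uid=alice,ou=People,ou=North,dc=example,dc=edu

dn: ou=Groups,ou=South,dc=example,dc=edu
objectClass: organizationalUnit

dn: cn=south-staff,ou=Groups,ou=South,dc=example,dc=edu
objectClass: groupOfNames
member: uid=bob,ou=People,ou=South,dc=example,dc=edu
"""


def parse_ldif(text):
    """Minimal LDIF reader: entries separated by blank lines, no line folding,
    no base64 values. Returns {dn: {attribute_lowercased: [values]}}."""
    entries = {}
    for block in text.strip().split("\n\n"):
        dn, attrs = None, defaultdict(list)
        for line in block.splitlines():
            key, _, value = line.partition(": ")
            if key.lower() == "dn":
                dn = value
            else:
                attrs[key.lower()].append(value)
        entries[dn] = attrs
    return entries


def _rdns(dn):
    """Split a DN into lowercased RDN components, leaf first."""
    return [c.strip().lower() for c in dn.split(",")]


def search(entries, base, scope, object_class):
    """Emulate an LDAP search: scope is 'base', 'one' or 'sub', with an
    (objectClass=<object_class>) filter. Returns the matching DNs, sorted.
    A real server would return noSuchObject for a missing base; here the
    result is simply empty."""
    base_rdns = _rdns(base)
    hits = []
    for dn, attrs in entries.items():
        rdns = _rdns(dn)
        if rdns[-len(base_rdns):] != base_rdns:
            continue                      # entry is not under the search base
        depth = len(rdns) - len(base_rdns)
        if (scope == "base" and depth != 0) or (scope == "one" and depth != 1):
            continue
        if object_class.lower() in (v.lower() for v in attrs["objectclass"]):
            hits.append(dn)
    return sorted(hits)


def app_group_lookup(entries):
    """Two ways LDAP-aware apps are commonly configured to enumerate groups:
    a subtree search from the root, or a one-level search from one group OU."""
    return {
        "subtree_from_root": search(entries, ROOT, "sub", "groupOfNames"),
        "onelevel_from_central_ou": search(entries, "ou=Groups," + ROOT, "one", "groupOfNames"),
    }


def delegated_scope(entries, base):
    """Groups that a delegation granted on the subtree at `base` would cover
    (the boundary an OU-level delegation, or an OpenLDAP dn.subtree ACL,
    actually enforces)."""
    return search(entries, base, "sub", "groupOfNames")


if __name__ == "__main__":
    for name, ldif in (("A", LDIF_A), ("B", LDIF_B)):
        entries = parse_ldif(ldif)
        print(f"layout {name}:", app_group_lookup(entries))
    print("A, delegate ou=Groups:", delegated_scope(parse_ldif(LDIF_A), "ou=Groups," + ROOT))
    print("B, delegate North:", delegated_scope(parse_ldif(LDIF_B), "ou=Groups,ou=North," + ROOT))
```

Running it shows the trade-off in concrete terms: a subtree search from the root finds both groups under either layout, so an application configured that way does not care which you pick, whereas an application that expects a single group base DN with one-level scope only works with the central ou=Groups of layout A. Conversely, the smallest subtree you can delegate in layout A contains every school's groups, while layout B gives each school its own subtree to delegate.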

Solution 2:

I think it would be best to keep all the groups which contain members from only a single school under the same OU, and have a separate OU at the root for inter-school groups. It will help in the management of your AD in the long run.