In our schema we need to have users who will belong to
multiple groups. These groups are independent groups and do
not have any parent child relationship. So while defining the
ObjectClass for my user i have two options:
1) Have an attribute called - isMemberOf and make it of type
distinguishedName. This will be a list of all groups to which
a user belongs.
2) Have a multivalued attribute - groupName.
which option makes more sense. Assume the functionalities
that i need to support are:
1) Search all users belonging to a group
2) edit a user to add/remove a group from profile
3) Delete all the users belonging to a group
That's really totally up to you, and what makes sense for you and the
apps your LDAP server needs to support. Either way has pros and cons,
and you'll need to weigh those and figure out which one works best in
your particular situation.