I'm facing a strange LDAP configuration. Some admin just created users as OUs in OpenLDAP. To do it, the admin changed some attributes in the OU like posixAccount, inetOrgPerson, organizationalPerson and person. My question is: what is the advantage of doing it? It works, but I would like to know the drawbacks of it.
For one thing, the OU (organizationalUnit) doesn't have the shadowAccount objectClass, for expiring passwords/accounts, etc.
Whereas, with a regular account, you get all the attributes that go with each of these objectClasses: person, organizationalPerson, inetOrgPerson, posixAccount, shadowAccount.
These are defined in: /etc/openldap/schema/
Can you describe your environment a little more?
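For comparison, here is an added LDIF example (not from the original post or from any real directory; the DNs, names and numeric values are made up) showing a conventional POSIX user entry with the shadowAccount attributes the answer above mentions, next to an entry named with ou= as the question describes. The second entry keeps inetOrgPerson as its structural class and simply uses the ou attribute (allowed by organizationalPerson) as its RDN; OpenLDAP's slapd will not accept an entry that carries both organizationalUnit and person/inetOrgPerson as structural classes, so naming the entry ou=... is the realistic way this ends up "working":

```ldif
# Added example, not part of the original thread. Sample data is constructed.
#
# 1. Conventional user entry: RDN uid=, structural class inetOrgPerson
#    (which implies organizationalPerson and person), plus the auxiliary
#    classes posixAccount and shadowAccount.
dn: uid=jdoe,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: jdoe
cn: John Doe
sn: Doe
uidNumber: 10001
gidNumber: 10001
homeDirectory: /home/jdoe
loginShell: /bin/bash
# shadowAccount attributes: password ageing and account expiry, which
# pam_unix / nss_ldap / sssd use to enforce expiry. Days since the epoch.
shadowLastChange: 19700
shadowMin: 0
shadowMax: 90
shadowWarning: 7
shadowInactive: 14
shadowExpire: 20000

# 2. The kind of entry the question describes: same person classes, but the
#    RDN is ou=jdoe (the ou attribute is a MAY of organizationalPerson) and
#    there is no shadowAccount class, so none of the ageing/expiry attributes
#    above can be stored on it. Adding objectClass: organizationalUnit here
#    would be rejected by slapd as an invalid structural object class chain.
dn: ou=jdoe,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
ou: jdoe
uid: jdoe
cn: John Doe
sn: Doe
uidNumber: 10001
gidNumber: 10001
homeDirectory: /home/jdoe
loginShell: /bin/bash
```

A quick way to see the difference on a live server is to compare `ldapsearch -LLL -b ou=People,dc=example,dc=com '(uid=jdoe)' shadowMax shadowExpire` for both entries: the uid= entry returns the ageing values, the ou= entry returns nothing for them, which is what `chage -l`-style expiry checks end up relying on.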
In a generic case, you can modify the schema as you want. It can be ou=john, user=john, unicorn=john, etc; but it is against convention. I'd say that the admin did nobody a favor.
Creating users as container objects (assuming that is really what happened, as opposed to changing the naming attribute from cn= to ou=, which is basically a non-event) does have some interesting advantages.
There was a PBX system (I think Nortel, but I do not recall now) that when it used LDAP for storing users and phone info it created the users as container objects.
This breaks all sorts of things but the gain is that the User object can contain configuration objects. This allows a different logical grouping than is usually handled.
Instead of adding attributes for configuration, or assigning the equivalence of group membership to some configuration object, it lets you store the configuration as objects.
I think Citrix has an approach where it does this as well, to store some personalized settings.