LDAP layout question

I am very new to LDAP & just trying to learn. I am using openldap on debian.

Can someone clarify this - or alternately point me to some link which will clarify these basic concepts?

Let's say I have the following situation I want represent in ldap

I am running a company. The company sells servers which are installed at customer sites. The company sells some servers directly and some through resellers. Company has a central administration tool which can manage all customer servers. I want to have different access permissions when someone logs into the server.

There are 3 levels of permissions P1, P2 & P3.

there are logins for company employees, reseller employees & also for customer employees.

Each employee's access will be decided by whose employee he is - My employees will have access to all servers - Reseller's employees will have access to only servers which have been sold by the reseller. - Customer's employees will have access only to servers which belong to the customer.

Even amongst all these employees what level of access they have will depend on whether they have P1, P2, or P3 permissions.

i.e. My employee with P3 access can do all operations for all servers. My employee with P1 access can do limited operations on all servers Reseller's employee with P1 access can do limited operations on all servers on all servers which have been sold through that reseller & so on and so forth.

This is what I am starting with dn: dc=mycompany,dc=com objectclass: organization objectclass: dcObject o: mycompany.net dc: mycompany

# Perms #
dn: ou=perms, dc=mycompany,dc=com
objectclass: organizationalUnit

dn: cn=p1, ou=perms, dc=mycompany,dc=com
objectclass: organizationalRole
cn: p1

dn: cn=p2, ou=perms,dc=mycompany,dc=com
objectclass: organizationalRole
cn: p2


# Reseller #
dn: ou=resellers, dc=mycompany,dc=com
objectclass: organizationalUnit

dn: cn=r1, ou=resellers, dc=mycompany,dc=com
objectclass: organizationalUnit
member: uid=xyz, ou=unames, dc=mycompany,dc=com

dn: cn=r2, ou=resellers, dc=mycompany,dc=com
objectclass: organizationalUnit
member: uid=abc, ou=unames, dc=mycompany,dc=com


# Customers #

dn: ou=customers, dc=mycompany,dc=com
objectclass: organizationalUnit

dn: cn=c1, ou=customers, dc=mycompany,dc=com
objectclass: organizationalUnit
member: uid=mno, ou=logins, dc=mycompany,dc=com
member: uid=pqr, ou=logins, dc=mycompany,dc=com

dn: cn=c2, ou=customers, dc=mycompany,dc=com
objectclass: organizationalUnit
member: uid=mno2, ou=logins, dc=mycompany,dc=com


// unames
dn: ou=unames, dc=mycompany,dc=com
objectclass: organizationalUnit
ou: logins

dn: uid=abc, ou=unames, dc=mycompany,dc=com
objectclass: inetOrgPerson
cn: a
sn: bc
employeeType: cn=p2, ou=roles,dc=mycompany,dc=com

dn: uid=pqr, ou=logins, dc=mycompany,dc=com
objectclass: inetOrgPerson
cn: p
sn: qr
employeeType: cn=p1, ou=roles, dc=mycompany,dc=com

Not sure if this is correct. But even if this is correct, I am getting confused beyond this

How do I have servers? Let's say I create an ou=servers,dc=mycompany,dc=com Then I have one entry for each server cn=srv1, ou=servers,dc=mycompany,dc=com etc.

How do see which server belongs to which customer. Do I add a member: inside the customer? In that case, the customer will have some members who are employees & some members which are servers. Is that OK?

Or is there a better way to do it?

How do I represent direct customers?

Should I create a reseller called direct & put direct customers in those & then use code logic to treat it as a special customer?