I have ou=People and there I have stored our employees. I have to somehow divide them into our current employees and former employees. What I was thinking about was to create 2 groups, ou=Employees,ou=People and ou=FormerEmployees,ou=People, but changing the entryDN of the uid seems to be a bit tricky...
Should I rather add a custom attribute, or create some group? What is the best practice?
There is none. What we do is leave them in their last post and deactivate them.
You could create a group and add them to that, but I think that moving them to a new OU is the best answer. Moving them to a separate OU performs your stated goal of 'dividing them into current employees and former employees'.
Additionally I would take these security precautions:
I would also take the precaution of changing their login shell to /bin/false.
Note that you should change the password and mark the account as disabled. You could delete the passwd hash or replace it with something you would later recognize, such as LOCK.
These steps will prevent former employees from being able to log in, or if they were to somehow guess the password, do anything useful.
In our Active Directory, we script this by disabling the account and moving it to a Terminated Employees OU. After six months in that OU they get deleted. It may be a lot of work to change each by hand, but that's what scripting is for.
Moving the account entry outside of the default search base for accounts is a good practice.
If your user entries are leaves or you are using back-hdb in OpenLDAP, then you can use the ldapmodrdn command or the ldap_rename() function in the LDAP API to move them. If they are subtrees, then you may have to recursively copy the subtree and then recursively delete it.
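An added example that ties the two OpenLDAP answers together (the shell/password lock-down above and the modrdn move in this last answer); it is not code from any of the posters. It emits the LDIF that ldapmodify would apply for one uid, so it can be reviewed or diffed before anything touches the directory. The suffix dc=example,dc=com, the ou=People container and the destination ou=FormerEmployees,dc=example,dc=com are assumptions; the destination is deliberately a sibling of ou=People rather than the ou=FormerEmployees,ou=People from the question, because a client that does a subtree search from ou=People would still find entries parked underneath it. The lock value is {CRYPT}!LOCK rather than a bare LOCK: OpenLDAP compares a userPassword value with no {scheme} prefix as a cleartext password, whereas "!" is not a valid crypt(3) salt character, so nothing hashes to {CRYPT}!LOCK and the "!" still reads as the familiar shadow(5) lock marker.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumed directory layout:
#   suffix            dc=example,dc=com
#   current staff     ou=People,dc=example,dc=com
#   former staff      ou=FormerEmployees,dc=example,dc=com  (sibling of ou=People,
#                     so a subtree search on ou=People no longer returns them)
# Override BASE / NEW_OU in the environment to match a real tree.
BASE="${BASE:-dc=example,dc=com}"
OLD_OU="${OLD_OU:-ou=People,$BASE}"
NEW_OU="${NEW_OU:-ou=FormerEmployees,$BASE}"

# offboard_ldif <uid>
# Prints two LDIF change records for the entry uid=<uid>,$OLD_OU:
#   1. modify : loginShell -> /bin/false, userPassword -> {CRYPT}!LOCK
#      (a bare "LOCK" would be a valid cleartext password in OpenLDAP;
#       "!" is not a crypt(3) salt character, so no credential matches this)
#   2. modrdn : same RDN, new superior $NEW_OU (what "ldapmodrdn -s" does)
# Records are applied in order by ldapmodify, so the lock lands before the move.
offboard_ldif() {
  uid="$1"
  if [ -z "$uid" ]; then
    echo "usage: offboard_ldif <uid>" >&2
    return 1
  fi
  cat <<EOF
dn: uid=$uid,$OLD_OU
changetype: modify
replace: loginShell
loginShell: /bin/false
-
replace: userPassword
userPassword: {CRYPT}!LOCK
-

dn: uid=$uid,$OLD_OU
changetype: modrdn
newrdn: uid=$uid
deleteoldrdn: 1
newsuperior: $NEW_OU

EOF
}

# Usage (constructed example; bind DN and host are assumptions):
#   offboard_ldif jdoe | ldapmodify -x -H ldap://ldap.example.com \
#       -D cn=admin,dc=example,dc=com -W
```

The modrdn record only works directly when uid=jdoe is a leaf (or the backend supports subtree rename, as back-hdb does); for an entry with children, follow the last answer and copy the subtree, then delete the original. Because the whole change set is plain LDIF, it can also be generated for a list of uids and kept as the audit record of who was offboarded and when.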