dn: ou=Customers,@SUFFIX@
objectclass: organizationalUnit
ou: Customers
description: Customers at @ORG@

dn: ou=SubSystems,@SUFFIX@
objectclass: organizationalUnit
ou: SubSystems

dn: ou=Mail,ou=SubSystems,@SUFFIX@
objectclass: organizationalUnit
ou: Mail

dn: ou=SAM,@SUFFIX@
objectclass: organizationalUnit
ou: SAM
description: Security Accounts Manager (POSIX + Windows stuff)

dn: ou=Groups,ou=SAM,@SUFFIX@
objectClass: organizationalUnit
ou: Groups
description: Groups at @ORG@

dn: ou=Hosts,ou=SAM,@SUFFIX@
objectClass: organizationalUnit
ou: Hosts
description: Hosts at @ORG@

dn: ou=Services,ou=SAM,@SUFFIX@
objectClass: organizationalUnit
ou: Services
description: System services at @ORG@

dn: ou=idMap,ou=SAM,@SUFFIX@
objectClass: organizationalUnit
ou: idMap
description: Samba idmap subsystem

dn: ou=Entities,ou=SAM,@SUFFIX@
objectClass: organizationalUnit
ou: Entities
description: Human and non-human entities

dn: ou=People,ou=Entities,ou=SAM,@SUFFIX@
objectClass: organizationalUnit
ou: People
description: Users in @ORG@

dn: ou=System,ou=Entities,ou=SAM,@SUFFIX@
objectClass: organizationalUnit
ou: System
description: Non-human entities in @ORG@

dn: ou=Access Control,@SUFFIX@
objectClass: organizationalUnit
ou: Access Control

dn: ou=Groups,ou=Access Control,@SUFFIX@
objectClass: organizationalUnit
ou: Groups

# Empty groups not permitted - create as needed instead
#
#dn: cn=Replicants,ou=Groups,ou=Access Control,@SUFFIX@
#objectClass: groupOfUniqueNames
#cn: Replicants

dn: ou=Administrators,ou=Groups,ou=Access Control,@SUFFIX@
objectClass: organizationalUnit
ou: Administrators

# Empty groups not permitted - create as needed instead
#
#dn: cn=DSA,ou=Administrators,ou=Groups,ou=Access Control,@SUFFIX@
#objectClass: groupOfUniqueNames
#cn: DSA
#description: Directory System Agent administrators

dn: ou=Entities,ou=Access Control,@SUFFIX@
objectClass: organizationalUnit
ou: Entities
description: DSA-only entities