
Re: separate login/password for several services?



On Fri, Aug 09, 2013 at 01:20:55PM +0300, Zeus Panchenko wrote:

> is there way to avoid target service uid clashing in this case?
> 
> let's say I have two users with name John and I need to give each one
> access to some service, but both of them wish the service uid=john (for
> example, it is common issue for MTA serving different mail domains with
> different user space for each one)

The first question to ask is how the application is going to tell the
difference between the two users when someone tries to log in as 'john'.

If the users are john@a.b.com and john@x.y.org then why not use the
full mail address as the uid?

> so what is needed to provide uniqueness of attribute `uid' for each 
> 
> dn: authorizedService=target-service,uid=target-user,ou=People,dc=org

If each 'john' account exists in a distinct identifiable namespace then
you could either put the name of the namespace in the account entry or
you could use it as part of the LDAP hierarchy. The application can
then formulate a search that finds the correct entry in one operation.

Namespace in account:

	Search base: ou=People,dc=org
	Search filter: "(&(uid=target-user)(namespace=x.y.com)(authorizedService=target-service))"

Namespace in hierarchy:

	Search base: ou=People,namespace=x.y.com,dc=org
	Search filter: "(&(uid=target-user)(authorizedService=target-service))"

[ 'namespace' is used as an example here. There is no such attribute
type in the standard schema ]

Andrew
-- 
-----------------------------------------------------------------------
|                 From Andrew Findlay, Skills 1st Ltd                 |
| Consultant in large-scale systems, networks, and directory services |
|     http://www.skills-1st.co.uk/                +44 1628 782565     |
-----------------------------------------------------------------------
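As an added illustration, not part of Andrew's message, here is how an application could build the two searches he sketches from a login of the form uid@namespace, escaping every user-supplied value before it goes into a filter (RFC 4515) or into a DN (RFC 4514) so that a login like `john)(uid=*` cannot rewrite the query. The `namespace` attribute and the `dc=org` suffix are the thread's own placeholders, not standard schema.

```python
# Added example (not from the thread): building the two searches Andrew
# describes from a login of the form uid@namespace. 'namespace' is the
# placeholder attribute from the thread, not a standard schema attribute.

BASE_DN = "dc=org"   # suffix used in the thread's example DNs

# RFC 4515: characters that must be escaped inside a filter assertion value.
# Without this, a login such as "john)(uid=*" would rewrite the filter.
_FILTER_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28",
                   ")": "\\29", "\x00": "\\00"}

def escape_filter_value(value: str) -> str:
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)

# RFC 4514: escaping for an attribute value placed inside a DN.
def escape_dn_value(value: str) -> str:
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in ',+"\\<>;' or (i == 0 and ch in "# ") or (i == last and ch == " "):
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        else:
            out.append(ch)
    return "".join(out)

def split_login(login: str):
    """'john@x.y.com' -> ('john', 'x.y.com'); the namespace follows the last '@'."""
    uid, sep, namespace = login.rpartition("@")
    if not sep or not uid or not namespace:
        raise ValueError("login must have the form uid@namespace")
    return uid, namespace

def namespace_in_account(login: str, service: str):
    """Variant 1: the namespace is an attribute of the account entry."""
    uid, ns = split_login(login)
    base = f"ou=People,{BASE_DN}"
    flt = (f"(&(uid={escape_filter_value(uid)})"
           f"(namespace={escape_filter_value(ns)})"
           f"(authorizedService={escape_filter_value(service)}))")
    return base, flt

def namespace_in_hierarchy(login: str, service: str):
    """Variant 2: the namespace is a level of the DIT, so it selects the search base."""
    uid, ns = split_login(login)
    base = f"ou=People,namespace={escape_dn_value(ns)},{BASE_DN}"
    flt = (f"(&(uid={escape_filter_value(uid)})"
           f"(authorizedService={escape_filter_value(service)}))")
    return base, flt
```

Either pair (base, filter) is then handed to a subtree search; a result of exactly one entry identifies the account, and zero or more than one should be treated as a failed login.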