[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: separate login/password for several services?
Andrew Findlay <andrew.findlay@skills-1st.co.uk> wrote:
> > lets say I have two users with name John and I need to give each one
> > acces to some service, but both of them wish the service uid=john (for
> > example, it is common issue for MTA serving different mail domains with
> > different user space for each one)
>
> The first question to ask is how the application is going to tell the
> difference between the two users when someone tries to login as 'john'.
>
> If the users are john@a.b.com and john@x.y.org then why not use the
> full mail address as the uid?
>
yes, it is what I was thought about too and I like the idea, though
I wanted to check how correct/right is this way
> > so what is needed to provide uniqueness of attribute `uid' for each
> > dn: authorizedService=target-service,uid=target-user,ou=People,dc=org
perhaps I need to define more accurately what I mean:
the uniqueness while *creating* the dn ... since for dn-s
dn: authorizedService=target-service,uid=target-user1,ou=People,dc=org
dn: authorizedService=target-service,uid=target-user2,ou=People,dc=org
...
dn: authorizedService=target-service,uid=target-userN,ou=People,dc=org
I want to prevent the possibility to create the same uid=john-whatever-format-it-is
now I do can ldapadd these ldif-s successfully
---[ ldif ]------------------------------------------------------------
dn: authorizedService=xmpp.org,uid=jdoe,ou=People,dc=org
authorizedService: xmpp.org
cn: john.doe@xmpp.org
sn: xmpp.org
description: John Doe XMPP account at xmpp.org
uidNumber: 12345
gidNumber: 23456
homeDirectory: /nonexistent
loginShell: /sbin/nologin
objectClass: person
objectClass: posixAccount
objectClass: shadowAccount
objectClass: authorizedServiceObject
uid: john
dn: authorizedService=xmpp.org,uid=jsmith,ou=People,dc=org
authorizedService: xmpp.org
cn: john.smith@xmpp.org
sn: xmpp.org
description: John Smith XMPP account at xmpp.org
uidNumber: 12356
gidNumber: 23456
homeDirectory: /nonexistent
loginShell: /sbin/nologin
objectClass: person
objectClass: posixAccount
objectClass: shadowAccount
objectClass: authorizedServiceObject
uid: john
---[ ldif ]------------------------------------------------------------
and
ldapsearch ... "(&(uid=john)(authorizedService=xmpp.org))"
outputs both of them, so I need the way I can know that uid: is not
unique while creating the dn:
so, what I need to prevent the possibility to create the second dn:,
since it will contain the same uid value as the first one?
> If each 'john' account exists in a distinct identifiable namespace then
> you could either put the name of the namespace in the account entry or
> you could use it as part of the LDAP hierachy. The application can
> then formulate a search that finds the correct entry in one operation.
I was thinking to use sn: attribute since it is login dedicated dn: and
it is no need in it
but all the same, my question remains oppened: how to not to create not
unique uid for dn: authorizedService=target-service,uid= ?
have I put in into UI for records management or it can be done on the
server side (for example like indexes in SQL)
--
Zeus V. Panchenko jid:zeus@im.ibs.dn.ua
IT Dpt., I.B.S. LLC GMT+2 (EET)