
Re: separate login/password for several services?

On Fri, Aug 09, 2013 at 05:53:57PM +0300, Zeus Panchenko wrote:

> To: Andrew Findlay <andrew.findlay@skills-1st.co.uk>

Please keep replies on the list so that they become searchable
and everyone can benefit.

> here is the diagram depicting what I am thinking about while talking :)
> 
> https://www.dropbox.com/s/212kdpbiug9obkc/org-ldap-diagram-plane.png

> I dedicate these DN-s for services, so each such DN *can and is supposed to*
> use any (in theory) uid in the entry that the user can ask for

Do you really want every user account on every service to have a
different username? (i.e. the user cannot request to be known as
'fred' on both the SMTP service and the IMAP service?)

> in particular, I do not see another way to authenticate users of
> different domains (for email)/realms (for xmpp) against the same LDAP DB

That depends on how you provide the services. If the network address
of the services used by domain-A users is different from that used by
domain-B users then the server processes will know which domain they
are serving.  If the same network address is used to serve all domains
then you do indeed require the uids to be unique across domains (but
you probably do want to let fred@x.y.com use that ID for all
services).

> > It may be enough for you to simply prevent the non-uniqueness. You can
> > do that using the 'unique' overlay:
> 
> mmm ... won't it prevent non-uniqueness only for parent DN-s? While
> what I'm trying to ask about (I'm sorry for the muddled-up explanation of
> what I mean) is uniqueness for the uid *in* the entry ... so, the uniqueness
> of the attribute `uid' among all DN-s containing authorizedService=target-service

You could do that if you are prepared to have one config line for each
service. Something like:

overlay unique
unique_uri ldap:///ou=People,dc=org?uid?sub?(authorizedService=SMTP)
unique_uri ldap:///ou=People,dc=org?uid?sub?(authorizedService=IMAP)
unique_uri ldap:///ou=People,dc=org?uid?sub?(authorizedService=POP3)
unique_uri ldap:///ou=People,dc=org?uid?sub?(authorizedService=XMPP)
unique_uri ldap:///ou=People,dc=org?uid?sub?(authorizedService=SSH)

Andrew
-- 
-----------------------------------------------------------------------
|                 From Andrew Findlay, Skills 1st Ltd                 |
| Consultant in large-scale systems, networks, and directory services |
|     http://www.skills-1st.co.uk/                +44 1628 782565     |
-----------------------------------------------------------------------
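An offline model of what the per-service unique_uri lines in the reply express, added here as an example; it is not code from the post or from OpenLDAP's own unique overlay. It parses each URI into base, attribute, scope and filter, then reports uid values shared by more than one entry that matches the same URI. The sample entries and their DNs are constructed.

```python
"""Offline model of the per-service uid uniqueness the unique_uri lines in
the post express. Added example, not code from the post or from OpenLDAP."""
from collections import defaultdict
from urllib.parse import unquote, urlsplit

# unique_uri values from the post; each line is its own uniqueness domain.
UNIQUE_URIS = [
    "ldap:///ou=People,dc=org?uid?sub?(authorizedService=SMTP)",
    "ldap:///ou=People,dc=org?uid?sub?(authorizedService=IMAP)",
    "ldap:///ou=People,dc=org?uid?sub?(authorizedService=POP3)",
]

# Constructed sample entries (not from the post). svc-a and svc-b both hold
# uid=fred on IMAP (a clash); svc-c holds uid=fred only on POP3 (allowed).
ENTRIES = [
    {"dn": "cn=svc-a,ou=People,dc=org", "uid": ["fred"],
     "authorizedService": ["SMTP", "IMAP"]},
    {"dn": "cn=svc-b,ou=People,dc=org", "uid": ["fred", "alice"],
     "authorizedService": ["IMAP"]},
    {"dn": "cn=svc-c,ou=People,dc=org", "uid": ["fred"],
     "authorizedService": ["POP3"]},
]


def parse_unique_uri(uri):
    """Split an LDAP URL into (base, attr, scope, (filter_attr, filter_value));
    only the single equality filter shape used in the post is handled."""
    parts = urlsplit(uri)
    base = unquote(parts.path).lstrip("/").lower()
    attr, scope, flt = (parts.query.split("?") + ["", ""])[:3]
    fattr, fval = flt.strip("()").split("=", 1)
    return base, attr, scope or "base", (fattr, fval)


def find_collisions(entries, uris):
    """Return {uri: {value: [dn, ...]}} for every value of the URI's attribute
    held by more than one entry under its base that matches its filter."""
    report = {}
    for uri in uris:
        base, attr, scope, (fattr, fval) = parse_unique_uri(uri)
        holders = defaultdict(list)
        for e in entries:
            dn = e["dn"].lower()  # assumes DNs are spelled consistently
            in_scope = dn == base or (scope == "sub" and dn.endswith("," + base))
            if in_scope and fval in e.get(fattr, []):
                for v in e.get(attr, []):
                    holders[v].append(e["dn"])
        dupes = {v: dns for v, dns in holders.items() if len(dns) > 1}
        if dupes:
            report[uri] = dupes
    return report
```

The real overlay refuses the offending write at add/modify time; this model only shows which existing entries would have been refused under those five lines, which is useful for auditing a directory before switching the overlay on.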