Re: ask for some tips of unified identity using LDAP
--On Monday, March 15, 2004 12:30 PM -0300 "firstname.lastname@example.org"
> I would like to ask for tips, on how people make a directory system to
> make a unique login/password relating all individual information
> relating to authorization for each service that an individual could
>
> As service I mean physical access control to a room or building,
> e-mail system authentication, dial-up authentication, RADIUS
> authentication for other services depends on RADIUS, computer
> use access by login in any computer anywhere in a university
> campus, administrative system access login, intranet web access
> by login, employee entrance control, etc.
>
> Does this type of directory system exist?
> Can it be done using LDAP?
> Is there any similar system using OpenLDAP?
>
> How do universities and big companies implement a unique ID
> for individuals in fact?

We use a person's uid (not uidNumber) as their unique name. Thus, my unique
name at Stanford is "quanah". We use Kerberos as our backend
authentication piece. All people entering the university must sign up for
a UID at a web application. That web application checks a backend database
that contains a list of all used UIDs.
We currently also use RADIUS off of our OpenLDAP servers as well. The way
we do this is through "privilege groups". Our server has an attribute
that is multi-valued that stores all the privileges you have. So the
RADIUS servers query to see if you belong to particular groups. If you
do, you get access via RADIUS. This also allows us to update and maintain
these groups through another web application.
As for logins, etc, you might want to see our posixAccount information at:
One of the main pieces you are missing here is using Kerberos as an
authentication mechanism that ties together with LDAP. With Kerberos, we
can immediately deactivate people from having login access around the
For the web access piece, you might want to look at:
which ties together Kerberos & LDAP for authentication/authorization
Principal Software Developer
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
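
The "privilege groups" check described in the reply above, as an added example that is not part of the original message and is not Stanford's code. The attribute name `privilegeGroup`, the group names and the in-memory directory are assumptions made for illustration; authentication (Kerberos in the reply) is out of scope here.

```python
import re

PRIV_ATTR = "privilegeGroup"  # hypothetical name for the multi-valued privilege attribute

# Constructed sample entries standing in for the LDAP directory.
DIRECTORY = [
    {"uid": ["alice"], PRIV_ATTR: ["radius:dialup", "mail:user"]},
    {"uid": ["bob"], PRIV_ATTR: ["mail:user"]},
]

_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    """Escape a value for an LDAP search filter (RFC 4515), so a supplied
    login name is always treated as a literal and never as filter syntax."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_filter(uid, group):
    """Filter a RADIUS server could send: matches only if uid holds the group."""
    return "(&(uid=%s)(%s=%s))" % (
        escape_filter_value(uid), PRIV_ATTR, escape_filter_value(group))


def _unescape(value):
    """Turn \\xx hex escapes back into the literal characters they stand for."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def search(filter_str, directory=DIRECTORY):
    """Local stand-in for the LDAP search: evaluates an AND of equality terms
    by exact match against each entry's attribute values."""
    terms = re.findall(r"\(([A-Za-z]+)=((?:[^()\\]|\\[0-9a-fA-F]{2})*)\)", filter_str)
    return [entry for entry in directory
            if all(_unescape(val) in entry.get(attr, []) for attr, val in terms)]


def is_authorized(uid, group):
    """Grant access only when exactly one entry matches uid and holds the group."""
    return len(search(build_filter(uid, group))) == 1


if __name__ == "__main__":
    for user in ("alice", "bob", "*"):
        print(user, is_authorized(user, "radius:dialup"))
```

Because the decision is a single attribute lookup, removing one value from the entry revokes that service without touching the account itself.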