
Re: Best way to manage multiple accounts

Fri, 14.05.2004 at 20.00, adp wrote:

> This is a common issue I'm sure, and I'm looking for suggestions.
> We have a group of people, Tim, Bob, and Phil. Each person has at least one
> account. In addition, Bob and Phil need access to some applications that
> need special usernames or passwords, and so they need more than one entry in
> LDAP. (My thoughts at least.)
> What is the best way to arrange this?

Put them in a group? That's what I do for people who have to manage
others, change others' details, access apps and so on:

# LDIF for the group entry (groupOfNames); the ACL below refers to it by DN
dn: cn=peoplemanagers,ou=groups,dc=billy,dc=demon,dc=nl
objectClass: top
objectClass: groupOfNames
member: cn=evy,ou=people,ou=groups,dc=billy,dc=demon,dc=nl
member: cn=tonni,ou=people,ou=groups,dc=billy,dc=demon,dc=nl
member: cn=billy,ou=people,ou=groups,dc=billy,dc=demon,dc=nl
cn: peoplemanagers

# slapd.conf access directive: admin and group members get write, all others read
access to dn.subtree=ou=people,ou=groups,dc=billy,dc=demon,dc=nl
  by dn=cn=admin,dc=billy,dc=demon,dc=nl write
  by group=cn=peoplemanagers,ou=groups,dc=billy,dc=demon,dc=nl write
  by * read

> I'm thinking that we need one subtree that is The Person (like Bob and his
> contact information). We can then have another subtree for The Accounts (a
> simpleSecurityObject probably). So perhaps something like:
> ou=People,root
> ou=Accounts,root
> Now since we have to support multiple applications, should we further extend
> this?
> ou=App1,ou=Accounts,root
> ou=App2,ou=Accounts,root
> ou=App3,ou=Accounts,root
> How do you solve this problem?

My version is 2.2.11. OpenLDAP is extremely flexible in granting access.
One of the most powerful tools is POSIX regexps. If you have a very
recent version, 'man slapd.access' will explain a lot.

> Also, I want to be able to view cn=bobemail,ou=App3,ou=Accounts,root and say
> "This belongs to uid=bob,ou=People,root" easily. Is there a standard way to
> point all of my accounts to a single "I own this" entry somewhere like
> ou=People?

Crafted ldapsearch or ldapwhoami command-line shell scriptlets should
do it. Don't know of any eDirectory-type GUI that does this. Of course,
with PHP4 or Perl CGIs the sky's the limit ;) There's a new phpldapadmin
out, but I haven't looked at it yet.

> This is more of a design question than a technical one, but I'm open to
> responses both about the design and technical nature of this issue.

You're your own architect, different people on this list have laid forth
many different schemes for doing what they want.




We make out of the quarrel with others rhetoric
but out of the quarrel with ourselves, poetry.

mail: billy - at - billy.demon.nl
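Added example (not from the mail above, and not OpenLDAP's own code): a toy model of slapd-style access evaluation, run against the peoplemanagers group and ACL posted in the reply. It shows why the group-based scheme works (first matching "access to" wins, then the first matching "by" clause decides) and goes a step beyond the mail by adding a second, regex-targeted rule for an ou=accounts subtree. The ou=accounts layout, the account entries, the `owner` attribute on them and the `dnattr=owner` clause are assumptions for illustration; `dnattr=` is a real slapd.access feature but the mail does not mention it.

```python
"""Toy model of slapd-style ACL evaluation (added example, not slapd code).

Assumed, not from the mail: the ou=accounts subtree, the account entries,
their `owner` attribute, and the dnattr=owner rule. The peoplemanagers
group and the ou=people rule are copied from the posted configuration.
"""
import re

SUFFIX = "dc=billy,dc=demon,dc=nl"
PEOPLE = f"ou=people,ou=groups,{SUFFIX}"   # layout exactly as posted
ACCOUNTS = f"ou=accounts,{SUFFIX}"         # assumed, after adp's proposal
GROUP = f"cn=peoplemanagers,ou=groups,{SUFFIX}"
ADMIN = f"cn=admin,{SUFFIX}"

# Constructed directory contents: the posted group plus sample entries.
DIRECTORY = {
    GROUP: {"objectClass": ["top", "groupOfNames"],
            "member": [f"cn=evy,{PEOPLE}", f"cn=tonni,{PEOPLE}",
                       f"cn=billy,{PEOPLE}"]},
    f"cn=evy,{PEOPLE}": {"cn": ["evy"]},
    f"cn=bob,{PEOPLE}": {"cn": ["bob"]},
    # assumed account entry that points back at its owner
    f"cn=bobemail,ou=app3,{ACCOUNTS}": {"objectClass": ["simpleSecurityObject"],
                                       "owner": [f"cn=bob,{PEOPLE}"]},
}

# Access levels in slapd's order: a grant of X also satisfies anything below X.
LEVELS = ["none", "auth", "compare", "search", "read", "write"]

# Rules in slapd.conf order: (target, [(who, level), ...]).
RULES = [
    # the posted rule: admin and group members write, everyone else read
    (("subtree", PEOPLE), [
        ("dn=" + ADMIN, "write"),
        ("group=" + GROUP, "write"),
        ("*", "read")]),
    # assumed rule using a POSIX regex target on the account entries
    (("regex", rf"^cn=[^,]+,ou=app[0-9]+,{re.escape(ACCOUNTS)}$"), [
        ("dn=" + ADMIN, "write"),
        ("dnattr=owner", "write"),      # the DN named in the entry's owner attr
        ("group=" + GROUP, "read"),
        ("*", "auth")]),
]


def norm(dn):
    """Case-fold and strip spaces after commas so DN comparisons are stable."""
    return dn.lower().replace(", ", ",")


def allows(granted, wanted):
    return LEVELS.index(granted) >= LEVELS.index(wanted)


def target_matches(target, dn):
    kind, val = target
    if kind == "subtree":
        return norm(dn) == norm(val) or norm(dn).endswith("," + norm(val))
    return re.search(val, norm(dn)) is not None


def who_matches(who, requester, entry):
    if who == "*":
        return True
    if who.startswith("dn="):
        return norm(who[3:]) == norm(requester)
    if who.startswith("group="):
        members = DIRECTORY.get(who[6:], {}).get("member", [])
        return norm(requester) in map(norm, members)
    if who.startswith("dnattr="):
        return norm(requester) in map(norm, entry.get(who[7:], []))
    raise ValueError(f"unsupported who clause: {who}")


def access(requester, dn, wanted):
    """True if `requester` (a DN, '' for anonymous) gets `wanted` on `dn`."""
    entry = DIRECTORY.get(dn, {})
    for target, bys in RULES:
        if not target_matches(target, dn):
            continue                      # try the next "access to"
        for who, level in bys:
            if who_matches(who, requester, entry):
                return allows(level, wanted)   # first matching "by" decides
        return False                      # target matched, nobody matched: none
    return False                          # no rule matched: default deny


if __name__ == "__main__":
    evy, bob = f"cn=evy,{PEOPLE}", f"cn=bob,{PEOPLE}"
    acct = f"cn=bobemail,ou=app3,{ACCOUNTS}"
    print("evy writes bob's person entry:", access(evy, bob, "write"))
    print("bob writes evy's person entry:", access(bob, evy, "write"))
    print("bob writes his own account:  ", access(bob, acct, "write"))
    print("evy reads bob's account:     ", access(evy, acct, "read"))
    print("anonymous reads bob's account:", access("", acct, "read"))
```

The point to take from the model is the ordering: evaluation stops at the first "access to" whose target matches, so a broad `dn.subtree` rule placed before a narrower regex rule silently shadows it, and a target that matches but whose "by" clauses match nobody yields no access rather than falling through. The same check is worth repeating against a real slapd with `ldapwhoami` and `ldapsearch` before trusting a new rule.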