[Date Prev][Date Next]
Re: Best way to manage multiple accounts
Well, let me give a common scenario: A person has two email accounts. This
does happen. Now one solution would be to require that the user lose one
account. However, there may be political issues with that, so the second
solution is to support two accounts for that one user. How do others handle
My thoughts right now are to have a People ou that has one entry per person.
I then have an Accounts ou that has may have multiple accounts for one
Person. I'm thinking I can have an attribute such as accountBelongsTo: that
maps me to the right Person entry in People so that I can always determine
which accounts belong to which people.
Yes, I totally agree, everyone needs to design what works best for them. But
it's only prudent to ask around first because someone else may have come up
with a great solution already. :)
----- Original Message -----
From: "Tony Earnshaw" <firstname.lastname@example.org>
To: "Openldap list" <openldap-software@OpenLDAP.org>
Sent: Friday, May 14, 2004 5:09 PM
Subject: Re: Best way to manage multiple accounts
> fre, 14.05.2004 kl. 20.00 skrev adp:
> > This is a common issue I'm sure, and I'm looking for suggestions.
> > We have a group people, Tim, Bob, and Phil. Each person has at least one
> > account. In addition, Bob and Phil need access to some applications that
> > need special usernames or passwords, and so they need more than one
> > LDAP. (My thoughts at least.)
> > What is the best way to arrange this?
> Put them in a group? That's what I do for people who have to manage
> others, change others' details, access apps and so on:
> dn: cn=peoplemanagers,ou=groups,dc=billy,dc=demon,dc=nl
> objectClass: top
> objectClass: groupOfNames
> member: cn=evy,ou=people,ou=groups,dc=billy,dc=demon,dc=nl
> member: cn=tonni,ou=people,ou=groups,dc=billy,dc=demon,dc=nl
> member: cn=billy,ou=people,ou=groups,dc=billy,dc=demon,dc=nl
> cn: peoplemanagers
> access to dn.subtree=ou=people,ou=groups,dc=billy,dc=demon,dc=nl
> by dn=cn=admin,dc=billy,dc=demon,dc=nl write
> by group=cn=peoplemanagers,ou=groups,dc=billy,dc=demon,dc=nl write
> by * read
> > I'm thinking that we need one subtree that is The Person (like Bob and
> > contact information). We can then have another subtree for The Accounts
> > simpleSecurityObject probably). So perhaps something like:
> > ou=People,root
> > ou=Accounts,root
> > Now since we have to support multiple applications, should we further
> > this?
> > ou=App1,ou=Accounts,root
> > ou=App2,ou=Accounts,root
> > ou=App3,ou=Accounts,root
> > How do you solve this problem?
> My version is 2.2.11. Openldap is extremely flexible in granting access.
> One of the most powerful tools is Posix regexps. If you have a very
> recent version, 'man slapd.access' will explain a lot.
> > Also, I want to be able to view cn=bobemail,ou=App3,ou=Accounts,root and
> > "This belongs to uid=bob,ou=People,root" easily. Is there a standard way
> > point all of my accounts to a single "I own this" entry somewhere like
> > ou=People?
> Crafted ldapsearch or ldapwhoami command-line shell scriptlets should
> do it. Don't know of any eDirectory-type GUI that does this. Of course,
> with PHP4 or Perl CGIs the sky's the limit ;) There's a new phpldapadmin
> out, but I haven't looked at it yet.
> > This is more of a design question than a technical one, but I'm open to
> > responses both about the design and technical nature of this issue.
> You're your own architect, different people on this list have laid forth
> many different schemes for doing what they want.
> We make out of the quarrel with others rhetoric
> but out of the quarrel with ourselves, poetry.
> mail: billy - at - billy.demon.nl