
Re: Maintaining information about who owns what..

--On Saturday, December 11, 2004 11:33 PM -0600 fuser9bb@hotpop.com wrote:

I am using OpenLDAP 2.2.

I have two types of entries in our directory: people and accounts. I want
to be able to easily determine which accounts are owned by which people. (A
people entry belongs to one actual person, while a person may own several
accounts.) The current thinking is to use a local objectclass and
(localAccount). So we may have:

dn: cn=123,...
objectClass: inetOrgPerson
objectClass: localPerson
localAccount: uid=abc,...
localAccount: uid=efg,...

And our account:

dn: uid=abc,...
objectClass: inetOrgPerson
objectClass: localAccount
localPerson: cn=123,...

This way it's easy to map back and forth between entries.

I would think that locating which accounts belong to which people is a
common occurrence. It can be difficult to enforce a one person/one account
rule in many organizations.

Better suggestions?

OpenLDAP supports sets, which can allow you to do this type of thing. Do people bind into the directory as one of their accounts? If so, it might look something like:

access to dn.children="cn=people....."
 by set.exact="this/localAccount & user" read

or if they bind to the people tree

access to dn.children="cn=account..."
 by set.exact="this/localPerson & user" read

Those may be a bit incorrect, but hopefully you get the idea.


Quanah Gibson-Mount
Principal Software Developer
ITSS/Shared Services
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
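The set-based ACL above grants access based on the localAccount/localPerson values stored in the target entry, so a stale or one-sided link silently changes who can read what. The following Python script is an added example, not code from the thread or from OpenLDAP: it reads an LDIF export and reports every person/account link that is not mirrored on the other side. The DNs and the LDIF sample are constructed for illustration.

```python
from collections import defaultdict
# Constructed sample data (not from the thread): uid=efg is listed on the person
# but does not point back, and uid=xyz points at a person entry that does not exist.
SAMPLE_LDIF = """\
dn: cn=123,ou=people,dc=example,dc=com
objectClass: localPerson
localAccount: uid=abc,ou=accounts,dc=example,dc=com
localAccount: uid=efg,ou=accounts,dc=example,dc=com

dn: uid=abc,ou=accounts,dc=example,dc=com
objectClass: localAccount
localPerson: cn=123,ou=people,dc=example,dc=com

dn: uid=efg,ou=accounts,dc=example,dc=com
objectClass: localAccount

dn: uid=xyz,ou=accounts,dc=example,dc=com
objectClass: localAccount
localPerson: cn=999,ou=people,dc=example,dc=com
"""

def parse_ldif(text):
    """Minimal LDIF reader -> {dn: {attr: [values]}}; no base64 or line folding."""
    entries, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            current = None
            continue
        attr, _, value = line.partition(": ")
        if attr.lower() == "dn":
            current = entries.setdefault(value, defaultdict(list))
        elif current is not None:
            current[attr.lower()].append(value)
    return entries

def check_links(entries):
    """Return (forward, backward) lists of person<->account links that are not mirrored.
    DNs are compared as exact strings, a simplification of real LDAP DN matching."""
    forward, backward = [], []
    for dn, e in entries.items():
        for acct in e.get("localaccount", []):   # person -> account must point back
            if dn not in entries.get(acct, {}).get("localperson", []):
                forward.append((dn, acct))
        for person in e.get("localperson", []):  # account -> person must list it
            if dn not in entries.get(person, {}).get("localaccount", []):
                backward.append((dn, person))
    return forward, backward

if __name__ == "__main__":
    print(check_links(parse_ldif(SAMPLE_LDIF)))
```

Run it against `slapcat` output before relying on the ACL; any tuple it prints is an entry whose access decision no longer matches the intended ownership.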