
RE: Best way to manage multiple accounts
Hello...

I am responding to an older thread, the last posting of which is Howard's
reply at

http://www.openldap.org/lists/openldap-software/200405/msg00307.html

I am trying to work out a similar situation.  For historical reasons, we are
in a situation where the same person may have multiple accounts and
passwords.  Ideally, we'd like to be able to represent a single user with a
single directory entry but allow that user to bind to the directory by using
one of possibly multiple usernames and passwords.

As suggested in the thread I mentioned, we have considered having one branch
of people entries and another branch of account entries, and some
multi-valued attribute to associate people with accounts.  Something like
this:

# Steven Hodges, people, gatech.edu
dn: cn=Steven Hodges,ou=people,dc=gatech,dc=edu
cn: Steven Hodges
telephoneNumber: 404-888-1212
GTaccountDN: uid=sh157,ou=accounts,dc=gatech,dc=edu
GTaccountDN: uid=steve,ou=accounts,dc=gatech,dc=edu

# sh157, accounts, gatech.edu
dn: uid=sh157,ou=accounts,dc=gatech,dc=edu
cn: sh157
sn: sh157
uid: sh157
userpassword: blah1

# steve, accounts, gatech.edu
dn: uid=steve,ou=accounts,dc=gatech,dc=edu
cn: steve
sn: steve
uid: steve
userpassword: blah2

One issue that I am not sure about is the following.  Let's say a user binds
to the directory as an entry within the 'accounts' branch; the user is then
authenticated with the DN of the 'account' entry.  Then the user wants to
change an attribute of his 'person' entry, such as telephonenumber.  Is the
best way to handle this to use ACLs to give the 'account' DN write access to
that person attribute?  For example:

access to attrs=telephoneNumber
        by dnattr=GTaccountDN write
        by * read

Is this the best way to do this?
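A fuller slapd.conf ACL set for the two-branch layout in the post, added here as an example and not part of the original thread. It assumes GTaccountDN is defined in the schema with DN syntax (OID 1.3.6.1.4.1.1466.115.121.1.12), which the dnattr= clause requires.

```conf
# Added example, not from the original message. Assumes GTaccountDN is a
# schema-defined attribute with DN syntax (1.3.6.1.4.1.1466.115.121.1.12),
# as dnattr= requires. slapd evaluates ACLs first-match, so the most
# specific rules come first; the rootdn is never subject to these rules.

# 1. Account passwords: never readable. An account may change its own
#    password; anonymous clients may only use it to authenticate (bind).
access to dn.children="ou=accounts,dc=gatech,dc=edu" attrs=userPassword
        by self write
        by anonymous auth
        by * none

# 2. GTaccountDN is the authorisation data for rule 3. If an account could
#    write it on someone else's person entry, it could list itself there and
#    gain write access to that entry, so nobody but the rootdn may change it
#    (no matching "by" clause means the request is denied).
access to dn.children="ou=people,dc=gatech,dc=edu" attrs=GTaccountDN
        by * read

# 3. Self-service attributes on the person entry: any account whose DN is
#    listed in this entry's GTaccountDN may write them.
access to dn.children="ou=people,dc=gatech,dc=edu" attrs=telephoneNumber
        by dnattr=GTaccountDN write
        by * read

# 4. Everything else is readable by authenticated users only.
access to *
        by users read
        by * none
```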