Re: separate login/password for several services?

[Dmitriy Kirhlarov <dimma@higis.ru>]

Just crazy idea...

several attributes for user passwords (userPassword1, userPassword2, 
...) in user account and proxy-mapping overlay (slapo-translucent? 
slapo-rwm?) with mapping attribute userPassword into userPassword1 or 
userPassword2 with dependencies from service IP.

WBR

On 09.08.2013 17:17, Zeus Panchenko wrote:
> Andrew Findlay <andrew.findlay@skills-1st.co.uk> wrote:
> > > lets say I have two users with name John and I need to give each one
> > > acces to some service, but both of them wish the service uid=john (for
> > > example, it is common issue for MTA serving different mail domains with
> > > different user space for each one)
> >
> > The first question to ask is how the application is going to tell the
> > difference between the two users when someone tries to login as 'john'.
> >
> > If the users are john@a.b.com and john@x.y.org then why not use the
> > full mail address as the uid?
>
> yes, it is what I was thought about too and I like the idea, though
> I wanted to check how correct/right is this way
>
> > > so what is needed to provide uniqueness of attribute `uid' for each
> > > dn: authorizedService=target-service,uid=target-user,ou=People,dc=org
>
> perhaps I need to define more accurately what I mean:
>
> the uniqueness while *creating* the dn ... since for dn-s
>
> dn: authorizedService=target-service,uid=target-user1,ou=People,dc=org
> dn: authorizedService=target-service,uid=target-user2,ou=People,dc=org
> ...
> dn: authorizedService=target-service,uid=target-userN,ou=People,dc=org
>
> I want to prevent the possibility to create the same uid=john-whatever-format-it-is
>
> now I do can ldapadd these ldif-s successfully
> ---[ ldif ]------------------------------------------------------------
> dn: authorizedService=xmpp.org,uid=jdoe,ou=People,dc=org
> authorizedService: xmpp.org
> cn: john.doe@xmpp.org
> sn: xmpp.org
> description: John Doe XMPP account at xmpp.org
> uidNumber: 12345
> gidNumber: 23456
> homeDirectory: /nonexistent
> loginShell: /sbin/nologin
> objectClass: person
> objectClass: posixAccount
> objectClass: shadowAccount
> objectClass: authorizedServiceObject
> uid: john
>
> dn: authorizedService=xmpp.org,uid=jsmith,ou=People,dc=org
> authorizedService: xmpp.org
> cn: john.smith@xmpp.org
> sn: xmpp.org
> description: John Smith XMPP account at xmpp.org
> uidNumber: 12356
> gidNumber: 23456
> homeDirectory: /nonexistent
> loginShell: /sbin/nologin
> objectClass: person
> objectClass: posixAccount
> objectClass: shadowAccount
> objectClass: authorizedServiceObject
> uid: john
> ---[ ldif ]------------------------------------------------------------
>
> and
>
> ldapsearch ... "(&(uid=john)(authorizedService=xmpp.org))"
>
> outputs both of them, so I need the way I can know that uid: is not
> unique while creating the dn:
>
> so, what I need to prevent the possibility to create the second dn:,
> since it will contain the same uid value as the first one?
>
> > If each 'john' account exists in a distinct identifiable namespace then
> > you could either put the name of the namespace in the account entry or
> > you could use it as part of the LDAP hierachy. The application can
> > then formulate a search that finds the correct entry in one operation.
>
> I was thinking to use sn: attribute since it is login dedicated dn: and
> it is no need in it
>
> but all the same, my question remains oppened: how to not to create not
> unique uid for dn: authorizedService=target-service,uid= ?
>
> have I put in into UI for records management or it can be done on the
> server side (for example like indexes in SQL)