[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: separate login/password for several services?

On Thu, Aug 01, 2013 at 10:41:25AM +0300, Zeus Panchenko wrote:

> I need to set separate credentials for each service I provide
> (optionally) to my users

That seems perverse - most of us work hard to *reduce* the number of
different usernames and passwords that each person has to use!

> I think of something like this:
> dn: uid=target-user,ou=People,dc=ibs
> userPassword: ******
> ...
> authorizedService: xmpp
> authorizedService: smtp
> authorizedService: pop
> authorizedService: imap
> authorizedService: mail
> ...
> loginSMTP: mail-send-login
> passwSMTP: xxx
> loginPOP3: mail-get-login
> passwPOP3: yyy
> ...
> loginXMPP: login-xmpp
> passwXMPP: zzz

You would end up creating two new attributes for each service type,
and OpenLDAP would still not check the passwords for you in a useful way.

Better method: Create a sub-entry below the user entry for each service.
The service-specific entry can use the standard 'uid' and 'userPassword'
attributes, and you just need to make sure that each service includes the
authorizedService attribute when searching for the entry to authenticate.
Something like this:

dn: uid=target-user,ou=People,dc=ibs
uid: target-user

dn: authorizedService=smtp,uid=target-user,ou=People,dc=ibs
authorizedService: smtp
uid: mail-send-login
userPassword: ******

dn: authorizedService=pop3,uid=target-user,ou=People,dc=ibs
authorizedService: pop3
uid: mail-get-login
userPassword: ******

Your SMTP server would issue searches of the form:


Your POP3 server would issue searches of the form:


|                 From Andrew Findlay, Skills 1st Ltd                 |
| Consultant in large-scale systems, networks, and directory services |
|     http://www.skills-1st.co.uk/                +44 1628 782565     |