[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: separate login/password for several services?

Andrew Findlay <andrew.findlay@skills-1st.co.uk> wrote:
> > now I do can ldapadd these ldif-s successfully
> > ---[ ldif ]------------------------------------------------------------
> > dn: authorizedService=xmpp.org,uid=jdoe,ou=People,dc=org
> > authorizedService: xmpp.org
> > ...
> > uid: john
> > 
> > dn: authorizedService=xmpp.org,uid=jsmith,ou=People,dc=org
> > authorizedService: xmpp.org
> > ...
> > uid: john
> > ---[ ldif ]------------------------------------------------------------
> Both those entries have one uid in the entry and a different one in
> the DN. The one in the DN refers to the parent entry in each case so
> it is legal but maybe not what you want.

no, it is, indeed 

I dedicate these DN-s for services, so each such DN *can and supposed to*
use any (in theory) uid in the entry, the user can ask for

in particular, I do not see another way to authenticate users of
different domains(for email)/realms(for xmpp) against the same LDAP DB

> It may be enough for you to simply prevent the non-uniqueness. You can
> do that using the 'unique' overlay:

mmm ... will not it prevent non-uniqueness only for parent DN-s? while
what I'm trying to ask (I'm sorry for muddled up explanation what I mean)
about is - uniqueness for the uid *in* the entry ... so, the uniqueness
of the attribute `uid' among all DN-s containing authorizedService=target-service

something like:

dn: authorizedService=target-service,uid=target-service_ALLOWED-USER,ou=People,dc=org

Zeus V. Panchenko				jid:zeus@im.ibs.dn.ua
IT Dpt., I.B.S. LLC					  GMT+2 (EET)