[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Unique user accounts

To: openldap-software@OpenLDAP.org
Subject: Re: Unique user accounts
From: Markus Schaber <schaber@scan-plus.de>
Date: Mon, 29 Sep 2003 11:11:36 +0200
In-reply-to: <200309271908.17055.peter@adpm.de>
Organization: Scan-Plus GMBH, Ulm
References: <20030922101451.3b7af1c4.schaber@scan-plus.de> <20030924184345.3ac321ec.schaber@scan-plus.de> <200309271908.17055.peter@adpm.de>

Hi, Peter,

On Sat, 27 Sep 2003 19:08:17 +0200
Peter Marschall <peter@adpm.de> wrote:

> > > Our scenario:
> > > Our customers get unique, but ugly identifiers which are created
> > > by a mechanism not under our control.
> > Those identifiers are, as I wrote, unique, and thus serve well as an
> > internal ID tag. So I don't need an "atomic incremental" scheme for
> > creating unique ids in a near-sequential way.
> > > Now we want to enable them to create alias names via web
> > > interface. As this alias names are to be used for creation of web
> > > urls and email adresses, they must be unique.
> > > Now, how can I ensure in a bullet-proof way that an alias name is
> > > unique?
> Don't test and write, but write and test the result.
> If the write is successful, then use this value.
> If the write fails with the error message that such an entry is
> already there(LDAP_ALREADY_EXISTS) then let the user try another
> alias.
> The LDAP server has to make sure that no two objects with the same
> name get entered into the same container in the directory.

Yes, but this only works when the alias is part of the dn which is not
the case in our scenario. The ugly, machine generated uid we get by our
partners and we don't have much influence on is already unique and part
of the dn.

Additionally, as you write, all objects have to exist in the same
container, whereas our account objects are structured in a 5-level deep
tree.

The alias is a convenience tribute to our customers so they can
identify themselves in the preferences page using their nick. So using
your method would require to have one container object where we create a
sub object for every alias. And it is not waterproof as well as an app
theoretically might crash between working on this alias object and
committing the corresponding changes to the real account object, thus
leaving inconsistencies.

Maybe we have to go this way in the future, but in the moment we try to
live with the external lock, to avoid such object duplication.

Thanks for your ideas,
Markus
-- 
-----------------------------------------------------------------------
|  ScanPlus GmbH NOC Ulm                       Tel +49 731 92013 106  |
|  Koenigstr. 78 * D 89077 Ulm                 Fax +49 731 92013 290  |
|  http://www.scan-plus.de/                 Amtsgericht Ulm HRB 3220  |
|  mailto:info@scan-plus.de           Geschaeftsf.: Juergen Hoermann  |
-----------------------------------------------------------------------
Diese  E-Mail  koennte  vertrauliche  und/oder  rechtlich   geschuetzte
Informationen enthalten. Wenn Sie nicht der richtige Adressat sind oder
diese E-Mail irrtuemlich erhalten haben, informieren Sie  bitte  sofort
den Absender und vernichten Sie diese  Mail.  Das  unerlaubte  Kopieren
sowie die unbefugte Weitergabe dieser Mail ist nicht gestattet. 
-----------------------------------------------------------------------
This e-mail may contain  confidential  and/or  privileged  information.
If you are not the intended recipient (or  have  received  this  e-mail
in error) please notify the sender immediately and destroy this e-mail.
Any unauthorised copying, disclosure or distribution  of  the  material
in this e-mail is strictly forbidden.
-----------------------------------------------------------------------

References:
- Generating unique object ids
  - From: Markus Schaber <schaber@scan-plus.de>
- Unique user accounts
  - From: Markus Schaber <schaber@scan-plus.de>
- Re: Unique user accounts
  - From: Peter Marschall <peter@adpm.de>

Prev by Date: Re: Linux LDAP authentication
Next by Date: Re: Unique user accounts
Index(es):
- Chronological
- Thread