Re: Maintaining information about who owns what..

[Quanah Gibson-Mount <quanah@stanford.edu>]

--On Saturday, December 11, 2004 11:33 PM -0600 fuser9bb@hotpop.com wrote:

> I am using OpenLDAP 2.2.
>
> I have two types of entries in our directory: people and accounts. I want
> to
> be able to easily determine which accounts are owned by which people. (A
> people entry belongs to one actual person, while a person may own several
> accounts.) The current thinking is to use a local objectclass and
> attribute
> (localAccount). So we may have:
>
> dn: cn=123,...
> objectClass: inetOrgPerson
> objectClass: localPerson
> cn=123
> localAccount: uid=abc,...
> localAccount: uid=efg,...
>
> And our account:
>
> dn: uid=abc,...
> objectClass: inetOrgPerson
> objectClass: localAccount
> uid=abc
> localPerson: cn=123,...
>
> This way its easy to map back and forth between entries.
>
> I would think that locating which accounts belong to which people is a
> common occurance. It can be difficult to enforce a one person/one account
> rule in many organizations.
>
> Better suggestions?

OpenLDAP supports sets, which can allow you to do this type of thing.  Do 
people bind into the directory as one of their accounts?  If so, it might 
look something like:

access to dn.children="cn=people....."
 by set.exact="this/localAccount & user/dn" read

or if they bind to the people tree

access to dn.children="cn=account..."
 by set.exact="this/localPerson & user/dn" read

Those may be a bit incorrect, but hopefully you get the idea.

--Quanah

--
Quanah Gibson-Mount
Principal Software Developer
ITSS/Shared Services
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html