
Re: separate login/password for several services?



Andrew Findlay <andrew.findlay@skills-1st.co.uk> wrote:
> > let's say I have two users with name John and I need to give each one
> > access to some service, but both of them wish the service uid=john (for
> > example, it is a common issue for an MTA serving different mail domains with
> > different user space for each one)
> 
> The first question to ask is how the application is going to tell the
> difference between the two users when someone tries to log in as 'john'.
> 
> If the users are john@a.b.com and john@x.y.org then why not use the
> full mail address as the uid?
> 

yes, that is what I was thinking about too, and I like the idea, though
I wanted to check how correct/right this way is

> > so what is needed to provide uniqueness of the attribute `uid' for each
> > dn: authorizedService=target-service,uid=target-user,ou=People,dc=org

perhaps I need to define more accurately what I mean:

the uniqueness while *creating* the dn ... since for dn-s

dn: authorizedService=target-service,uid=target-user1,ou=People,dc=org
dn: authorizedService=target-service,uid=target-user2,ou=People,dc=org
...
dn: authorizedService=target-service,uid=target-userN,ou=People,dc=org

I want to prevent the possibility of creating the same uid=john-whatever-format-it-is

right now I can ldapadd these LDIFs successfully
---[ ldif ]------------------------------------------------------------
dn: authorizedService=xmpp.org,uid=jdoe,ou=People,dc=org
authorizedService: xmpp.org
cn: john.doe@xmpp.org
sn: xmpp.org
description: John Doe XMPP account at xmpp.org
uidNumber: 12345
gidNumber: 23456
homeDirectory: /nonexistent
loginShell: /sbin/nologin
objectClass: person
objectClass: posixAccount
objectClass: shadowAccount
objectClass: authorizedServiceObject
uid: john

dn: authorizedService=xmpp.org,uid=jsmith,ou=People,dc=org
authorizedService: xmpp.org
cn: john.smith@xmpp.org
sn: xmpp.org
description: John Smith XMPP account at xmpp.org
uidNumber: 12356
gidNumber: 23456
homeDirectory: /nonexistent
loginShell: /sbin/nologin
objectClass: person
objectClass: posixAccount
objectClass: shadowAccount
objectClass: authorizedServiceObject
uid: john
---[ ldif ]------------------------------------------------------------

and 

ldapsearch ... "(&(uid=john)(authorizedService=xmpp.org))"

outputs both of them, so I need a way to know that uid: is not
unique while creating the dn:

so, what do I need to prevent the possibility of creating the second dn:,
since it will contain the same uid value as the first one?

> If each 'john' account exists in a distinct identifiable namespace then
> you could either put the name of the namespace in the account entry or
> you could use it as part of the LDAP hierarchy. The application can
> then formulate a search that finds the correct entry in one operation.

I was thinking of using the sn: attribute, since it is a login-dedicated dn: and
there is no need for it

but all the same, my question remains open: how not to create a non-unique
uid for dn: authorizedService=target-service,uid= ?

do I have to put it into the UI for records management, or can it be done on the
server side (for example, like indexes in SQL)?

-- 
Zeus V. Panchenko				jid:zeus@im.ibs.dn.ua
IT Dpt., I.B.S. LLC					  GMT+2 (EET)
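One server-side way to get the SQL-index-like check asked about at the end of the post is OpenLDAP's unique overlay (slapo-unique), which rejects an add or modify whose uid value already exists elsewhere in the configured subtree. The slapd.conf fragment below is an added example, not configuration from this thread; the database type, suffix, module file name and index line are assumptions.

```conf
# slapd.conf fragment (added example, not from the thread).
# Assumed: slapd is built with the unique overlay as a dynamic module named
# unique.la, and the database holding ou=People,dc=org is the one the
# overlay is stacked on (mdb with suffix dc=org is assumed here).
moduleload  unique.la

database    mdb
suffix      "dc=org"
# ... rootdn, directory and the other usual database settings ...

# The overlay answers its check with an internal search on uid, so an
# equality index on uid keeps that search cheap (assumed index line).
index       uid eq

overlay     unique
# Every add or modify of an entry under ou=People,dc=org that carries a
# uid value is compared against all other entries in that subtree.  If
# the value already exists, the operation fails with
# constraintViolation (result code 19) and the entry is not written.
# Because the check spans the whole subtree, the two entries from the
# post (uid: john under uid=jdoe and again under uid=jsmith) can no
# longer coexist, while distinct values such as john@xmpp.org and
# john@mail.example.org (the full-address uid suggested above) can.
unique_uri  ldap:///ou=People,dc=org?uid?sub
```

The constraint is enforced by slapd itself, so it holds no matter whether entries arrive through a management UI or a hand-written LDIF, and the ldapadd of the second entry from the post simply fails instead of creating a duplicate.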