Andrew Findlay <andrew.findlay@skills-1st.co.uk> wrote:
lets say I have two users with name John and I need to give each one
acces to some service, but both of them wish the service uid=john (for
example, it is common issue for MTA serving different mail domains with
different user space for each one)
The first question to ask is how the application is going to tell the
difference between the two users when someone tries to login as 'john'.
If the users are john@a.b.com and john@x.y.org then why not use the
full mail address as the uid?
yes, it is what I was thought about too and I like the idea, though
I wanted to check how correct/right is this way
so what is needed to provide uniqueness of attribute `uid' for each
dn: authorizedService=target-service,uid=target-user,ou=People,dc=org
perhaps I need to define more accurately what I mean:
the uniqueness while *creating* the dn ... since for dn-s
dn: authorizedService=target-service,uid=target-user1,ou=People,dc=org
dn: authorizedService=target-service,uid=target-user2,ou=People,dc=org
...
dn: authorizedService=target-service,uid=target-userN,ou=People,dc=org
I want to prevent the possibility to create the same uid=john-whatever-format-it-is
now I do can ldapadd these ldif-s successfully
---[ ldif ]------------------------------------------------------------
dn: authorizedService=xmpp.org,uid=jdoe,ou=People,dc=org
authorizedService: xmpp.org
cn: john.doe@xmpp.org
sn: xmpp.org
description: John Doe XMPP account at xmpp.org
uidNumber: 12345
gidNumber: 23456
homeDirectory: /nonexistent
loginShell: /sbin/nologin
objectClass: person
objectClass: posixAccount
objectClass: shadowAccount
objectClass: authorizedServiceObject
uid: john
dn: authorizedService=xmpp.org,uid=jsmith,ou=People,dc=org
authorizedService: xmpp.org
cn: john.smith@xmpp.org
sn: xmpp.org
description: John Smith XMPP account at xmpp.org
uidNumber: 12356
gidNumber: 23456
homeDirectory: /nonexistent
loginShell: /sbin/nologin
objectClass: person
objectClass: posixAccount
objectClass: shadowAccount
objectClass: authorizedServiceObject
uid: john
---[ ldif ]------------------------------------------------------------
and
ldapsearch ... "(&(uid=john)(authorizedService=xmpp.org))"
outputs both of them, so I need the way I can know that uid: is not
unique while creating the dn:
so, what I need to prevent the possibility to create the second dn:,
since it will contain the same uid value as the first one?
If each 'john' account exists in a distinct identifiable namespace then
you could either put the name of the namespace in the account entry or
you could use it as part of the LDAP hierachy. The application can
then formulate a search that finds the correct entry in one operation.
I was thinking to use sn: attribute since it is login dedicated dn: and
it is no need in it
but all the same, my question remains oppened: how to not to create not
unique uid for dn: authorizedService=target-service,uid= ?
have I put in into UI for records management or it can be done on the
server side (for example like indexes in SQL)