--On Tuesday, February 16, 2016 4:00 PM +0100 Marc Patermann
<hans.moser@ofd-z.niedersachsen.de> wrote:

> On 16.02.2016 at 14:56 Mary Kao wrote:
>> I have very simple requirements for "users" e.g. representative of user
>> accounts with userid and password.
>
> a "user" for "authentication" in LDAP is mostly an object you can bind
> to.
> The easiest way to bind to an LDAP server is "simple" bind, by which you
> send the DN of the object and the password.
> In this case the object has a password field - userpassword.
> So choose an objectclass with userpassword - i.e. inetorgperson - and
> create an object with this.

I generally dislike the fact people just tend to default to
inetOrgPerson.

That objectClass is to be used for a person, not
accounts, which is what it appears Mary is talking about. A person may
have multiple accounts (i.e., there is NOT a 1:1 mapping between a
person and an account). For example, at a previous job, where we
deployed with an understanding of the difference, I had a single person
account, and multiple account objects (my general account, my test
account, my root principal account (we used kerberos)), etc. There may
be a number of reasons why a given individual may have more than one
account. We used the seeAlso attribute to provide a pointer between
account(s) and the person.
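The person/account split described above, as an added LDIF example that is not from the thread. It assumes a `dc=example,dc=com` suffix, OpenLDAP's standard core and cosine schemas (for `simpleSecurityObject` and `account`), and constructed names; the password values are placeholders to be replaced with `slappasswd` output.

```ldif
# Added example, not from the original thread.
# One person entry (inetOrgPerson) and two separate account entries that
# hold the bindable userPassword; each account points back to the person
# via seeAlso, so "who owns this account" is answerable from the entry.

# The person: identity data only, no credentials.
dn: uid=mkao,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
uid: mkao
cn: Mary Kao
sn: Kao
mail: mkao@example.com

# Day-to-day account. 'account' (cosine) requires uid and allows seeAlso;
# 'simpleSecurityObject' (core) is auxiliary and supplies userPassword.
dn: uid=mkao,ou=Accounts,dc=example,dc=com
objectClass: account
objectClass: simpleSecurityObject
uid: mkao
seeAlso: uid=mkao,ou=People,dc=example,dc=com
description: general account
userPassword: {SSHA}REPLACE-WITH-slappasswd-OUTPUT

# A second, separately credentialed account for the same person, e.g. for
# testing, with its own password and lifecycle. Disabling it does not touch
# the person entry or the other account.
dn: uid=mkao-test,ou=Accounts,dc=example,dc=com
objectClass: account
objectClass: simpleSecurityObject
uid: mkao-test
seeAlso: uid=mkao,ou=People,dc=example,dc=com
description: test account
userPassword: {SSHA}REPLACE-WITH-slappasswd-OUTPUT
```

After `ldapadd`, a simple bind against one account can be checked with `ldapwhoami -x -D "uid=mkao-test,ou=Accounts,dc=example,dc=com" -W`, and all accounts owned by the person can be listed with a search on `(seeAlso=uid=mkao,ou=People,dc=example,dc=com)` under `ou=Accounts`.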