On Fri, Aug 09, 2013 at 05:53:57PM +0300, Zeus Panchenko wrote:
> To: Andrew Findlay andrew.findlay@skills-1st.co.uk
Please keep replies on the list so that they become searchable and everyone can benefit.
> here is the diagram depicting what I am thinking about while talking :)
> https://www.dropbox.com/s/212kdpbiug9obkc/org-ldap-diagram-plane.png
> I dedicate these DN-s for services, so each such DN *can and is supposed to* use any (in theory) uid in the entry the user can ask for.
Do you really want every user account on every service to have a different username? (i.e. the user cannot request to be known as 'fred' on both the SMTP service and the IMAP service?)
> in particular, I do not see another way to authenticate users of different domains (for email) / realms (for xmpp) against the same LDAP DB
That depends on how you provide the services. If the network address of the services used by domain-A users is different from that used by domain-B users then the server processes will know which domain they are serving. If the same network address is used to serve all domains then you do indeed require the uids to be unique across domains (but you probably do want to let fred@x.y.com use that ID for all services).
It may be enough for you to simply prevent the non-uniqueness. You can do that using the 'unique' overlay:
> mmm ... will it not prevent non-uniqueness only for parent DN-s? While what I'm trying to ask about (I'm sorry for the muddled-up explanation of what I mean) is the uniqueness of the uid *in* the entry ... so, the uniqueness of the attribute `uid' among all DN-s containing authorizedService=target-service
You could do that if you are prepared to have one config line for each service. Something like:
overlay unique
# one uniqueness domain per service: uid must be unique among the entries matching each filter
unique_uri ldap:///ou=People,dc=org?uid?sub?(authorizedService=SMTP)
unique_uri ldap:///ou=People,dc=org?uid?sub?(authorizedService=IMAP)
unique_uri ldap:///ou=People,dc=org?uid?sub?(authorizedService=POP3)
unique_uri ldap:///ou=People,dc=org?uid?sub?(authorizedService=XMPP)
unique_uri ldap:///ou=People,dc=org?uid?sub?(authorizedService=SSH)
Andrew
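As an added example that is not part of the thread: slapo-unique only rejects new writes that would violate a unique_uri domain, so duplicates already in the directory should be found before the per-service configuration above is enabled. This stdlib-only Python script parses an LDIF export and reports every uid claimed by more than one entry for the same authorizedService, which is exactly what each unique_uri domain enforces; the LDIF is constructed sample data and the DN layout under ou=People,dc=org is an assumption.

```python
# Added example, not code from the thread: slapo-unique only rejects new
# writes, so duplicates already in the directory must be found beforehand.
# SAMPLE_LDIF is constructed data; the DN layout is an assumption.
from collections import defaultdict

SERVICES = {"SMTP", "IMAP", "POP3", "XMPP", "SSH"}  # the unique_uri domains

SAMPLE_LDIF = """\
dn: cn=mail,uid=fred,ou=People,dc=org
uid: fred
authorizedService: SMTP
authorizedService: IMAP

dn: cn=mail,uid=freddy,ou=People,dc=org
uid: freddy
uid: Fred
authorizedService: IMAP

dn: cn=shell,uid=fred,ou=People,dc=org
uid: fred
authorizedService: SSH
"""

def parse_ldif(text):
    """Minimal LDIF reader -> [(dn, {attr: [values]})]; unfolds continuation
    lines, no base64 (::) support."""
    entries = []
    for record in text.strip().split("\n\n"):
        dn, attrs = None, defaultdict(list)
        for line in record.replace("\n ", "").splitlines():
            name, _, value = line.partition(":")
            name, value = name.strip().lower(), value.strip()
            if name == "dn":
                dn = value
            elif name and not name.startswith("#"):
                attrs[name].append(value)
        if dn:
            entries.append((dn, dict(attrs)))
    return entries

def uid_collisions(entries, services=SERVICES):
    """{(service, uid): [dns]} where one uid is claimed by several entries for
    the same service. uid has caseIgnoreMatch, so compare case-insensitively."""
    owners = defaultdict(set)
    for dn, attrs in entries:
        for svc in attrs.get("authorizedservice", []):
            if svc.upper() in services:
                for uid in attrs.get("uid", []):
                    owners[(svc.upper(), uid.lower())].add(dn)
    return {k: sorted(v) for k, v in owners.items() if len(v) > 1}
```

Run `uid_collisions(parse_ldif(open("people.ldif").read()))` against a real slapcat export; on the sample it reports only the IMAP entries that both claim 'fred', since the SSH entry's 'fred' belongs to a different uniqueness domain.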