On Thu, Aug 01, 2013 at 10:41:25AM +0300, Zeus Panchenko wrote:
> I need to set separate credentials for each service I provide (optionally) to my users
That seems perverse - most of us work hard to *reduce* the number of different usernames and passwords that each person has to use!
> I think of something like this:
>
> dn: uid=target-user,ou=People,dc=ibs
> userPassword: ******
> ...
> authorizedService: xmpp
> authorizedService: smtp
> authorizedService: pop
> authorizedService: imap
> authorizedService: mail
> ...
> loginSMTP: mail-send-login
> passwSMTP: xxx
> loginPOP3: mail-get-login
> passwPOP3: yyy
> ...
> loginXMPP: login-xmpp
> passwXMPP: zzz
You would end up creating two new attributes for each service type, and OpenLDAP would still not check the passwords for you in a useful way.
Better method: Create a sub-entry below the user entry for each service. The service-specific entry can use the standard 'uid' and 'userPassword' attributes, and you just need to make sure that each service includes the authorizedService attribute when searching for the entry to authenticate. Something like this:
dn: uid=target-user,ou=People,dc=ibs
uid: target-user
cn:
sn:

dn: authorizedService=smtp,uid=target-user,ou=People,dc=ibs
authorizedService: smtp
uid: mail-send-login
userPassword: ******

dn: authorizedService=pop3,uid=target-user,ou=People,dc=ibs
authorizedService: pop3
uid: mail-get-login
userPassword: ******
Your SMTP server would issue searches of the form:
(&(uid=USERNAME)(authorizedService=smtp))
Your POP3 server would issue searches of the form:
(&(uid=USERNAME)(authorizedService=pop3))
Andrew
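An added example (not code from the thread or from OpenLDAP) of the layout Andrew describes: it generates the per-service sub-entries as LDIF, builds the `(&(uid=USERNAME)(authorizedService=...))` filter with RFC 4515 escaping of the client-supplied login, and applies the same AND filter to in-memory entries to show that a login only resolves under its own service. The DN suffix `ou=People,dc=ibs` and the attribute names come from the thread; login and password values are constructed placeholders.

```python
# Added example, not code from the thread: per-service sub-entries and the
# search filter each service issues. Login and password values are constructed.

# RFC 4515 section 3: escape these inside a filter assertion value, so a
# client-supplied login cannot turn (uid=USERNAME) into a different filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29",
                   "\x00": r"\00"}


def filter_escape(value: str) -> str:
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def service_filter(login: str, service: str) -> str:
    """Filter a service issues, e.g. (&(uid=USERNAME)(authorizedService=smtp))."""
    return "(&(uid=%s)(authorizedService=%s))" % (
        filter_escape(login), filter_escape(service))


def service_entry(user: str, service: str, login: str, password: str) -> dict:
    """Sub-entry below uid=<user>,ou=People,dc=ibs as attribute -> values.
    user and service are administrator-chosen names, not client input."""
    return {
        "dn": ["authorizedService=%s,uid=%s,ou=People,dc=ibs" % (service, user)],
        "authorizedService": [service],
        "uid": [login],
        "userPassword": [password],
    }


def to_ldif(entry: dict) -> str:
    """Render an entry as LDIF, dn first and one attribute value per line."""
    lines = ["dn: " + entry["dn"][0]]
    lines += ["%s: %s" % (a, v) for a, vs in entry.items() if a != "dn" for v in vs]
    return "\n".join(lines) + "\n"


def find_service_entry(entries, login: str, service: str) -> list:
    """Apply the same AND filter to in-memory entries: a login resolves only
    under the service whose sub-entry carries it."""
    return [e for e in entries
            if login in e.get("uid", []) and service in e.get("authorizedService", [])]


# Constructed directory content for uid=target-user; the password values are
# placeholders standing in for hashed values (e.g. an {SSHA} hash).
DIRECTORY = [
    service_entry("target-user", "smtp", "mail-send-login", "{SSHA}placeholder1"),
    service_entry("target-user", "pop3", "mail-get-login", "{SSHA}placeholder2"),
]
```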