Andrew Findlay andrew.findlay@skills-1st.co.uk wrote:
... You would end up creating two new attributes for each service type, and OpenLDAP would still not check the passwords for you in a useful way.
Better method: Create a sub-entry below the user entry for each service. The service-specific entry can use the standard 'uid' and 'userPassword' attributes, and you just need to make sure that each service includes the authorizedService attribute when searching for the entry to authenticate. ...
Is there a way to avoid target service uid clashes in this case?
Let's say I have two users named John and I need to give each one access to some service, but both of them want the service uid=john (for example, this is a common issue for an MTA serving different mail domains with a different user space for each one).
So what is needed to provide uniqueness of the attribute `uid' for each
dn: authorizedService=target-service,uid=target-user,ou=People,dc=org
Is it possible to do that inside OpenLDAP, or does it have to be performed via something like analyzing the output of
ldapsearch ... "(&(uid=target-user)(authorizedService=target-service))" dn