On Fri, Aug 09, 2013 at 01:20:55PM +0300, Zeus Panchenko wrote:
> is there way to avoid target service uid clashing in this case?
> let's say I have two users with name John and I need to give each one access to some service, but both of them wish the service uid=john (for example, it is common issue for MTA serving different mail domains with different user space for each one)
The first question to ask is how the application is going to tell the difference between the two users when someone tries to login as 'john'.
If the users are john@a.b.com and john@x.y.org then why not use the full mail address as the uid?
> so what is needed to provide uniqueness of attribute `uid' for each
> dn: authorizedService=target-service,uid=target-user,ou=People,dc=org
If each 'john' account exists in a distinct identifiable namespace then you could either put the name of the namespace in the account entry or you could use it as part of the LDAP hierarchy. The application can then formulate a search that finds the correct entry in one operation.
Namespace in account:
Search base: ou=People,dc=org
Search filter: "(&(uid=target-user)(namespace=x.y.com)(authorizedService=target-service))"
Namespace in hierarchy:
Search base: ou=People,namespace=x.y.com,dc=org
Search filter: "(&(uid=target-user)(authorizedService=target-service))"
[ 'namespace' is used as an example here. There is no such attribute type in the standard schema ]
Andrew