Just a crazy idea...
several attributes for user passwords (userPassword1, userPassword2, ...) in the user account and a proxy-mapping overlay (slapo-translucent? slapo-rwm?) that maps the attribute userPassword onto userPassword1 or userPassword2 depending on the service IP.
WBR
On 09.08.2013 17:17, Zeus Panchenko wrote:
Andrew Findlay andrew.findlay@skills-1st.co.uk wrote:
let's say I have two users named John and I need to give each one access to some service, but both of them want the service uid=john (for example, it is a common issue for an MTA serving different mail domains with a different user space for each one)
The first question to ask is how the application is going to tell the difference between the two users when someone tries to login as 'john'.
If the users are john@a.b.com and john@x.y.org then why not use the full mail address as the uid?
yes, that is what I thought about too, and I like the idea, though I wanted to check how correct/right this way is
so what is needed to provide uniqueness of the attribute `uid' for each dn: authorizedService=target-service,uid=target-user,ou=People,dc=org
perhaps I need to define more accurately what I mean:
the uniqueness while *creating* the dn ... since for dn-s
dn: authorizedService=target-service,uid=target-user1,ou=People,dc=org
dn: authorizedService=target-service,uid=target-user2,ou=People,dc=org
...
dn: authorizedService=target-service,uid=target-userN,ou=People,dc=org
I want to prevent the possibility to create the same uid=john-whatever-format-it-is
now I can ldapadd these ldif-s successfully
---[ ldif ]------------------------------------------------------------
dn: authorizedService=xmpp.org,uid=jdoe,ou=People,dc=org
authorizedService: xmpp.org
cn: john.doe@xmpp.org
sn: xmpp.org
description: John Doe XMPP account at xmpp.org
uidNumber: 12345
gidNumber: 23456
homeDirectory: /nonexistent
loginShell: /sbin/nologin
objectClass: person
objectClass: posixAccount
objectClass: shadowAccount
objectClass: authorizedServiceObject
uid: john

dn: authorizedService=xmpp.org,uid=jsmith,ou=People,dc=org
authorizedService: xmpp.org
cn: john.smith@xmpp.org
sn: xmpp.org
description: John Smith XMPP account at xmpp.org
uidNumber: 12356
gidNumber: 23456
homeDirectory: /nonexistent
loginShell: /sbin/nologin
objectClass: person
objectClass: posixAccount
objectClass: shadowAccount
objectClass: authorizedServiceObject
uid: john
---[ ldif ]------------------------------------------------------------
and
ldapsearch ... "(&(uid=john)(authorizedService=xmpp.org))"
outputs both of them, so I need a way to know that uid: is not unique while creating the dn:
so, what do I need to prevent the possibility of creating the second dn:, since it will contain the same uid value as the first one?
If each 'john' account exists in a distinct identifiable namespace then you could either put the name of the namespace in the account entry or you could use it as part of the LDAP hierarchy. The application can then formulate a search that finds the correct entry in one operation.
I was thinking of using the sn: attribute, since this is a login-dedicated dn: and there is no need for it there
but all the same, my question remains open: how to avoid creating a non-unique uid for dn: authorizedService=target-service,uid= ?
do I have to put it into the UI for records management, or can it be done on the server side (for example, like indexes in SQL)?
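The server-side answer to the last question is the slapo-unique overlay, which rejects an add or modify that would produce a second entry with the same attribute value inside a configured "uniqueness domain". The following cn=config LDIF is an added example and is not part of the thread above: it defines one domain per service, so uid: john may exist once under authorizedService=xmpp.org and once under a second service, but never twice for the same service. The second service name mail.org, the database entry olcDatabase={1}mdb and the suffix ou=People,dc=org are assumptions taken from, or added to, the entries posted above; adjust them to the real configuration.

```ldif
# Added example (not from the original thread): per-service uid uniqueness
# with slapo-unique. Assumes the unique module is loaded (olcModuleLoad:
# unique) and that dc=org lives in olcDatabase={1}mdb; mail.org is a
# hypothetical second service used only to show the second domain.
dn: olcOverlay=unique,olcDatabase={1}mdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcUniqueConfig
olcOverlay: unique
# Each olcUniqueURI value is an independent domain:
#   ldap:///<base>?<attributes>?<scope>?<filter>
# The filter limits the domain to entries of one service, so the check for
# uid=john with authorizedService=xmpp.org only searches
# (&(authorizedService=xmpp.org)(uid=john)) under ou=People,dc=org.
olcUniqueURI: ldap:///ou=People,dc=org?uid?sub?(authorizedService=xmpp.org)
olcUniqueURI: ldap:///ou=People,dc=org?uid?sub?(authorizedService=mail.org)
```

Load it with ldapadd against cn=config (the slapd.conf equivalent is `overlay unique` followed by one `unique_uri` line per domain). Once the overlay is active, the second ldapadd from the posted LDIF (uid: john for jsmith under xmpp.org) is refused with "Constraint violation (19)" instead of succeeding. Two caveats a practitioner should check: the overlay is not retroactive, so duplicates that already exist (such as the two entries above) have to be cleaned up by hand, and it only sees operations that go through slapd, so entries loaded offline with slapadd bypass it. Because the filter is part of each domain, the exact behaviour of an entry that matches no filter is worth verifying on the installed version with a test add before relying on it. If the full mail address is used as the uid, as suggested earlier in the thread, a single domain `ldap:///ou=People,dc=org?uid?sub` without a filter is enough.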