
List:       ldap
Subject:    [ldap] Supporting N accounts for 1 person
From:       "Dustin Puryear" <dustin@puryear-it.com>
Date:       2006-01-18 21:04:36
Message-ID: 016901c61c73$368ec1e0$6702a8c0@wec.wnet

We have an existing network where a single person may have several accounts.
This will not go away for quite some time, so I have to support what we have
now, rather than forcing the entire company to move to 1 user 1 account.

I am wondering how to best support this using LDAP.

Right now we have the following structure in place:

ou=People,root
ou=Accounts,root

Each human being goes into ou=People,root. For each account that the person
owns we create the account under ou=Accounts,root with a seeAlso between the
account and the person entry. So a single person may actually own these
entries:

companyUniqueID=bob,ou=People,root
 * seeAlso: uid=abc,ou=Accounts,root
 * seeAlso: uid=efg,ou=Accounts,root
 * companyUniqueID: bob
 * userPassword: 123

uid=abc,ou=Accounts,root
 * seeAlso: companyUniqueID=bob,ou=People,root
 * uid: abc
 * userPassword: 456

uid=efg,ou=Accounts,root
 * seeAlso: companyUniqueID=bob,ou=People,root
 * uid: efg
 * userPassword: 789

This is all maintained by a provisioning system, so it's not a hassle for us
really, but still. It's kind of messy.

Ideas on improving this solution?

What I'd like to see is a single entry owned by a user like so:

companyUniqueID=bob,ou=People,root
 * seeAlso: uid=abc,ou=Accounts,root
 * seeAlso: uid=efg,ou=Accounts,root
 * companyUniqueID: bob
 * userPassword: 123

uid=abc,ou=Accounts,root
 * objectClass: alias
 * aliasedObjectName: companyUniqueID=bob,ou=People,root

uid=efg,ou=Accounts,root
 * objectClass: alias
 * aliasedObjectName: companyUniqueID=bob,ou=People,root

For this to work we need two things:

1. Each app has to know to deref any aliases. I've noticed a lot of apps
don't do this by default. Thoughts?

2. Our directory, CA DXserver, uses the aliased entry's password for auth
(in this case, userPassword: 123). Any ideas on how to support multiple
passwords this way? If anyone uses CA DXserver, do you have any ideas
specific to that product? Perhaps, by overriding the default behaviour if an
alias entry has its own userPasswd defined.

Just putting this out there for any ideas.

Thanks!

---
Puryear Information Technology, LLC
Baton Rouge, LA * 225-706-8414
http://www.puryear-it.com

Author of "Best Practices for Managing Linux and UNIX Servers"
Download your free copy:
http://www.puryear-it.com/bestpractices.htm
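The two layouts discussed above, worked through in a small in-memory model so the difference is visible without a running server. This is an added example, not code from the post, from CA DXserver, or from any other directory product. Assumptions: the suffix dc=example,dc=com stands in for the post's "root"; the objectClass values on the entries are illustrative; passwords are kept in the clear only because the post uses illustrative plaintext values (a real directory stores userPassword hashed); and the prefer_alias_password switch is a hypothetical implementation of the override the post asks about, not a feature of any shipping server. What it shows is point (1), that a client reading uid=efg sees a different entry depending on whether it dereferences aliases, and point (2), that a server which authenticates an alias as its target ends up checking the person's password, not a per-account one.

```python
"""Toy model of seeAlso-linked account entries versus alias entries, and of how
a simple bind behaves with and without alias dereferencing.

Added example, not from the original post and not CA DXserver code.
DNs, objectClass values and the prefer_alias_password switch are assumptions.
"""
import hmac

ROOT = "dc=example,dc=com"  # assumption: stands in for the post's "root"

# Constructed in-memory directory: DN -> attributes (every attribute multi-valued).
DIRECTORY = {
    f"companyUniqueID=bob,ou=People,{ROOT}": {
        "objectClass": ["top", "person"],  # assumed objectClass
        "companyUniqueID": ["bob"],
        "userPassword": ["123"],  # plaintext only because the post uses plaintext
        "seeAlso": [f"uid=abc,ou=Accounts,{ROOT}", f"uid=efg,ou=Accounts,{ROOT}"],
    },
    # Current layout: a full account entry with its own password, linked by seeAlso.
    f"uid=abc,ou=Accounts,{ROOT}": {
        "objectClass": ["top", "account"],
        "uid": ["abc"],
        "userPassword": ["456"],
        "seeAlso": [f"companyUniqueID=bob,ou=People,{ROOT}"],
    },
    # Proposed layout: an LDAP alias entry (objectClass alias, aliasedObjectName)
    # that points at the person entry and carries no password of its own.
    f"uid=efg,ou=Accounts,{ROOT}": {
        "objectClass": ["top", "alias", "extensibleObject"],
        "uid": ["efg"],
        "aliasedObjectName": [f"companyUniqueID=bob,ou=People,{ROOT}"],
    },
}


class AliasLoop(Exception):
    """Raised when aliasedObjectName chains back on itself."""


def dereference(dn, directory=DIRECTORY, max_hops=8):
    """Follow aliasedObjectName until a non-alias entry is reached (derefAliases=always).

    Returns the target DN, or None for an unknown DN or a dangling alias.
    """
    seen = []
    while True:
        entry = directory.get(dn)
        if entry is None:
            return None
        if "alias" not in entry["objectClass"]:
            return dn
        if dn in seen or len(seen) >= max_hops:
            raise AliasLoop(dn)
        seen.append(dn)
        dn = entry["aliasedObjectName"][0]


def lookup(dn, directory=DIRECTORY, deref_aliases=True):
    """What a client sees when it reads `dn`: the alias entry itself
    (derefAliases=never) or the entry the alias points at (derefAliases=always)."""
    if deref_aliases:
        dn = dereference(dn, directory)
    return directory.get(dn)


def bind(dn, password, directory=DIRECTORY, deref_aliases=True,
         prefer_alias_password=False):
    """Simple bind against the toy directory.

    deref_aliases=True models a server that authenticates an alias as its target,
    the behaviour the post reports. prefer_alias_password=True is the hypothetical
    override the post asks about: if the alias entry carries its own userPassword,
    check that instead of dereferencing. Password comparison is constant-time.
    """
    entry = directory.get(dn)
    if entry is None:
        return False
    if "alias" in entry["objectClass"] and deref_aliases:
        if not (prefer_alias_password and entry.get("userPassword")):
            target = dereference(dn, directory)
            entry = directory.get(target) if target else None
            if entry is None:
                return False
    stored = entry.get("userPassword", [])
    return any(hmac.compare_digest(p, password) for p in stored)


def accounts_of(person_dn, directory=DIRECTORY):
    """All account DNs owned by a person: the explicit seeAlso links of the current
    layout, plus any alias entries that point at the person."""
    person = directory.get(person_dn, {})
    linked = set(person.get("seeAlso", []))
    aliased = {dn for dn, e in directory.items()
               if "alias" in e["objectClass"]
               and e["aliasedObjectName"][0] == person_dn}
    return sorted(linked | aliased)


if __name__ == "__main__":
    efg = f"uid=efg,ou=Accounts,{ROOT}"
    print("read efg, no deref :", lookup(efg, deref_aliases=False)["objectClass"])
    print("read efg, deref    :", lookup(efg)["companyUniqueID"])
    print("bind efg with 123  :", bind(efg, "123"))
```

Running it shows the two points from the post side by side: reading uid=efg without dereferencing returns an alias entry that has neither the person's attributes nor a password, so a client that does not set derefAliases sees nothing useful; binding as uid=efg with dereferencing on succeeds with the person's password, which is exactly the single-password limitation described under point (2). The override behaviour is modeled only to make the requested semantics concrete; whether a given server can be configured that way is a separate question.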
