List: ldap
Subject: [ldap] Supporting N accounts for 1 person
From: "Dustin Puryear" <dustin () puryear-it ! com>
Date: 2006-01-18 21:04:36
Message-ID: 016901c61c73$368ec1e0$6702a8c0 () wec ! wnet
We have an existing network where a single person may have several accounts.
This will not go away for quite some time, so I have to support what we have
now, rather than forcing the entire company to move to 1 user 1 account.
I am wondering how to best support this using LDAP.
Right now we have the following structure in place:
ou=People,root
ou=Accounts,root
Each human being goes into ou=People,root. For each account that the person
owns we create the account under ou=Accounts,root with a seeAlso between the
account and the person entry. So a single person may actually own these
entries:
companyUniqueID=bob,ou=People,root
* seeAlso: uid=abc,ou=Accounts,root
* seeAlso: uid=efg,ou=Accounts,root
* companyUniqueID: bob
* userPasswd: 123
uid=abc,ou=Accounts,root
* seeAlso: companyUniqueID=bob,ou=People,root
* uid: abc
* userPasswd: 456
uid=efg,ou=Accounts,root
* seeAlso: companyUniqueID=bob,ou=People,root
* uid: efg
* userPasswd: 789
This is all maintained by a provisioning system, so it's not a hassle for us
really, but still. It's kind of messy.
Ideas on improving this solution?
What I'd like to see is a single entry owned by a user like so:
companyUniqueID=bob,ou=People,root
* seeAlso: uid=abc,ou=Accounts,root
* seeAlso: uid=efg,ou=Accounts,root
* companyUniqueID: bob
* userPasswd: 123
uid=abc,ou=Accounts,root
* Alias: companyUniqueID=bob,ou=People,root
uid=efg,ou=Accounts,root
* Alias: companyUniqueID=bob,ou=People,root
For this to work we need two things:
1. Each app has to know to deref any aliases. I've noticed a lot of apps
don't do this by default. Thoughts?
2. Our directory, CA DXserver, uses the aliased entry's password for auth
(in this case, userPasswd: 123). Any ideas on how to support multiple
passwords this way? If anyone uses CA DXserver, do you have any ideas
specific to that product? Perhaps by overriding the default behaviour if an
alias entry has its own userPasswd defined.
Just putting this out there for any ideas.
Thanks!
---
Puryear Information Technology, LLC
Baton Rouge, LA * 225-706-8414
http://www.puryear-it.com
Author of "Best Practices for Managing Linux and UNIX Servers"
Download your free copy:
http://www.puryear-it.com/bestpractices.htm
---
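The person/account linkage described in the post, as an added Python example that is not part of the original message: it parses a small constructed LDIF snapshot (the poster's entries plus one orphan account and one dangling reference, passwords omitted) and checks that every account under ou=Accounts,root is linked to an owner under ou=People,root and that the seeAlso links agree in both directions, the reconciliation a provisioning system should run so ownerless accounts get noticed.

```python
from collections import defaultdict

# Constructed sample modelled on the post's entries, plus one orphan account
# and one dangling seeAlso so the check has something to report. Passwords omitted.
SAMPLE_LDIF = """\
dn: companyUniqueID=bob,ou=People,root
companyUniqueID: bob
seeAlso: uid=abc,ou=Accounts,root
seeAlso: uid=efg,ou=Accounts,root
seeAlso: uid=gone,ou=Accounts,root
dn: uid=abc,ou=Accounts,root
uid: abc
seeAlso: companyUniqueID=bob,ou=People,root
dn: uid=efg,ou=Accounts,root
uid: efg
seeAlso: companyUniqueID=bob,ou=People,root
dn: uid=orphan,ou=Accounts,root
uid: orphan
"""

def parse_ldif(text):
    """Minimal LDIF reader: {dn: {attr_lower: [values]}}. No folding or base64."""
    entries, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue  # blank separators optional here; each 'dn:' starts an entry
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            current = entries.setdefault(value, defaultdict(list))
        elif current is not None:
            current[attr].append(value)
    return entries

def check_links(entries, people="ou=People,root", accounts="ou=Accounts,root"):
    """Report accounts with no owner, seeAlso targets that do not exist, and
    person->account links the account does not record back with its own seeAlso."""
    problems = {"orphan_accounts": [], "dangling_seealso": [], "one_way": []}
    for dn, attrs in entries.items():
        links = attrs.get("seealso", [])
        if dn.endswith("," + people):
            for target in links:
                if target not in entries:
                    problems["dangling_seealso"].append((dn, target))
                elif dn not in entries[target].get("seealso", []):
                    problems["one_way"].append((dn, target))
        elif dn.endswith("," + accounts) and not any(
                t.endswith("," + people) for t in links):
            problems["orphan_accounts"].append(dn)
    return problems
```

Run it against an LDIF export of both OUs (ldapsearch output is already in this shape once line folding is undone) to list accounts nobody owns.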