[Fedora-directory-users] multiple naming attributes in DN

Richard Megginson rmeggins at redhat.com
Thu Oct 5 14:05:59 UTC 2006


gennaro.tortone at na.infn.it wrote:
>
> Hi,
>
> ok,
> suppose a company has various sites in the world,
> and each site has its own LDAP Directory in order to authenticate
> local users (e.g. Fedora Directory Server)
>
> now,
> suppose that this company has a set of "collective services"
> (e.g. mailing lists, web portal, ...) available to all sites;
>
> I study a solution to provide a "global authentication" for all users
> of this company who authenticate themselves to use "collective services";
>
> The solution I'm studying is based on Oracle Virtual Directory;
> this software aggregates various LDAP datasources and publishes
> them in a global LDAP tree:
>
> As example:
>
> SITE 1
> ------
> authentication server:     fds-auth.site1.company.com
> site1 users basedn:    ou=People,dc=site1,dc=company,dc=com
>
> SITE 2
> ------
> authentication server:    fds-auth.site2.company.com
> site2 users basedn:    ou=People,dc=site2,dc=company,dc=com
>
> VIRTUAL DIRECTORY
> -----------------
>
> aggregates users from:
>     - ou=People,dc=site1,dc=company,dc=com
>     - ou=People,dc=site2,dc=company,dc=com
>
> in a "virtual LDAP server" under the basedn:
>     - ou=People,dc=company,dc=com
>
> If the company has an Apache webserver available to all sites,
> it should be possible to use the Virtual Directory Server
> as authentication source for all users;
>
> but the problem is:
> each site LDAP tree is merged on a single _virtual_ LDAP tree...
Why do you need to have everyone under a single ou=People under 
dc=company,dc=com?  Unless I misunderstand something, almost all 
authentication apps should be able search for a unique attribute under 
dc=company,dc=com that has two or more dc=siteX under it.
> what happens if there are two users on two different sites
> with the same "uid=..." ?
Aye, there's the rub.  This really boils down to an application 
problem.  Each application doing authentication against the DS (apache, 
pam, etc.) needs to be able to specify a unique attribute during login 
(e.g. have to type in the email address at the login prompt rather than 
a uid).

You can still easily allow uid for some logins if your application is 
site specific and you will never have anyone from another site try to 
login - e.g. for all machines in the site1.company.com domain, you can 
configure PAM to lookup uid's under dc=site1,dc=company,dc=com.  But as 
soon as you want to allow users from other sites to login, you can no 
longer use uid.

I don't know if there is a way to tell PAM to do a multi stage lookup e.g.
First, look for uid under dc=site1.  If that fails, look for uid under 
dc=company.  If that fails, or returns multiple entries, look for email 
under dc=company.
>
> ok,
> we can use a _natively_ unique attributes like "mail" to
> publish a DN for each user; then the user "smith":
>
> - uid=smith,ou=People,dc=site1,dc=company,dc=com
>
> will be:
>
> - mail=smith at site1.company.com,ou=People,dc=site1,dc=company,dc=com
>
> (this is a simple changing of DN naming attributes on Fedora Console
>  for the user "smith")
>
> but this _quick_ solution creates a problem on local sites that use, as
> an example, PAM on their Linux systems; with this change the account
> that "smith" uses to log in will be changed to "smith at site1.company.com"
>
> then I'm looking for a way to have different DN for the same user 
> entry...
> (or for a different solution....)
>
> Regards,
>
> On Thu, 5 Oct 2006, Morris, Patrick wrote:
>
>>> I'm setting up a Fedora Directory Server for user authentication;
>>>
>>> Currently users are stored as the following:
>>>
>>>     dn: uid=user01,ou=People,dc=na,dc=infn,dc=it
>>>         <entry of user01>
>>>
>>>     dn: uid=user02,ou=People,dc=na,dc=infn,dc=it
>>>                 <entry of user02>
>>>
>>> Is it possible to publish each user entry as:
>>>
>>>     dn: uid=user01,ou=People,dc=na,dc=infn,dc=it
>>>                 <entry of user01>
>>>
>>> and also with:
>>>
>>>     dn: email=user01 at domain.it,ou=People,dc=na,dc=infn,dc=it
>>>                 <entry of user01>
>>
>> While it's theoretically possible using something like aliased records,
>> DNs are, by definition, a single specifier per entry.
>>
>> What exactly are you trying to accomplish?  Are you sure you need
>> multiple DNs per entry?
>>
>> -- 
>> Fedora-directory-users mailing list
>> Fedora-directory-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>>
>>
>
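The multi-stage lookup Richard sketches above (uid under the site base, then uid under the company base, then mail under the company base, with an ambiguous result treated as a failure) is easy to get subtly wrong, so here is a worked version. This is an added example, not code from the thread or from Fedora Directory Server, PAM or Oracle Virtual Directory. The directory is a constructed in-memory list of entries and `search()` imitates a subtree equality search so the script runs offline; against a real server `search()` would be replaced by an LDAP client call and the staging logic in `resolve_login()` stays the same. The site and company base DNs follow the layout given in the thread; the `jones` entry and the mail addresses are made up for the example.

```python
"""Staged login-name resolution for a multi-site directory (added example).

The point of the staging is the same one the thread makes: a login lookup
must map to exactly ONE entry. Zero matches and more than one match are
both failures that fall through to the next, more specific attribute.
"""
import re

# Constructed sample data: two sites that both have a uid=smith, plus one
# user that exists only at site2.
ENTRIES = [
    {"dn": "uid=smith,ou=People,dc=site1,dc=company,dc=com",
     "uid": "smith", "mail": "smith@site1.company.com"},
    {"dn": "uid=smith,ou=People,dc=site2,dc=company,dc=com",
     "uid": "smith", "mail": "smith@site2.company.com"},
    {"dn": "uid=jones,ou=People,dc=site2,dc=company,dc=com",
     "uid": "jones", "mail": "jones@site2.company.com"},
]

SITE1_BASE = "ou=People,dc=site1,dc=company,dc=com"
SITE2_BASE = "ou=People,dc=site2,dc=company,dc=com"
COMPANY_BASE = "dc=company,dc=com"


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied value for an LDAP search filter (RFC 4515).

    Without this, a login name such as '*' or 'smith)(uid=*' changes the
    meaning of the filter instead of being compared literally.
    """
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch
                   for ch in value)


def _normalize_dn(dn: str) -> str:
    # Enough DN normalisation for the stub: case-fold and drop spaces after commas.
    return re.sub(r",\s*", ",", dn.strip()).lower()


def search(base: str, filt: str):
    """Stub for a subtree equality search: returns the DNs matching
    '(attr=value)' at or below `base`.  Only the simple equality form is
    understood, which is all the staged lookup needs."""
    m = re.fullmatch(r"\((\w+)=(.*)\)", filt)
    if not m:
        raise ValueError("unsupported filter: %r" % filt)
    attr, raw = m.group(1).lower(), m.group(2)
    # Undo RFC 4515 escaping so the comparison is literal.
    value = re.sub(r"\\([0-9a-fA-F]{2})",
                   lambda h: chr(int(h.group(1), 16)), raw).lower()
    nbase = _normalize_dn(base)
    hits = []
    for entry in ENTRIES:
        ndn = _normalize_dn(entry["dn"])
        in_subtree = ndn == nbase or ndn.endswith("," + nbase)
        if in_subtree and entry.get(attr, "").lower() == value:
            hits.append(entry["dn"])
    return hits


def resolve_login(login: str, site_base: str, company_base: str):
    """Return the single DN for `login`, or None if no stage yields
    exactly one entry.  Stages follow the order suggested in the thread."""
    stages = [
        (site_base, "uid"),       # local users keep logging in with a bare uid
        (company_base, "uid"),    # users from other sites, if the uid is unique
        (company_base, "mail"),   # last resort: the natively unique attribute
    ]
    for base, attr in stages:
        matches = search(base, "(%s=%s)" % (attr, escape_filter_value(login)))
        if len(matches) == 1:
            return matches[0]
        # 0 matches: not here; >1 matches: ambiguous. Either way, next stage.
    return None


if __name__ == "__main__":
    for login, base in [("smith", SITE1_BASE), ("jones", SITE1_BASE),
                        ("smith@site2.company.com", SITE1_BASE),
                        ("smith", COMPANY_BASE), ("*", SITE1_BASE)]:
        print("%-26s from %-38s -> %s" % (login, base,
                                            resolve_login(login, base, COMPANY_BASE)))
```

Run as a script it prints one line per case: the two `smith` entries are told apart by the site base the machine is configured with, `jones` resolves from site1 through the company-wide uid stage, the mail form resolves through the last stage, a caller that only has the company base gets `None` for `smith` because both stages return two entries, and `*` gets `None` because the escaping makes it a literal comparison rather than a wildcard.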