[Fedora-directory-users] multiple naming attributes in DN

gennaro.tortone@na.infn.it tortone at na.infn.it
Thu Oct 5 13:07:14 UTC 2006


Hi,

ok,
suppose a company has various sites in the world,
and each site has its own LDAP Directory in order to authenticate
local users (e.g. Fedora Directory Server)

now,
suppose that this company has a set of "collective services"
(e.g. mailing lists, web portal, ...) available to all sites;

I am studying a solution to provide a "global authentication" for all users
of this company who authenticate themselves to use "collective services";

The solution I'm studying is based on Oracle Virtual Directory;
this software aggregates various LDAP datasources and publishes
them in a global LDAP tree:

As example:

SITE 1
------
authentication server: 	fds-auth.site1.company.com
site1 users basedn:	ou=People,dc=site1,dc=company,dc=com

SITE 2
------
authentication server:	fds-auth.site2.company.com
site2 users basedn:	ou=People,dc=site2,dc=company,dc=com

VIRTUAL DIRECTORY
-----------------

aggregates users from:
 	- ou=People,dc=site1,dc=company,dc=com
 	- ou=People,dc=site2,dc=company,dc=com

in a "virtual LDAP server" under the basedn:
 	- ou=People,dc=company,dc=com

If the company has an Apache webserver available to all sites,
it should be possible to use the Virtual Directory Server
as authentication source for all users;

but the problem is:
each site LDAP tree is merged on a single _virtual_ LDAP tree...
what happens if there are two users on two different sites
with the same "uid=..." ?

ok,
we can use a _natively_ unique attribute like "mail" to
publish the DN for each user; then the user "smith":

- uid=smith,ou=People,dc=site1,dc=company,dc=com

will be:

- mail=smith at site1.company.com,ou=People,dc=site1,dc=company,dc=com

(this is a simple change of the DN naming attribute in Fedora Console
  for the user "smith")

but this _quick_ solution creates a problem on local sites that use, as
an example, PAM on their Linux systems; with this change the account
that "smith" uses to log in will be changed to "smith at site1.company.com"

then I'm looking for a way to have different DNs for the same user entry...
(or for a different solution....)

Regards,

On Thu, 5 Oct 2006, Morris, Patrick wrote:

>> I'm setting up a Fedora Directory Server for user authentication;
>>
>> Currently users are stored as the following:
>>
>> 	dn: uid=user01,ou=People,dc=na,dc=infn,dc=it
>> 		<entry of user01>
>>
>> 	dn: uid=user02,ou=People,dc=na,dc=infn,dc=it
>>                 <entry of user02>
>>
>> Is it possible to publish each user entry as:
>>
>> 	dn: uid=user01,ou=People,dc=na,dc=infn,dc=it
>>                 <entry of user01>
>>
>> and also with:
>>
>> 	dn: email=user01 at domain.it,ou=People,dc=na,dc=infn,dc=it
>>                 <entry of user01>
>
> While it's theoretically possible using something like aliased records,
> DNs are, by definition, a single specifier per entry.
>
> What exactly are you trying to accomplish?  Are you sure you need
> multiple DNs per entry?

-- 
Gennaro Tortone
INFN Napoli
Italy
tel: +39 81 676169

"Computer Science is no more about computers
     than astronomy is about telescopes."
     - Edsger Dijkstra
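The uid collision described in the message above, worked through as an added Python example that is not from this thread, from Fedora Directory Server, or from Oracle Virtual Directory. It aggregates constructed sample entries from two site bases under the virtual base ou=People,dc=company,dc=com and reports which virtual DNs are claimed by more than one source entry when the RDN is built from "uid", from "mail", or (going slightly beyond the message) from a multi-valued RDN such as uid+mail. The rename is applied only in the aggregated view, so each source entry keeps uid as its naming attribute and local PAM logins are untouched. All entry data, the function names and the sourceDN bookkeeping attribute are assumptions made for this example.

```python
from collections import defaultdict

# Constructed sample data (not real directory content): two site directories
# that each hold a user with uid "smith".
SITE_ENTRIES = {
    "ou=People,dc=site1,dc=company,dc=com": [
        {"uid": "smith", "mail": "smith@site1.company.com", "cn": "John Smith"},
        {"uid": "jones", "mail": "jones@site1.company.com", "cn": "Ann Jones"},
    ],
    "ou=People,dc=site2,dc=company,dc=com": [
        {"uid": "smith", "mail": "smith@site2.company.com", "cn": "Mary Smith"},
        {"uid": "lee", "mail": "lee@site2.company.com", "cn": "Kim Lee"},
    ],
}
VIRTUAL_BASE = "ou=People,dc=company,dc=com"


def escape_rdn_value(value: str) -> str:
    """Escape an attribute value for use inside a DN (RFC 4514 section 2.4)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")
        elif ch in ',+"\\<>;' or (i == 0 and ch in " #") or (i == last and ch == " "):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def build_rdn(entry: dict, naming_attrs: tuple) -> str:
    """Build a (possibly multi-valued) RDN such as 'uid=smith+mail=smith@site1.company.com'."""
    return "+".join(f"{attr}={escape_rdn_value(entry[attr])}" for attr in naming_attrs)


def aggregate(site_entries: dict, virtual_base: str, naming_attrs: tuple):
    """Publish every site entry under virtual_base, renaming it with naming_attrs.

    Returns (view, collisions): view maps each virtual DN to the first entry
    that claimed it (with its source DN recorded in the assumed attribute
    sourceDN); collisions maps every virtual DN claimed by more than one
    source entry to the list of those source DNs.
    """
    view = {}
    claimants = defaultdict(list)
    for base, entries in site_entries.items():
        for entry in entries:
            # The source entry keeps uid as its naming attribute, so local
            # PAM logins are untouched; only the virtual DN is rewritten.
            source_dn = f"uid={escape_rdn_value(entry['uid'])},{base}"
            virtual_dn = f"{build_rdn(entry, naming_attrs)},{virtual_base}"
            claimants[virtual_dn].append(source_dn)
            view.setdefault(virtual_dn, dict(entry, sourceDN=source_dn))
    collisions = {dn: srcs for dn, srcs in claimants.items() if len(srcs) > 1}
    return view, collisions


def report(naming_attrs: tuple) -> None:
    """Print how many virtual entries and collisions a naming choice produces."""
    view, collisions = aggregate(SITE_ENTRIES, VIRTUAL_BASE, naming_attrs)
    print(f"naming attributes {naming_attrs}: {len(view)} virtual entries, "
          f"{len(collisions)} collision(s)")
    for dn, srcs in collisions.items():
        print(f"  {dn} is claimed by: {', '.join(srcs)}")


if __name__ == "__main__":
    report(("uid",))           # the two "smith" entries collide
    report(("mail",))          # mail is unique across sites
    report(("uid", "mail"))    # multi-valued RDN keeps uid visible and stays unique
```

Running the block shows three virtual entries and one collision for uid alone, and four entries with no collision for mail or for the multi-valued uid+mail RDN. The collision report is the check worth running before switching a virtual directory to a new naming attribute: any attribute chosen as RDN must be present and unique across every aggregated site, otherwise the aggregated entry silently hides one of the users.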