Hi, ok, suppose a company has various site in the world, and each site has its own LDAP Directory in order to authenticate local users (e.g. Fedora Directory Server) now, suppose that this company has a set of "collective services" (e.g. mailing lists, web portal, ...) available to all sites; I study a solution to provide a "global autentication" for all users of this company that authenticate themself to use "collective services"; The solution I'm studing is based on Oracle Virtual Directory; this software aggregates various LDAP datasources and publish them in a global LDAP tree: As example: SITE 1 ------ authentication server: fds-auth.site1.company.com site1 users basedn: ou=People,dc=site1,dc=company,dc=com SITE 2 ------ authentication server: fds-auth.site2.company.com site2 users basedn: ou=People,dc=site2,dc=company,dc=com VIRTUAL DIRECTORY ----------------- aggregates users from: - ou=People,dc=site1,dc=company,dc=com - ou=People,dc=site2,dc=company,dc=com in a "virtual LDAP server" under the basedn: - ou=People,dc=company,dc=com If the company has an Apache webserver available to all site, it should be possible to use the Virtual Directory Server as authentication source for all users; but the problem is: each site LDAP tree is merged on a single _virtual_ LDAP tree... what happen if there are two users on two different sites with the same "uid=..." ? ok, we can use a _natively_ unique attributes like "mail" to publish DN for each users; then the users "smith": - uid=smith,ou=People,dc=site1,dc=company,dc=com will be: - mail=smith at site1.company.com,ou=People,dc=site1,dc=company,dc=com" (this is a simple changing of DN naming attributes on Fedora Console for the user "smith") but this _quick_ solution create a problem on local site that use, as example, PAM on their Linux systems; with this change the account that "smith" uses to log in will be changed in "smith at site1.company.com" then I'm looking for a way to have different DN for the same user entry... (or for a different solution....) Regards, On Thu, 5 Oct 2006, Morris, Patrick wrote: >> I'm setting up a Fedora Directory Server for user authentication; >> >> Currently users are stored as the following: >> >> dn: uid=user01,ou=People,dc=na,dc=infn,dc=it >> <entry of user01> >> >> dn: uid=user02,ou=People,dc=na,dc=infn,dc=it >> <entry of user02> >> >> Is it possible to publish each user entry as: >> >> dn: uid=user01,ou=People,dc=na,dc=infn,dc=it >> <entry of user01> >> >> and also with: >> >> dn: email=user01 at domain.it,ou=People,dc=na,dc=infn,dc=it >> <entry of user01> > > While it's theoretically possible using something like aliased records, > DNs are, by definition, a single specifier per entry. > > What exectly are you trying to accomplish? Are you sure you need > multiple DNs per entry? > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > > -- Gennaro Tortone INFN Napoli Italy tel: +39 81 676169 "Computer Science is no more about computers than astronomy is about telescopes." - Edsger Dijkstra
