gennaro.tortone@na.infn.it wrote:
>
> Hi,
>
> ok,
> suppose a company has various sites in the world,
> and each site has its own LDAP Directory in order to authenticate
> local users (e.g. Fedora Directory Server)
>
> now,
> suppose that this company has a set of "collective services"
> (e.g. mailing lists, web portal, ...) available to all sites;
>
> I am studying a solution to provide a "global authentication" for all users
> of this company that authenticate themselves to use "collective services";
>
> The solution I'm studying is based on Oracle Virtual Directory;
> this software aggregates various LDAP datasources and publishes
> them in a global LDAP tree:
>
> As an example:
>
> SITE 1
> ------
> authentication server: fds-auth.site1.company.com
> site1 users basedn: ou=People,dc=site1,dc=company,dc=com
>
> SITE 2
> ------
> authentication server: fds-auth.site2.company.com
> site2 users basedn: ou=People,dc=site2,dc=company,dc=com
>
> VIRTUAL DIRECTORY
> -----------------
>
> aggregates users from:
> - ou=People,dc=site1,dc=company,dc=com
> - ou=People,dc=site2,dc=company,dc=com
>
> in a "virtual LDAP server" under the basedn:
> - ou=People,dc=company,dc=com
>
> If the company has an Apache webserver available to all sites,
> it should be possible to use the Virtual Directory Server
> as authentication source for all users;
>
> but the problem is:
> each site LDAP tree is merged on a single _virtual_ LDAP tree...

Why do you need to have everyone under a single ou=People under
dc=company,dc=com? Unless I misunderstand something, almost all
authentication apps should be able to search for a unique attribute
under dc=company,dc=com that has two or more dc=siteX under it.

> what happens if there are two users on two different sites
> with the same "uid=..." ?

Aye, there's the rub. This really boils down to an application
problem. Each application doing authentication against the DS
(apache, pam, etc.) needs to be able to specify a unique attribute
during login (e.g. have to type in the email address at the login
prompt rather than a uid). You can still easily allow uid for some
logins if your application is site specific and you will never have
anyone from another site try to login - e.g. for all machines in the
site1.company.com domain, you can configure PAM to look up uids under
dc=site1,dc=company,dc=com. But as soon as you want to allow users
from other sites to login, you can no longer use uid. I don't know if
there is a way to tell PAM to do a multi stage lookup, e.g. first,
look for uid under dc=site1. If that fails, look for uid under
dc=company. If that fails, or returns multiple entries, look for
email under dc=company.

>
> ok,
> we can use a _natively_ unique attribute like "mail" to
> publish the DN for each user; then the user "smith":
>
> - uid=smith,ou=People,dc=site1,dc=company,dc=com
>
> will be:
>
> - mail=smith@site1.company.com,ou=People,dc=site1,dc=company,dc=com
>
> (this is a simple change of DN naming attribute on Fedora Console
> for the user "smith")
>
> but this _quick_ solution creates a problem on local sites that use, as
> an example, PAM on their Linux systems; with this change the account
> that "smith" uses to log in will be changed to "smith@site1.company.com"
>
> then I'm looking for a way to have different DNs for the same user
> entry...
> (or for a different solution....)
>
> Regards,
>
> On Thu, 5 Oct 2006, Morris, Patrick wrote:
>
>>> I'm setting up a Fedora Directory Server for user authentication;
>>>
>>> Currently users are stored as the following:
>>>
>>> dn: uid=user01,ou=People,dc=na,dc=infn,dc=it
>>> <entry of user01>
>>>
>>> dn: uid=user02,ou=People,dc=na,dc=infn,dc=it
>>> <entry of user02>
>>>
>>> Is it possible to publish each user entry as:
>>>
>>> dn: uid=user01,ou=People,dc=na,dc=infn,dc=it
>>> <entry of user01>
>>>
>>> and also with:
>>>
>>> dn: email=user01@domain.it,ou=People,dc=na,dc=infn,dc=it
>>> <entry of user01>
>>
>> While it's theoretically possible using something like aliased records,
>> DNs are, by definition, a single specifier per entry.
>>
>> What exactly are you trying to accomplish? Are you sure you need
>> multiple DNs per entry?
>>
>> --
>> Fedora-directory-users mailing list
>> Fedora-directory-users@redhat.com
>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
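The multi-stage lookup sketched in the reply above (uid under the local site, then uid under the whole company, then mail under the whole company) can be modelled without a directory server. The following is an added example, not code from the thread or from Fedora Directory Server: it builds a constructed in-memory copy of the two-site layout described (both sites holding a `uid=smith`), implements a minimal subtree search with a single equality filter, and resolves a login name to exactly one DN. The `Entry`, `search` and `resolve_login` names and the sample mail values are assumptions of this example. The security-relevant choice is that a stage returning more than one entry is treated as ambiguous and never used to pick a bind DN: the resolver falls through to the next stage or refuses, rather than silently authenticating whichever `smith` the server returned first.

```python
"""Resolve a login name to a single DN over an aggregated LDAP tree.

Constructed in-memory model of the layout from the thread: two sites under
dc=company,dc=com, each with its own ou=People, and a uid collision on
'smith'. The search() helper mimics a subtree search with one equality
filter; nothing here talks to a real server.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Entry:
    dn: str
    attrs: dict = field(default_factory=dict)


# Constructed sample data (assumption of this example): uid collides across
# sites, mail is unique company-wide.
DIRECTORY = [
    Entry("uid=smith,ou=People,dc=site1,dc=company,dc=com",
          {"uid": "smith", "mail": "smith@site1.company.com"}),
    Entry("uid=smith,ou=People,dc=site2,dc=company,dc=com",
          {"uid": "smith", "mail": "smith@site2.company.com"}),
    Entry("uid=jones,ou=People,dc=site2,dc=company,dc=com",
          {"uid": "jones", "mail": "jones@site2.company.com"}),
]


def _rdns(dn: str) -> list:
    """Split a DN into its RDNs, normalised for case and whitespace."""
    return [part.strip().lower() for part in dn.split(",")]


def search(directory: list, base: str, attr: str, value: str) -> list:
    """Subtree search under `base` with filter (attr=value).

    Matching is case-insensitive, like LDAP's default caseIgnore rules.
    An entry is inside the subtree when its DN ends with the base's RDNs.
    """
    base_rdns = _rdns(base)
    hits = []
    for entry in directory:
        rdns = _rdns(entry.dn)
        if len(rdns) < len(base_rdns) or rdns[-len(base_rdns):] != base_rdns:
            continue
        if entry.attrs.get(attr, "").lower() == value.lower():
            hits.append(entry)
    return hits


def resolve_login(directory: list, login: str, site_base: Optional[str],
                  company_base: str) -> tuple:
    """Return (dn, stage) when exactly one entry matches, else (None, reason).

    Stage 1 (only when the service is site-local): uid under site_base.
    Stage 2: uid under company_base.
    Stage 3: mail under company_base, the natively unique attribute.
    Zero hits or more than one hit at a stage means "try the next stage";
    if every stage is ambiguous or empty the login is refused.
    """
    stages = []
    if site_base:
        stages.append(("site-uid", site_base, "uid"))
    stages += [("company-uid", company_base, "uid"),
               ("company-mail", company_base, "mail")]

    for stage, base, attr in stages:
        hits = search(directory, base, attr, login)
        if len(hits) == 1:
            return hits[0].dn, stage
        # 0 hits: not found here; >1 hits: ambiguous, never pick the first
    return None, "no unique match"


if __name__ == "__main__":
    site1 = "dc=site1,dc=company,dc=com"
    company = "dc=company,dc=com"
    # A site1 machine: plain uid still works for the local user.
    print(resolve_login(DIRECTORY, "smith", site1, company))
    # A collective service: bare 'smith' is ambiguous and is refused.
    print(resolve_login(DIRECTORY, "smith", None, company))
    # The same user identified by mail resolves to exactly one DN.
    print(resolve_login(DIRECTORY, "smith@site2.company.com", None, company))
```

Note that `jones` resolves at the company-uid stage today only because no other site has a `jones`; the day one is created, the same login becomes ambiguous and the resolver starts refusing it, which is the safe failure the reply argues for and a good reason to make collective services ask for mail from the start.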