Re: multiple naming attributes in DN

gennaro.tortone@xxxxxxxxxx wrote:

Hi,

ok,
suppose a company has various sites in the world,
and each site has its own LDAP Directory in order to authenticate
local users (e.g. Fedora Directory Server)

now,
suppose that this company has a set of "collective services"
(e.g. mailing lists, web portal, ...) available to all sites;

I am studying a solution to provide "global authentication" for all users
of this company who authenticate themselves to use "collective services";

The solution I'm studying is based on Oracle Virtual Directory;
this software aggregates various LDAP datasources and publishes
them in a global LDAP tree:

As example:

SITE 1
------
authentication server:     fds-auth.site1.company.com
site1 users basedn:    ou=People,dc=site1,dc=company,dc=com

SITE 2
------
authentication server:    fds-auth.site2.company.com
site2 users basedn:    ou=People,dc=site2,dc=company,dc=com

VIRTUAL DIRECTORY
-----------------

aggregates users from:
    - ou=People,dc=site1,dc=company,dc=com
    - ou=People,dc=site2,dc=company,dc=com

in a "virtual LDAP server" under the basedn:
    - ou=People,dc=company,dc=com

If the company has an Apache webserver available to all sites,
it should be possible to use the Virtual Directory Server
as authentication source for all users;

but the problem is:
each site LDAP tree is merged into a single _virtual_ LDAP tree...

Why do you need to have everyone under a single ou=People under dc=company,dc=com? Unless I misunderstand something, almost all authentication apps should be able to search for a unique attribute under dc=company,dc=com that has two or more dc=siteX under it.

what happens if there are two users on two different sites
with the same "uid=..." ?

Aye, there's the rub. This really boils down to an application problem. Each application doing authentication against the DS (apache, pam, etc.) needs to be able to specify a unique attribute during login (e.g. have to type in the email address at the login prompt rather than a uid).

You can still easily allow uid for some logins if your application is site specific and you will never have anyone from another site try to log in - e.g. for all machines in the site1.company.com domain, you can configure PAM to look up uids under dc=site1,dc=company,dc=com. But as soon as you want to allow users from other sites to log in, you can no longer use uid.

I don't know if there is a way to tell PAM to do a multi stage lookup e.g.
First, look for uid under dc=site1. If that fails, look for uid under dc=company. If that fails, or returns multiple entries, look for email under dc=company.

ok,
we can use a _natively_ unique attribute like "mail" to
publish the DN for each user; then the user "smith":

- uid=smith,ou=People,dc=site1,dc=company,dc=com

will be:

- mail=smith@xxxxxxxxxxxxxxxxx,ou=People,dc=site1,dc=company,dc=com

(this is a simple changing of DN naming attributes on Fedora Console
 for the user "smith")

but this _quick_ solution creates a problem on local sites that use, for
example, PAM on their Linux systems; with this change the account
that "smith" uses to log in will be changed to "smith@xxxxxxxxxxxxxxxxx"

then I'm looking for a way to have different DN for the same user entry...
(or for a different solution....)

Regards,

On Thu, 5 Oct 2006, Morris, Patrick wrote:

I'm setting up a Fedora Directory Server for user authentication;

Currently users are stored as the following:

    dn: uid=user01,ou=People,dc=na,dc=infn,dc=it
        <entry of user01>

    dn: uid=user02,ou=People,dc=na,dc=infn,dc=it
        <entry of user02>

Is it possible to publish each user entry as:

    dn: uid=user01,ou=People,dc=na,dc=infn,dc=it
        <entry of user01>

and also with:

    dn: email=user01@xxxxxxxxx,ou=People,dc=na,dc=infn,dc=it
        <entry of user01>

While it's theoretically possible using something like aliased records,
DNs are, by definition, a single specifier per entry.

What exactly are you trying to accomplish?  Are you sure you need
multiple DNs per entry?
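The multi-stage lookup sketched in the reply above (uid under the site base, then uid under the company base, then mail under the company base) is easy to get subtly wrong: a merged tree with two "smith" entries must never resolve a bare "smith" to whichever entry the server happens to return first. The following is an added example, not code from the thread, from Fedora Directory Server or from Oracle Virtual Directory. It simulates the staged search against an in-memory directory of constructed entries (the site names, DNs and mail addresses are assumptions) and shows that a login name is only accepted when exactly one entry matches; several matches on a uid stage fall through to the mail stage, and several matches on mail are treated as a data error.

```python
"""Staged login-name resolution over a merged (virtual) LDAP tree.

Added example; not code from the thread or from any directory product.
Simulates three subtree searches against constructed in-memory entries:
uid under the site base, uid under the company base, mail under the
company base.  A name matching more than one entry at the final stage is
rejected instead of resolving to an arbitrary account.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Entry:
    """One directory entry: its DN plus a multi-valued attribute map."""
    dn: str
    attrs: Dict[str, List[str]] = field(default_factory=dict)


class AmbiguousLogin(Exception):
    """The supposedly unique attribute matched several entries."""


def _norm_dn(dn: str) -> str:
    # Lower-case each RDN and drop surrounding whitespace so a suffix
    # comparison is not fooled by "DC=Site1, DC=Company, DC=Com" spelling.
    return ",".join(part.strip().lower() for part in dn.split(","))


def _under(dn: str, base: str) -> bool:
    # Subtree scope: the entry is the base itself or lies beneath it.
    d, b = _norm_dn(dn), _norm_dn(base)
    return d == b or d.endswith("," + b)


def search(directory: List[Entry], base: str, attr: str, value: str) -> List[Entry]:
    """Stand-in for a subtree search with filter (attr=value); matching is
    case-insensitive, like LDAP's caseIgnoreMatch on uid and mail."""
    wanted = value.lower()
    return [e for e in directory
            if _under(e.dn, base)
            and any(v.lower() == wanted for v in e.attrs.get(attr, []))]


def resolve_login(directory: List[Entry], login: str,
                  site_base: str, company_base: str) -> Optional[Entry]:
    """Return the single entry the login name designates, or None.

    Stages 1 and 2 use uid; zero or several hits fall through to the next
    stage.  Stage 3 uses mail, expected to be unique company-wide, so
    several hits there are a data problem and raise AmbiguousLogin.
    """
    stages = [
        (site_base, "uid"),      # 1. local accounts keep their short uid
        (company_base, "uid"),   # 2. uid across every merged site
        (company_base, "mail"),  # 3. globally unique naming attribute
    ]
    for base, attr in stages:
        hits = search(directory, base, attr, login)
        if len(hits) == 1:
            return hits[0]
        if len(hits) > 1 and attr == "mail":
            raise AmbiguousLogin(f"{login!r} matches {len(hits)} entries under {base}")
    return None


# Constructed sample data (assumed names, not from the thread): two sites
# that both have a user "smith", merged under dc=company,dc=com.
COMPANY = "dc=company,dc=com"
SITE1 = "dc=site1," + COMPANY
SITE2 = "dc=site2," + COMPANY

DIRECTORY = [
    Entry("uid=smith,ou=People," + SITE1,
          {"uid": ["smith"], "mail": ["smith@site1.company.com"]}),
    Entry("uid=smith,ou=People," + SITE2,
          {"uid": ["smith"], "mail": ["smith@site2.company.com"]}),
    Entry("uid=jones,ou=People," + SITE2,
          {"uid": ["jones"], "mail": ["jones@site2.company.com"]}),
]

# Same data plus an entry that wrongly reuses site1 smith's mail address.
DIRECTORY_WITH_DUP_MAIL = DIRECTORY + [
    Entry("uid=smith2,ou=People," + SITE2,
          {"uid": ["smith2"], "mail": ["smith@site1.company.com"]}),
]


if __name__ == "__main__":
    # Local site1 login: stage 1 resolves the site1 smith immediately.
    print(resolve_login(DIRECTORY, "smith", SITE1, COMPANY).dn)
    # A site with no smith of its own: stage 2 finds two, stage 3 finds
    # none, so the bare uid is refused rather than guessed.
    print(resolve_login(DIRECTORY, "smith", "dc=site3," + COMPANY, COMPANY))
    # The mail address disambiguates across sites.
    print(resolve_login(DIRECTORY, "smith@site2.company.com", SITE1, COMPANY).dn)
```

The point of the "exactly one hit" rule is that a merged tree turns a uid collision into an account-confusion risk: whichever stage is used, the resolver must treat zero and multiple matches alike as "not resolved" and only the final, supposedly unique attribute may turn a duplicate into a hard error that someone has to look at.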

--
Fedora-directory-users mailing list
Fedora-directory-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-directory-users
