Javier Borrajo wrote:
>
> > The RDBMS table needs to have some primary key to begin with, you just
> > need to put that primary key in LDAP. I don't see that as being
> > replication.
> >
> > Where it's user id (my recommendation), or any other identifier is up to
> > you. And yes, if your table has a counter primary key you can put that
> > counter in LDAP (you can always add new attributes to your LDAP server).
>
> So when the app creates a new user it inserts a new entry into both
> LDAP and into a table in the DB, maybe "user distinguished name" (DN)
> into table USERS...
Precisely. Keep in mind the synchronization is not supported, i.e. you
can remove a user record from the RDBMS or LDAP without alerting the
other. Although LDAP does have a notification mechanism, for various
reasons (no time to explain) don't build on it.
So, look up in LDAP first and authenticate the user; if it's not there,
assume it's also not in the RDBMS. Then look in the RDBMS; if the user is
not there, perhaps create a default record.
As for what keys to use, you have two approaches:
* Use the full DN from LDAP. This is the correct approach if your
database attempts to support multiple domains.
* Use just the CN (or UID) from LDAP. This is more efficient, but only
works if you have one domain in your LDAP server.
<ldap>
Traditional LDAP documentation from the X.500 days recommends specifying
DNs as:
CN=<full name>,OU=<department>,O=<organization>,c=<country>
This scheme worked well in the X.500 days, but organizations now tend to
prefer a more DNS-based approach which solves problems like: what
happens if two users have the same name, and how do I map O/C to my
domain names? And what happens when people stay in the same company but
change their department?
A new scheme has been devised, documented in an IETF RFC but not that
well known:
UID=<unique id>,O=People,DC=<domain>
The assumption is that a unique identifier always exists, e.g. the email
address (smith.johns.1 or johns1 vs. John Smith) and that the company
has a domain name. Under the new scheme, my DN would be:
UID=arkin,O=People,DC=exoffice,DC=com
</ldap>
arkin
>
> Javier
>
--
----------------------------------------------------------------------
Assaf Arkin www.exoffice.com
CTO, Exoffice Technologies, Inc. www.exolab.org
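The lookup order described in the post (authenticate against LDAP first, then read the RDBMS row keyed by the DN and create a default row if it is missing), plus DN construction under the UID=<id>,O=People,DC=<domain> scheme, as an added example. This is not code from the post or from Exoffice; the in-memory directory and the SQLite table are constructed stand-ins for a real LDAP bind and a real USERS table, and the value escaping follows the RFC 4514 rules so that a user id containing a comma cannot smuggle an extra RDN into the DN used as the key.

```python
import hmac
import sqlite3

# Characters that RFC 4514 requires to be backslash-escaped inside an RDN value.
_DN_SPECIALS = ',+"\\<>;'


def escape_rdn_value(value: str) -> str:
    """Escape an attribute value before embedding it in a DN.

    Without this, a uid such as 'a,O=Admins' would be keyed in the RDBMS
    (and looked up in LDAP) as a different entry than the one intended.
    """
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        needs_escape = (
            ch in _DN_SPECIALS
            or (i == 0 and ch in ' #')      # leading space or '#'
            or (i == last and ch == ' ')    # trailing space
        )
        out.append('\\' + ch if needs_escape else ch)
    return ''.join(out)


def build_dn(uid: str, domain: str) -> str:
    """UID=<uid>,O=People,DC=<label>,... from a uid and a DNS domain name."""
    dcs = ','.join('DC=' + escape_rdn_value(label) for label in domain.split('.'))
    return 'UID=' + escape_rdn_value(uid) + ',O=People,' + dcs


# Constructed stand-in for the directory: DN -> entry attributes. A real
# deployment binds to the LDAP server with the DN and password instead.
FAKE_LDAP = {
    'UID=arkin,O=People,DC=exoffice,DC=com':
        {'uid': 'arkin', 'cn': 'Assaf Arkin', 'userPassword': 'secret1'},
    'UID=javier,O=People,DC=exoffice,DC=com':
        {'uid': 'javier', 'cn': 'Javier Borrajo', 'userPassword': 'secret2'},
}


def ldap_authenticate(dn: str, password: str):
    """Return the entry when the DN exists and the password matches, else None."""
    entry = FAKE_LDAP.get(dn)
    if entry is None:
        return None
    if not hmac.compare_digest(entry['userPassword'], password):
        return None
    return entry


def open_db() -> sqlite3.Connection:
    """In-memory stand-in for the RDBMS USERS table, keyed by the full DN."""
    conn = sqlite3.connect(':memory:')
    conn.execute(
        'CREATE TABLE users (dn TEXT PRIMARY KEY, display_name TEXT, role TEXT NOT NULL)'
    )
    return conn


def login(conn: sqlite3.Connection, uid: str, password: str, domain: str = 'exoffice.com'):
    """LDAP first; only then touch the RDBMS, creating a default row on first login.

    Returns None when the user is not in LDAP or the password is wrong, so a
    user removed from the directory never gets a row created on their behalf.
    """
    dn = build_dn(uid, domain)
    entry = ldap_authenticate(dn, password)
    if entry is None:
        return None
    row = conn.execute(
        'SELECT dn, display_name, role FROM users WHERE dn = ?', (dn,)
    ).fetchone()
    created = row is None
    if created:
        conn.execute(
            'INSERT INTO users (dn, display_name, role) VALUES (?, ?, ?)',
            (dn, entry['cn'], 'default'),
        )
        conn.commit()
        row = (dn, entry['cn'], 'default')
    return {'dn': row[0], 'display_name': row[1], 'role': row[2], 'created': created}


if __name__ == '__main__':
    db = open_db()
    print(login(db, 'arkin', 'secret1'))   # first login: default row created
    print(login(db, 'arkin', 'secret1'))   # second login: existing row returned
    print(login(db, 'nobody', 'x'))        # not in LDAP: None, RDBMS untouched
```

Because the RDBMS row is only ever created after a successful directory authentication, the lack of synchronization the post warns about degrades safely in one direction: deleting the LDAP entry locks the account out even though its RDBMS row lingers, whereas deleting only the RDBMS row simply causes a fresh default record on the next login.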
===========================================================================
To unsubscribe, send email to [EMAIL PROTECTED] and include in the body
of the message "signoff EJB-INTEREST". For general help, send email to
[EMAIL PROTECTED] and include in the body of the message "help".