On Fri, Aug 09, 2013 at 01:20:55PM +0300, Zeus Panchenko wrote:

> is there a way to avoid target service uid clashing in this case?
>
> let's say I have two users with name John and I need to give each one
> access to some service, but both of them wish the service uid=john (for
> example, it is a common issue for an MTA serving different mail domains
> with a different user space for each one)

The first question to ask is how the application is going to tell the
difference between the two users when someone tries to log in as 'john'.
If the users are [email protected] and [email protected] then why not use
the full mail address as the uid?

> so what is needed to provide uniqueness of attribute `uid' for each
>
> dn: authorizedService=target-service,uid=target-user,ou=People,dc=org

If each 'john' account exists in a distinct, identifiable namespace then you
could either put the name of the namespace in the account entry or you could
use it as part of the LDAP hierarchy. The application can then formulate a
search that finds the correct entry in one operation.

Namespace in account:

  Search base:   ou=People,dc=org
  Search filter: "(&(uid=target-user)(namespace=x.y.com)(authorizedService=target-service))"

Namespace in hierarchy:

  Search base:   ou=People,namespace=x.y.com,dc=org
  Search filter: "(&(uid=target-user)(authorizedService=target-service))"

[ 'namespace' is used as an example here. There is no such attribute type
in the standard schema ]

Andrew

-- 
-----------------------------------------------------------------------
| From Andrew Findlay, Skills 1st Ltd                                 |
| Consultant in large-scale systems, networks, and directory services |
| http://www.skills-1st.co.uk/                       +44 1628 782565  |
-----------------------------------------------------------------------
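The two searches above are built by the application from the login name it was given, so the piece a practitioner has to get right is escaping before the name goes into the filter (or, for the hierarchy layout, into the base DN). The following is an added example, not code from the thread or from Andrew: it composes both searches with RFC 4515 filter-value escaping and RFC 4514 DN-value escaping, then runs them against a small constructed in-memory directory to show that each returns exactly one entry, and that an unescaped '*' from the caller would not. The 'namespace' attribute, the multi-valued RDN used to keep the flat layout's DNs unique, and every entry in the toy directory are assumptions made for the demonstration.

```python
"""Added example (not code from the thread): compose the two searches Andrew
describes, escaping the caller-supplied pieces (RFC 4515 for filter values,
RFC 4514 for DN components), and run them over a small constructed directory.
The 'namespace' attribute, the multi-valued RDN in the flat layout and all
entries below are assumptions for the demo."""

import re
from typing import Dict, List, Tuple

Entry = Tuple[str, Dict[str, str]]

# RFC 4515 section 3: characters that must be escaped inside a filter value,
# otherwise a login name such as "john)(uid=*" rewrites the filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value so it cannot alter the structure of a search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def escape_dn_value(value: str) -> str:
    """Escape an attribute value for use inside a DN (RFC 4514 section 2.4)."""
    out = "".join("\\" + ch if ch in '"+,;<>\\' else ch for ch in value)
    out = out.replace("\x00", r"\00")
    if out.startswith(("#", " ")):
        out = "\\" + out
    if out.endswith(" "):
        out = out[:-1] + "\\ "
    return out


def search_namespace_in_entry(uid: str, namespace: str, service: str) -> Tuple[str, str]:
    """Layout 1: every account entry carries a 'namespace' attribute (assumed)."""
    base = "ou=People,dc=org"
    filt = "(&(uid=%s)(namespace=%s)(authorizedService=%s))" % (
        escape_filter_value(uid), escape_filter_value(namespace), escape_filter_value(service))
    return base, filt


def search_namespace_in_hierarchy(uid: str, namespace: str, service: str) -> Tuple[str, str]:
    """Layout 2: one ou=People subtree per namespace; the namespace picks the base."""
    base = "ou=People,namespace=%s,dc=org" % escape_dn_value(namespace)
    filt = "(&(uid=%s)(authorizedService=%s))" % (escape_filter_value(uid), escape_filter_value(service))
    return base, filt


# Toy server: subtree search supporting only (&(attr=value)...) filters.
_ASSERTION = re.compile(r"\(([A-Za-z][A-Za-z0-9;-]*)=((?:[^()\\]|\\[0-9A-Fa-f]{2})*)\)")


def _unescape(value: str) -> str:
    return re.sub(r"\\([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), value)


def run_search(directory: List[Entry], base: str, filt: str) -> List[str]:
    """Return DNs at or below 'base' matching the filter.  A bare '*' value is a
    presence test, as on a real server; an escaped '\\2a' is a literal '*'."""
    if not (filt.startswith("(&") and filt.endswith(")")):
        raise ValueError("unsupported filter: " + filt)
    inner = filt[2:-1]
    pairs = _ASSERTION.findall(inner)
    if "".join("(%s=%s)" % p for p in pairs) != inner:
        raise ValueError("unsupported filter: " + filt)
    base_l = base.lower()
    hits = []
    for dn, attrs in directory:
        if not (dn.lower() == base_l or dn.lower().endswith("," + base_l)):
            continue  # outside the search base
        ok = True
        for attr, raw in pairs:
            have = attrs.get(attr.lower())
            ok = have is not None if raw == "*" else (have is not None and have.lower() == _unescape(raw).lower())
            if not ok:
                break
        if ok:
            hits.append(dn)
    return hits


def _entry(dn: str, **attrs: str) -> Entry:
    return dn, {k.lower(): v for k, v in attrs.items()}


# Constructed data: two accounts called 'john' in different namespaces.
DIRECTORY_FLAT = [
    _entry("authorizedService=imap,uid=john+namespace=x.y.com,ou=People,dc=org",
           uid="john", namespace="x.y.com", authorizedService="imap"),
    _entry("authorizedService=smtp,uid=john+namespace=x.y.com,ou=People,dc=org",
           uid="john", namespace="x.y.com", authorizedService="smtp"),
    _entry("authorizedService=imap,uid=john+namespace=z.example,ou=People,dc=org",
           uid="john", namespace="z.example", authorizedService="imap"),
]
DIRECTORY_TREE = [
    _entry("authorizedService=imap,uid=john,ou=People,namespace=x.y.com,dc=org", uid="john", authorizedService="imap"),
    _entry("authorizedService=smtp,uid=john,ou=People,namespace=x.y.com,dc=org", uid="john", authorizedService="smtp"),
    _entry("authorizedService=imap,uid=john,ou=People,namespace=z.example,dc=org", uid="john", authorizedService="imap"),
]


def lookup_flat(uid: str, namespace: str, service: str) -> List[str]:
    return run_search(DIRECTORY_FLAT, *search_namespace_in_entry(uid, namespace, service))


def lookup_tree(uid: str, namespace: str, service: str) -> List[str]:
    return run_search(DIRECTORY_TREE, *search_namespace_in_hierarchy(uid, namespace, service))


if __name__ == "__main__":
    print(lookup_flat("john", "x.y.com", "imap"))     # exactly one DN
    print(lookup_tree("john", "z.example", "imap"))   # exactly one DN
    print(lookup_flat("*", "x.y.com", "imap"))        # []: the '*' was escaped
    print(run_search(DIRECTORY_FLAT, "ou=People,dc=org", "(&(uid=*)(namespace=x.y.com))"))  # unescaped: 2
```

Note that the two layouts put the caller-controlled namespace in different places: in the filter for the flat layout, in the base DN for the hierarchy layout, and the two escaping rules are not interchangeable. In practice the namespace usually comes from the mail domain the server is handling rather than from the user, but escaping it anyway costs nothing.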
