Re: LDAP Per domain
- From: "Canuck57" <dave-no-spam@xxxxxxxxxxxx>
- Date: Fri, 10 Nov 2006 01:46:29 GMT
"Kuon" <kuon@xxxxxxxxxx> wrote in message
news:bb469$45538205$d9903206$27880@xxxxxxxxxxxxxxxxxx
> Hello,
> I currently have a server cluster configured to use ldap for auth.
> Everything is working well.
> Except that we want to allow multiple domain auth on our cluster.
> We have an ldap schema like this:
> uid=userA,ou=People,ou=companyA,ou=People,dc=mycompany,dc=com
> Solaris is configured with base as ou=People,dc=mycompany,dc=com and scope
> sub.
> As long as the uid is unique across all domains (companyA in the above
> example), everything will be working fine. But we want to allow users in
> different domains to have the same uid (not speaking of the solaris uid
> (numeric one), which can easily be unique).
> The ideal solution would be to have a login like userA-companyA.com, but
> how could I map this to uid=userA,ou=People,ou=companyA on my ldap server?
> Regards
> --
> Kuon
> CEO - Goyman.com SA
> http://www.goyman.com/
> "Computers should not stop working when the users' brain does."
There is a solution to your problem but it does involve giving everyone a
unique ID. If two userA exist, or two with the same uidNumber attribute
exist then you have a big security issue. You likely don't want to deal
with that issue.
Thus you have to give unique text and uidNumbers to everyone.
The following:
1) Change your ldapclient search scope to cover all users in the
directory.
2) Create a custom attribute, let's call it uidPosix.
3) Populate all uidPosix attributes with unique text IDs, like
"unixPosix=userA-companyA"
4) Make sure these same users have posixAccount and shadowAccount
information, with unique numbers in uidNumber
5) Change the client's attribute map to something like: "attribute:
passwd:uid=posixUser". To do this see "man ldapclient".
6) Let the users know they have to logon with the company name at the end
of their ID.
A note about 3 above: while it should work, it is customary to keep them to 8
or less. Some programs could have problems with more than 8. So, as always,
it does not work until tested.
In a nutshell this works as you don't have to use the LDAP uid as the UNIX
UID. Step 5 is the secret sauce.
Dave
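As an added example (not code from either poster), the check a practitioner would run before flipping the client's passwd uid map per step 5: walk the whole search base and confirm the new text IDs and uidNumbers are unique, and flag IDs longer than the 8-character limit Dave mentions. The attribute name uidPosix and the LDIF entries are assumed sample data.

```python
# Added example, not code from the thread: before switching the client's passwd
# uid map, verify that uidPosix and uidNumber are unique across the whole search
# base (the collision Dave warns about). SAMPLE_LDIF is constructed, not real data.
from collections import defaultdict

SAMPLE_LDIF = """\
dn: uid=userA,ou=People,ou=companyA,ou=People,dc=mycompany,dc=com
objectClass: posixAccount
uid: userA
uidPosix: userA-companyA
uidNumber: 10001

dn: uid=userA,ou=People,ou=companyB,ou=People,dc=mycompany,dc=com
objectClass: posixAccount
uid: userA
uidPosix: userA-companyB
uidNumber: 10002

dn: uid=userB,ou=People,ou=companyB,ou=People,dc=mycompany,dc=com
objectClass: posixAccount
uid: userB
uidPosix: userB-companyB
uidNumber: 10002
"""

def parse_ldif(text):
    """Minimal LDIF reader: one {attr: [values]} dict per blank-line-separated entry."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = defaultdict(list)
        for line in block.splitlines():
            attr, _, value = line.partition(":")
            entry[attr.strip()].append(value.strip())
        entries.append(dict(entry))
    return entries

def find_duplicates(entries, attr):
    """Values of `attr` carried by more than one entry, mapped to the DNs involved."""
    seen = defaultdict(list)
    for e in entries:
        for v in e.get(attr, []):
            seen[v].append(e["dn"][0])
    return {v: dns for v, dns in seen.items() if len(dns) > 1}

def check_tree(text, max_len=8):
    """Duplicates per attribute plus uidPosix values over the 8-char limit Dave mentions."""
    entries = parse_ldif(text)
    dups = {a: find_duplicates(entries, a) for a in ("uid", "uidPosix", "uidNumber")}
    long_ids = sorted(v for e in entries for v in e.get("uidPosix", []) if len(v) > max_len)
    return {"duplicates": dups, "over_limit": long_ids}
```

On the sample, plain uid collides across companyA and companyB (the case Kuon asked about), uidPosix is clean, and one uidNumber is shared, which is the condition that must be fixed before the map is changed.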