Andrew Findlay <andrew.find...@skills-1st.co.uk> wrote:
> > let's say I have two users with name John and I need to give each one
> > access to some service, but both of them wish the service uid=john (for
> > example, it is a common issue for an MTA serving different mail domains with
> > a different user space for each one)
>
> The first question to ask is how the application is going to tell the
> difference between the two users when someone tries to login as 'john'.
>
> If the users are j...@a.b.com and j...@x.y.org then why not use the
> full mail address as the uid?
>
yes, it is what I was thinking about too and I like the idea, though I
wanted to check how correct/right this way is

> > so what is needed to provide uniqueness of attribute `uid' for each
> > dn: authorizedService=target-service,uid=target-user,ou=People,dc=org

perhaps I need to define more accurately what I mean: the uniqueness
while *creating* the dn ...

since for dn-s

dn: authorizedService=target-service,uid=target-user1,ou=People,dc=org
dn: authorizedService=target-service,uid=target-user2,ou=People,dc=org
...
dn: authorizedService=target-service,uid=target-userN,ou=People,dc=org

I want to prevent the possibility to create the same
uid=john-whatever-format-it-is

now I can ldapadd these ldif-s successfully

---[ ldif ]------------------------------------------------------------
dn: authorizedService=xmpp.org,uid=jdoe,ou=People,dc=org
authorizedService: xmpp.org
cn: john....@xmpp.org
sn: xmpp.org
description: John Doe XMPP account at xmpp.org
uidNumber: 12345
gidNumber: 23456
homeDirectory: /nonexistent
loginShell: /sbin/nologin
objectClass: person
objectClass: posixAccount
objectClass: shadowAccount
objectClass: authorizedServiceObject
uid: john

dn: authorizedService=xmpp.org,uid=jsmith,ou=People,dc=org
authorizedService: xmpp.org
cn: john.sm...@xmpp.org
sn: xmpp.org
description: John Smith XMPP account at xmpp.org
uidNumber: 12356
gidNumber: 23456
homeDirectory: /nonexistent
loginShell: /sbin/nologin
objectClass: person
objectClass: posixAccount
objectClass: shadowAccount
objectClass: authorizedServiceObject
uid: john
---[ ldif ]------------------------------------------------------------

and ldapsearch ... "(&(uid=john)(authorizedService=xmpp.org))" outputs
both of them, so I need a way to know that uid: is not unique
while creating the dn:

so, what do I need to prevent the possibility to create the second dn:,
since it will contain the same uid value as the first one?

> If each 'john' account exists in a distinct identifiable namespace then
> you could either put the name of the namespace in the account entry or
> you could use it as part of the LDAP hierarchy. The application can
> then formulate a search that finds the correct entry in one operation.

I was thinking to use the sn: attribute, since it is a login-dedicated dn:
and there is no need for it

but all the same, my question remains open: how not to create a
non-unique uid for dn: authorizedService=target-service,uid= ?

do I have to put it into the UI for records management, or can it be done
on the server side (for example like indexes in SQL)?

-- 
Zeus V. Panchenko jid:z...@im.ibs.dn.ua
IT Dpt., I.B.S. LLC GMT+2 (EET)
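
The client-side ("UI for records management") variant of the check asked about in this message, as an added example that is not part of the original post: it parses LDIF text and reports every (uid, authorizedService) pair claimed by more than one entry before the batch is passed to ldapadd. The function names and the sample LDIF (trimmed from the entries above, plus one constructed mail.org entry) are assumptions made for illustration.

```python
import base64
from collections import defaultdict

# Constructed sample: the two xmpp.org entries from the message (attributes
# trimmed) plus a constructed mail.org entry that reuses uid=john legitimately.
SAMPLE_LDIF = """\
dn: authorizedService=xmpp.org,uid=jdoe,ou=People,dc=org
authorizedService: xmpp.org
uid: john

dn: authorizedService=xmpp.org,uid=jsmith,ou=People,dc=org
authorizedService: xmpp.org
uid: john

dn: authorizedService=mail.org,uid=jsmith,ou=People,dc=org
authorizedService: mail.org
uid: john
"""

def parse_ldif(text):
    """Return [(dn, {attr: [values]})]; attribute names are lower-cased."""
    # LDIF folds long lines as newline + one space; undo that first.
    lines = text.replace("\n ", "").splitlines()
    entries, attrs = [], defaultdict(list)
    for line in lines + [""]:               # the extra "" flushes the last entry
        if line.startswith("#"):            # comment line
            continue
        if not line.strip():                # blank line ends an entry
            if "dn" in attrs:
                entries.append((attrs["dn"][0], dict(attrs)))
            attrs = defaultdict(list)
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):           # "attr:: <base64 value>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        attrs[name.strip().lower()].append(value.strip())
    return entries

def find_duplicates(entries):
    """Map each (uid, authorizedService) pair used by >1 entry to its DNs."""
    # Assumption: both attributes are compared case-insensitively.
    seen = defaultdict(list)
    for dn, attrs in entries:
        for uid in attrs.get("uid", []):
            for svc in attrs.get("authorizedservice", []):
                seen[(uid.lower(), svc.lower())].append(dn)
    return {pair: dns for pair, dns in seen.items() if len(dns) > 1}

if __name__ == "__main__":
    print(find_duplicates(parse_ldif(SAMPLE_LDIF)))
```

This covers only the batch being loaded; entries already in the directory still have to be checked with a search such as the `(&(uid=john)(authorizedService=xmpp.org))` filter quoted above.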