Re: separate login/password for several services?

2013-09-30 Thread Andrew Findlay
On Fri, Sep 27, 2013 at 10:16:43PM +0200, Michael Ströder wrote:

> Did not follow this thread closely. But one should be aware of ITS#6825 when
> planning to use slapo-unique for a more complex setup.
> 
> unique_uri filter reaching beyond its intended target
> http://www.openldap.org/its/index.cgi?findid=6825

Good point. We started with these ACLs:

> > overlay unique
> > unique_uri ldap:///ou=People,dc=org?uid?sub?(authorizedService=SMTP)
> > unique_uri ldap:///ou=People,dc=org?uid?sub?(authorizedService=IMAP)
> > unique_uri ldap:///ou=People,dc=org?uid?sub?(authorizedService=POP3)
> > unique_uri ldap:///ou=People,dc=org?uid?sub?(authorizedService=XMPP)
> > unique_uri ldap:///ou=People,dc=org?uid?sub?(authorizedService=SSH)

so that bug will prevent modifications to the authority entries even though adds
will be processed OK. I cannot think of an easy workaround in this case :-(

Andrew
-- 
---
| From Andrew Findlay, Skills 1st Ltd |
| Consultant in large-scale systems, networks, and directory services |
| http://www.skills-1st.co.uk/+44 1628 782565 |
---



Re: separate login/password for several services?

2013-09-27 Thread Michael Ströder
Andrew Findlay wrote:
> That should already be covered by the unique overlay setup.

Did not follow this thread closely. But one should be aware of ITS#6825 when
planning to use slapo-unique for a more complex setup.

unique_uri filter reaching beyond its intended target
http://www.openldap.org/its/index.cgi?findid=6825

Ciao, Michael.






Re: separate login/password for several services?

2013-09-27 Thread Andrew Findlay
On Fri, Sep 27, 2013 at 02:25:24PM +0300, Zeus Panchenko wrote:

> do I have to create a dedicated object like:
> dn: authorizedService=YYY,uid=AAA,dc=ZZZ
> 
> before configuring the service for the user like:
> dn: uid=XXX,authorizedService=YYY,uid=AAA,dc=ZZZ
> 
> or will the second one be enough?

You have to create the branch points before you can add entries under
them. That is why I suggested the alternative where both the service
name and the uid are part of the RDN: such multi-valued RDNs are
unusual, but it might be a convenient structure in this case.

> as for the different classes ... I was trying to find it but faced the
> problem that the parent record, which contains
> objectclass: posixAccount
> objectclass: inetOrgPerson
> objectclass: organizationalPerson
> objectclass: person
> objectclass: inetLocalMailRecipient
> 
> was refusing the child creation until the child belonged to that set of
> classes :(

There must have been some other reason for the error. LDAP servers do
not normally restrict what type of entry you can create at a given
point in the DIT. The ACLs in force might restrict what you can do,
but you have control over those.

Andrew



Re: separate login/password for several services?

2013-09-27 Thread Zeus Panchenko
Andrew Findlay  wrote:
> That can be done - it is just a matter of choosing a naming structure
> that allows it.

that's simple but was not obvious to me :(

> That one won't work, as there is no way to link the individual uid and
> userPassword values. You need one LDAP entry per uid so either add
> another layer to the tree

> dn: authorizedService=xmpp.org,uid=jdoe,ou=People,dc=org
> authorizedService: xmpp.org
> 
>
> dn: uid=john,authorizedService=xmpp.org,uid=jdoe,ou=People,dc=org
> authorizedService: xmpp.org
> uid: john
> userPassword: qwerty
> 

I like it, thanks much

do I have to create a dedicated object like:
dn: authorizedService=YYY,uid=AAA,dc=ZZZ

before configuring the service for the user like:
dn: uid=XXX,authorizedService=YYY,uid=AAA,dc=ZZZ

or will the second one be enough?


> Incidentally, you seem to be misusing some fields in the person
> object:
> 
> > cn: john@xmpp.org
> > sn: xmpp.org
> 
> If you really don't want to put the real name there you should choose
> a different objectclass that does not force you to fill in those
> attributes.

it is not to say I do not want to put it, but rather that I want to have
such a possibility in case it could be demanded in the future

as for the different classes ... I was trying to find it but faced the
problem that the parent record, which contains
objectclass: posixAccount
objectclass: inetOrgPerson
objectclass: organizationalPerson
objectclass: person
objectclass: inetLocalMailRecipient

was refusing the child creation until the child belonged to that set of
classes :(

-- 
Zeus V. Panchenko   jid:z...@im.ibs.dn.ua
IT Dpt., I.B.S. LLC   GMT+2 (EET)



Re: separate login/password for several services?

2013-09-27 Thread Andrew Findlay
On Fri, Sep 27, 2013 at 01:23:54AM -2100, Zeus Panchenko wrote:

> > overlay unique
> > unique_uri ldap:///ou=People,dc=org?uid?sub?(authorizedService=SMTP)
> > unique_uri ldap:///ou=People,dc=org?uid?sub?(authorizedService=IMAP)
> > unique_uri ldap:///ou=People,dc=org?uid?sub?(authorizedService=POP3)
> > unique_uri ldap:///ou=People,dc=org?uid?sub?(authorizedService=XMPP)
> > unique_uri ldap:///ou=People,dc=org?uid?sub?(authorizedService=SSH)
> > 
> 
> this prevents each uid=X,ou=People,dc=org from having more than one
> authorizedService=Y offspring ... while the original idea is to let user
> A have several uids for service B, but to prevent other users from
> having the same uids for the corresponding service ...
> 
> what I mean are multiple uid/userPassword attributes "inside" the
> offspring, not in the `dn' of the offspring:

That can be done - it is just a matter of choosing a naming structure
that allows it.

> dn: authorizedService=xmpp.org,uid=jdoe,ou=People,dc=org
> authorizedService: xmpp.org
> uid: john
> uid: john1
> uid: johnN
> userPassword: qwerty
> userPassword: qwerty1
> userPassword: qwertyN
> cn: john@xmpp.org
> sn: xmpp.org
> description: John Doe XMPP account at xmpp.org
> uidNumber: 12345
> gidNumber: 23456
> homeDirectory: /nonexistent
> loginShell: /sbin/nologin
> objectClass: person
> objectClass: posixAccount
> objectClass: shadowAccount
> objectClass: authorizedServiceObject

That one won't work, as there is no way to link the individual uid and
userPassword values. You need one LDAP entry per uid so either add
another layer to the tree or use multi-valued RDNs. The tree version
would look like this:

dn: authorizedService=xmpp.org,uid=jdoe,ou=People,dc=org
authorizedService: xmpp.org


dn: uid=john,authorizedService=xmpp.org,uid=jdoe,ou=People,dc=org
authorizedService: xmpp.org
uid: john
userPassword: qwerty


dn: uid=john1,authorizedService=xmpp.org,uid=jdoe,ou=People,dc=org
authorizedService: xmpp.org
uid: john1
userPassword: qwerty1


dn: uid=johnN,authorizedService=xmpp.org,uid=jdoe,ou=People,dc=org
authorizedService: xmpp.org
uid: johnN
userPassword: qwertyN


The multi-valued RDNs version like this:


dn: uid=john+authorizedService=xmpp.org,uid=jdoe,ou=People,dc=org
authorizedService: xmpp.org
uid: john
userPassword: qwerty


dn: uid=john1+authorizedService=xmpp.org,uid=jdoe,ou=People,dc=org
authorizedService: xmpp.org
uid: john1
userPassword: qwerty1


dn: uid=johnN+authorizedService=xmpp.org,uid=jdoe,ou=People,dc=org
authorizedService: xmpp.org
uid: johnN
userPassword: qwertyN



> and in this case we need to prevent some other user from having
> offspring with the same uid ... to prevent for user 
> uid=johandoe,ou=People,dc=org offspring:
> 
> dn: authorizedService=xmpp.org,uid=johandoe,ou=People,dc=org
> authorizedService: xmpp.org
> uid: johan
> uid: johan1
> userPassword: qwerty
> userPassword: qwerty1
> cn: johan@xmpp.org
> sn: xmpp.org
> description: Johan Doe XMPP account at xmpp.org
> uidNumber: 12345
> gidNumber: 23456
> homeDirectory: /nonexistent
> loginShell: /sbin/nologin
> objectClass: person
> objectClass: posixAccount
> objectClass: shadowAccount
> objectClass: authorizedServiceObject
> 
> possibility to add another `uid: johnN' which is already used by 
> dn: authorizedService=xmpp.org,uid=jdoe,ou=People,dc=org

That should already be covered by the unique overlay setup.

Incidentally, you seem to be misusing some fields in the person
object:

> cn: john@xmpp.org
> sn: xmpp.org

If you really don't want to put the real name there you should choose
a different objectclass that does not force you to fill in those
attributes.

Andrew



Re: separate login/password for several services?

2013-09-26 Thread Zeus Panchenko
Andrew Findlay  wrote:
> > mmm ... won't it prevent non-uniqueness only for parent DNs? while
> > what I'm trying to ask about (I'm sorry for the muddled-up explanation
> > of what I mean) is uniqueness for the uid *in* the entry ... so, the
> > uniqueness of the attribute `uid' among all DNs containing
> > authorizedService=target-service
> 
> You could do that if you are prepared to have one config line for each
> service. Something like:
> 
> overlay unique
> unique_uri ldap:///ou=People,dc=org?uid?sub?(authorizedService=SMTP)
> unique_uri ldap:///ou=People,dc=org?uid?sub?(authorizedService=IMAP)
> unique_uri ldap:///ou=People,dc=org?uid?sub?(authorizedService=POP3)
> unique_uri ldap:///ou=People,dc=org?uid?sub?(authorizedService=XMPP)
> unique_uri ldap:///ou=People,dc=org?uid?sub?(authorizedService=SSH)
> 

this prevents each uid=X,ou=People,dc=org from having more than one
authorizedService=Y offspring ... while the original idea is to let user
A have several uids for service B, but to prevent other users from
having the same uids for the corresponding service ...

what I mean are multiple uid/userPassword attributes "inside" the
offspring, not in the `dn' of the offspring:

dn: authorizedService=xmpp.org,uid=jdoe,ou=People,dc=org
authorizedService: xmpp.org
uid: john
uid: john1
uid: johnN
userPassword: qwerty
userPassword: qwerty1
userPassword: qwertyN
cn: john@xmpp.org
sn: xmpp.org
description: John Doe XMPP account at xmpp.org
uidNumber: 12345
gidNumber: 23456
homeDirectory: /nonexistent
loginShell: /sbin/nologin
objectClass: person
objectClass: posixAccount
objectClass: shadowAccount
objectClass: authorizedServiceObject

and in this case we need to prevent some other user from having
offspring with the same uid ... to prevent for user 
uid=johandoe,ou=People,dc=org offspring:

dn: authorizedService=xmpp.org,uid=johandoe,ou=People,dc=org
authorizedService: xmpp.org
uid: johan
uid: johan1
userPassword: qwerty
userPassword: qwerty1
cn: johan@xmpp.org
sn: xmpp.org
description: Johan Doe XMPP account at xmpp.org
uidNumber: 12345
gidNumber: 23456
homeDirectory: /nonexistent
loginShell: /sbin/nologin
objectClass: person
objectClass: posixAccount
objectClass: shadowAccount
objectClass: authorizedServiceObject

possibility to add another `uid: johnN' which is already used by 
dn: authorizedService=xmpp.org,uid=jdoe,ou=People,dc=org

so, what could be the solution, please?




Re: separate login/password for several services?

2013-08-09 Thread Zeus Panchenko
Andrew Findlay  wrote:
> Do you really want every user account on every service to have a
> different username? 

to be honest, I do not want to, but in practice when I need to land some
mail domain with all of its users at my MTA, I need to decide what
to do with widely used mailboxes like admin, info, abuse etc

> (i.e. the user cannot request to be known as
> 'fred' on both the SMTP service and the IMAP service?)

technically I can provide that, but it is a headache of course, and what
I meant is the difference in more "other" protocols like smtp/pop3/imap4 -
xmpp - rdp - ftp - ssh - whatever else

> are serving.  If the same network address is used to serve all domains
> then you do indeed require the uids to be unique across domains (but
> you probably do want to let f...@x.y.com use that ID for all
> services).

yes, I do

> > mmm ... will not it prevent non-uniqueness only for parent DN-s? while
> > what I'm trying to ask (I'm sorry for muddled up explanation what I mean)
> > about is - uniqueness for the uid *in* the entry ... so, the uniqueness
> > of the attribute `uid' among all DN-s containing 
> > authorizedService=target-service
> 
> You could do that if you are prepared to have one config line for each
> service. Something like:
> 
> overlay unique
> unique_uri ldap:///ou=People,dc=org?uid?sub?(authorizedService=SMTP)
> unique_uri ldap:///ou=People,dc=org?uid?sub?(authorizedService=IMAP)
> unique_uri ldap:///ou=People,dc=org?uid?sub?(authorizedService=POP3)
> unique_uri ldap:///ou=People,dc=org?uid?sub?(authorizedService=XMPP)
> unique_uri ldap:///ou=People,dc=org?uid?sub?(authorizedService=SSH)

wow, great!  since the number of services I provide is limited, it is
not a problem to set all of them in slapd.conf

thank you much!

and finally, is it OK (strategically) that the person object becomes a
branch rather than a leaf in such a configuration?




Re: separate login/password for several services?

2013-08-09 Thread Andrew Findlay
On Fri, Aug 09, 2013 at 05:53:57PM +0300, Zeus Panchenko wrote:

> To: Andrew Findlay 

Please keep replies on the list so that they become searchable
and everyone can benefit.

> here is the diagram depicting what I am thinking about while talking :)
> 
> https://www.dropbox.com/s/212kdpbiug9obkc/org-ldap-diagram-plane.png

> I dedicate these DNs to services, so each such DN *can and is supposed
> to* use any (in theory) uid in the entry that the user can ask for

Do you really want every user account on every service to have a
different username? (i.e. the user cannot request to be known as
'fred' on both the SMTP service and the IMAP service?)

> in particular, I do not see another way to authenticate users of
> different domains(for email)/realms(for xmpp) against the same LDAP DB

That depends on how you provide the services. If the network address
of the services used by domain-A users is different from that used by
domain-B users then the server processes will know which domain they
are serving.  If the same network address is used to serve all domains
then you do indeed require the uids to be unique across domains (but
you probably do want to let f...@x.y.com use that ID for all
services).

> > It may be enough for you to simply prevent the non-uniqueness. You can
> > do that using the 'unique' overlay:
> 
> mmm ... won't it prevent non-uniqueness only for parent DNs? while
> what I'm trying to ask about (I'm sorry for the muddled-up explanation
> of what I mean) is uniqueness for the uid *in* the entry ... so, the
> uniqueness of the attribute `uid' among all DNs containing
> authorizedService=target-service

You could do that if you are prepared to have one config line for each
service. Something like:

overlay unique
unique_uri ldap:///ou=People,dc=org?uid?sub?(authorizedService=SMTP)
unique_uri ldap:///ou=People,dc=org?uid?sub?(authorizedService=IMAP)
unique_uri ldap:///ou=People,dc=org?uid?sub?(authorizedService=POP3)
unique_uri ldap:///ou=People,dc=org?uid?sub?(authorizedService=XMPP)
unique_uri ldap:///ou=People,dc=org?uid?sub?(authorizedService=SSH)

Andrew



Re: separate login/password for several services?

2013-08-09 Thread Zeus Panchenko
Andrew Findlay  wrote:
> > now I can ldapadd these LDIFs successfully
> > ---[ ldif ]
> > dn: authorizedService=xmpp.org,uid=jdoe,ou=People,dc=org
> > authorizedService: xmpp.org
> > ...
> > uid: john
> > 
> > dn: authorizedService=xmpp.org,uid=jsmith,ou=People,dc=org
> > authorizedService: xmpp.org
> > ...
> > uid: john
> > ---[ ldif ]
> 
> Both those entries have one uid in the entry and a different one in
> the DN. The one in the DN refers to the parent entry in each case so
> it is legal but maybe not what you want.

no, it is, indeed 

I dedicate these DNs to services, so each such DN *can and is supposed
to* use any (in theory) uid in the entry that the user can ask for

in particular, I do not see another way to authenticate users of
different domains(for email)/realms(for xmpp) against the same LDAP DB

> 
> It may be enough for you to simply prevent the non-uniqueness. You can
> do that using the 'unique' overlay:
> 

mmm ... won't it prevent non-uniqueness only for parent DNs? while
what I'm trying to ask about (I'm sorry for the muddled-up explanation
of what I mean) is uniqueness for the uid *in* the entry ... so, the
uniqueness of the attribute `uid' among all DNs containing
authorizedService=target-service

something like:

dn: authorizedService=target-service,uid=target-service_ALLOWED-USER,ou=People,dc=org
authorizedService: target-service
uid: UNIQUE-AMONG-ALL_target-service_USERS-VALUE





Re: separate login/password for several services?

2013-08-09 Thread Dmitriy Kirhlarov

Just crazy idea...

several attributes for user passwords (userPassword1, userPassword2,
...) in the user account and a proxy-mapping overlay (slapo-translucent?
slapo-rwm?) mapping the attribute userPassword onto userPassword1 or
userPassword2 depending on the service IP.


WBR

On 09.08.2013 17:17, Zeus Panchenko wrote:






Re: separate login/password for several services?

2013-08-09 Thread Andrew Findlay
On Fri, Aug 09, 2013 at 04:17:02PM +0300, Zeus Panchenko wrote:

> the uniqueness while *creating* the dn ... since for dn-s
> 
> dn: authorizedService=target-service,uid=target-user1,ou=People,dc=org
> dn: authorizedService=target-service,uid=target-user2,ou=People,dc=org
> ...
> dn: authorizedService=target-service,uid=target-userN,ou=People,dc=org
> 
> I want to prevent the possibility of creating the same
> uid=john-whatever-format-it-is 

If you always put the uid in the DN using the structure shown above
then it will not be possible to create duplicates. That assumes that
you use the same uid in all the subentries of the main user entry...

> now I can ldapadd these LDIFs successfully
> ---[ ldif ]
> dn: authorizedService=xmpp.org,uid=jdoe,ou=People,dc=org
> authorizedService: xmpp.org
> cn: john@xmpp.org
> sn: xmpp.org
> description: John Doe XMPP account at xmpp.org
> uidNumber: 12345
> gidNumber: 23456
> homeDirectory: /nonexistent
> loginShell: /sbin/nologin
> objectClass: person
> objectClass: posixAccount
> objectClass: shadowAccount
> objectClass: authorizedServiceObject
> uid: john
> 
> dn: authorizedService=xmpp.org,uid=jsmith,ou=People,dc=org
> authorizedService: xmpp.org
> cn: john.sm...@xmpp.org
> sn: xmpp.org
> description: John Smith XMPP account at xmpp.org
> uidNumber: 12356
> gidNumber: 23456
> homeDirectory: /nonexistent
> loginShell: /sbin/nologin
> objectClass: person
> objectClass: posixAccount
> objectClass: shadowAccount
> objectClass: authorizedServiceObject
> uid: john
> ---[ ldif ]

Both those entries have one uid in the entry and a different one in
the DN. The one in the DN refers to the parent entry in each case so
it is legal but maybe not what you want.

It may be enough for you to simply prevent the non-uniqueness. You can
do that using the 'unique' overlay:

overlay unique
unique_uri ldap:///ou=People,dc=org?uid?sub

Unfortunately this creates another problem: *every entry* must have a
different uid - probably not what you want...

It would be possible to write an access-control list using sets to
require that the two uids match. This is not quite as simple as there
are various cases to consider. Again it may be too restrictive, as
then every sub-entry would have to have the same uid as the main entry
(though the passwords could still be different).

> > If each 'john' account exists in a distinct identifiable namespace then
> > you could either put the name of the namespace in the account entry or
> > you could use it as part of the LDAP hierarchy. The application can
> > then formulate a search that finds the correct entry in one operation.
> 
> I was thinking of using the sn: attribute since it is a login-dedicated
> dn: and there is no need for it

The data you are putting there is clearly *not* a surname. Don't
misuse attributes like this - it will cause trouble later. A more
appropriate attribute might be associatedDomain - you will need to add
the objectclass 'domainRelatedObject' as well.

Andrew



Re: separate login/password for several services?

2013-08-09 Thread Zeus Panchenko
Andrew Findlay  wrote:
> > let's say I have two users named John and I need to give each one
> > access to some service, but both of them want the service uid=john (for
> > example, it is a common issue for an MTA serving different mail domains
> > with a different user space for each one)
> 
> The first question to ask is how the application is going to tell the
> difference between the two users when someone tries to login as 'john'.
> 
> If the users are j...@a.b.com and j...@x.y.org then why not use the
> full mail address as the uid?
> 

yes, it is what I thought about too, and I like the idea, though
I wanted to check how correct/right this way is

> > so what is needed to provide uniqueness of attribute `uid' for each 
> > dn: authorizedService=target-service,uid=target-user,ou=People,dc=org

perhaps I need to define more accurately what I mean:

the uniqueness while *creating* the dn ... since for dn-s

dn: authorizedService=target-service,uid=target-user1,ou=People,dc=org
dn: authorizedService=target-service,uid=target-user2,ou=People,dc=org
...
dn: authorizedService=target-service,uid=target-userN,ou=People,dc=org

I want to prevent the possibility of creating the same
uid=john-whatever-format-it-is

now I can ldapadd these LDIFs successfully
---[ ldif ]
dn: authorizedService=xmpp.org,uid=jdoe,ou=People,dc=org
authorizedService: xmpp.org
cn: john@xmpp.org
sn: xmpp.org
description: John Doe XMPP account at xmpp.org
uidNumber: 12345
gidNumber: 23456
homeDirectory: /nonexistent
loginShell: /sbin/nologin
objectClass: person
objectClass: posixAccount
objectClass: shadowAccount
objectClass: authorizedServiceObject
uid: john

dn: authorizedService=xmpp.org,uid=jsmith,ou=People,dc=org
authorizedService: xmpp.org
cn: john.sm...@xmpp.org
sn: xmpp.org
description: John Smith XMPP account at xmpp.org
uidNumber: 12356
gidNumber: 23456
homeDirectory: /nonexistent
loginShell: /sbin/nologin
objectClass: person
objectClass: posixAccount
objectClass: shadowAccount
objectClass: authorizedServiceObject
uid: john
---[ ldif ]

and 

ldapsearch ... "(&(uid=john)(authorizedService=xmpp.org))"

outputs both of them, so I need a way to know that uid: is not
unique while creating the dn:

so, what do I need to prevent the possibility of creating the second dn:,
since it will contain the same uid value as the first one?

> If each 'john' account exists in a distinct identifiable namespace then
> you could either put the name of the namespace in the account entry or
> you could use it as part of the LDAP hierarchy. The application can
> then formulate a search that finds the correct entry in one operation.

I was thinking of using the sn: attribute since it is a login-dedicated
dn: and there is no need for it

but all the same, my question remains open: how not to create a
non-unique uid for dn: authorizedService=target-service,uid= ?

do I have to put it into the UI for records management, or can it be
done on the server side (for example, like indexes in SQL)?




Re: separate login/password for several services?

2013-08-09 Thread Andrew Findlay
On Fri, Aug 09, 2013 at 01:20:55PM +0300, Zeus Panchenko wrote:

> is there a way to avoid target service uid clashing in this case?
> 
> let's say I have two users named John and I need to give each one
> access to some service, but both of them want the service uid=john (for
> example, it is a common issue for an MTA serving different mail domains
> with a different user space for each one)

The first question to ask is how the application is going to tell the
difference between the two users when someone tries to login as 'john'.

If the users are j...@a.b.com and j...@x.y.org then why not use the
full mail address as the uid?

> so what is needed to provide uniqueness of attribute `uid' for each 
> 
> dn: authorizedService=target-service,uid=target-user,ou=People,dc=org

If each 'john' account exists in a distinct identifiable namespace then
you could either put the name of the namespace in the account entry or
you could use it as part of the LDAP hierarchy. The application can
then formulate a search that finds the correct entry in one operation.

Namespace in account:

Search base: ou=People,dc=org
Search filter: 
"(&(uid=target-user)(namespace=x.y.com)(authorizedService=target-service))"

Namespace in hierarchy:

Search base: ou=People,namespace=x.y.com,dc=org
Search filter: "(&(uid=target-user)(authorizedService=target-service))"

[ 'namespace' is used as an example here. There is no such attribute
type in the standard schema ]

Andrew



Re: separate login/password for several services?

2013-08-09 Thread Zeus Panchenko
Andrew Findlay  wrote:
> ...
> You would end up creating two new attributes for each service type,
> and OpenLDAP would still not check the passwords for you in a useful way.
> 
> Better method: Create a sub-entry below the user entry for each service.
> The service-specific entry can use the standard 'uid' and 'userPassword'
> attributes, and you just need to make sure that each service includes the
> authorizedService attribute when searching for the entry to authenticate.
> ...

is there a way to avoid target service uid clashing in this case?

let's say I have two users named John and I need to give each one
access to some service, but both of them want the service uid=john (for
example, it is a common issue for an MTA serving different mail domains
with a different user space for each one)

so what is needed to provide uniqueness of attribute `uid' for each 

dn: authorizedService=target-service,uid=target-user,ou=People,dc=org


is it possible to do that inside OpenLDAP, or does it have to be performed
via something like analyzing the output of

ldapsearch ... "(&(uid=target-user)(authorizedService=target-service))" dn 




Re: separate login/password for several services?

2013-08-06 Thread Zeus Panchenko
Andrew Findlay  wrote:
> Better method: Create a sub-entry below the user entry for each service.
> ...
> Something like this:
> 
> dn: uid=target-user,ou=People,dc=ibs
> ...
> Your SMTP server would issue searches of the form:
>   (&(uid=USERNAME)(authorizedService=smtp))

thank you very much

it does just what I was thinking about in my initial post!




Re: separate login/password for several services?

2013-08-03 Thread Michael Ströder
Andrew Findlay wrote:
> On Thu, Aug 01, 2013 at 10:41:25AM +0300, Zeus Panchenko wrote:
> 
>> I need to set separate credentials for each service I provide
>> (optionally) to my users
> 
> That seems perverse - most of us work hard to *reduce* the number of
> different usernames and passwords that each person has to use!

The one-account-for-everything approach is not suitable for all security policies.

Especially when Android smartphones store clear-text (WLAN) passwords into
Google cloud...

Ciao, Michael.





Re: separate login/password for several services?

2013-08-02 Thread Andrew Findlay
On Thu, Aug 01, 2013 at 10:41:25AM +0300, Zeus Panchenko wrote:

> I need to set separate credentials for each service I provide
> (optionally) to my users

That seems perverse - most of us work hard to *reduce* the number of
different usernames and passwords that each person has to use!

> I think of something like this:
> 
> dn: uid=target-user,ou=People,dc=ibs
> userPassword: **
> ...
> authorizedService: xmpp
> authorizedService: smtp
> authorizedService: pop
> authorizedService: imap
> authorizedService: mail
> ...
> loginSMTP: mail-send-login
> passwSMTP: xxx
> loginPOP3: mail-get-login
> passwPOP3: yyy
> ...
> loginXMPP: login-xmpp
> passwXMPP: zzz

You would end up creating two new attributes for each service type,
and OpenLDAP would still not check the passwords for you in a useful way.

Better method: Create a sub-entry below the user entry for each service.
The service-specific entry can use the standard 'uid' and 'userPassword'
attributes, and you just need to make sure that each service includes the
authorizedService attribute when searching for the entry to authenticate.
Something like this:

dn: uid=target-user,ou=People,dc=ibs
uid: target-user
cn:
sn:

dn: authorizedService=smtp,uid=target-user,ou=People,dc=ibs
authorizedService: smtp
uid: mail-send-login
userPassword: **

dn: authorizedService=pop3,uid=target-user,ou=People,dc=ibs
authorizedService: pop3
uid: mail-get-login
userPassword: **

Your SMTP server would issue searches of the form:

(&(uid=USERNAME)(authorizedService=smtp))

Your POP3 server would issue searches of the form:

(&(uid=USERNAME)(authorizedService=pop3))

Andrew
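The layout Andrew describes above (one sub-entry per service, found with (&(uid=USERNAME)(authorizedService=...))), together with the per-service unique_uri rules and the two naming styles from his later replies in this thread, exercised offline on a constructed directory. This is an added example, not code from the thread or from OpenLDAP; the LDIF sample, the {SSHA}placeholder-hash values and the helper names are constructed for it, and the parser ignores DN escaping, base64 values and folded lines.

```python
"""Offline check of the per-service account layout from this thread.

Constructed sample, not data from the list: sub-entries in both naming
styles from the thread (extra tree level and multi-valued RDN), plus a
deliberate uid clash for the XMPP service. Schema attributes are omitted
and password values are placeholders; helper names are hypothetical."""
from collections import defaultdict

SAMPLE_LDIF = """\
dn: uid=jdoe,ou=People,dc=org
uid: jdoe

dn: authorizedService=smtp,uid=jdoe,ou=People,dc=org
authorizedService: smtp
uid: john
userPassword: {SSHA}placeholder-hash

dn: authorizedService=xmpp.org,uid=jdoe,ou=People,dc=org
authorizedService: xmpp.org

dn: uid=john,authorizedService=xmpp.org,uid=jdoe,ou=People,dc=org
authorizedService: xmpp.org
uid: john
userPassword: {SSHA}placeholder-hash

dn: uid=john1+authorizedService=xmpp.org,uid=jdoe,ou=People,dc=org
authorizedService: xmpp.org
uid: john1
userPassword: {SSHA}placeholder-hash

dn: authorizedService=xmpp.org,uid=jsmith,ou=People,dc=org
authorizedService: xmpp.org
uid: john
userPassword: {SSHA}placeholder-hash
"""
BASE = "ou=People,dc=org"
SERVICES = ["smtp", "imap", "pop3", "xmpp.org"]

def parse_ldif(text):
    """Minimal LDIF reader -> {dn: {attr: [values]}}; no base64 or folded lines."""
    entries, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            current = None
            continue
        attr, _, value = line.partition(":")
        if attr == "dn":
            current = defaultdict(list)
            entries[value.strip()] = current
        elif current is not None:
            current[attr].append(value.strip())
    return entries

def rdn_attrs(dn):
    """Attribute/value pairs of the leftmost RDN; '+' joins a multi-valued RDN
    such as uid=john1+authorizedService=xmpp.org. Assumes no escaped ',' or '+'."""
    return dict(part.split("=", 1) for part in dn.split(",", 1)[0].split("+"))

def rdn_consistent(dn, entry):
    """LDAP requires every RDN attribute value to be present in the entry."""
    return all(v in entry.get(a, []) for a, v in rdn_attrs(dn).items())

def in_subtree(dn, base=BASE):
    return dn.lower() == base.lower() or dn.lower().endswith("," + base.lower())

def equality_filter(entry, **terms):
    """AND of equality assertions, e.g. (&(uid=john)(authorizedService=smtp)),
    matched case-insensitively as caseIgnoreMatch would for these attributes."""
    low = {a.lower(): [v.lower() for v in vals] for a, vals in entry.items()}
    return all(t.lower() in low.get(a.lower(), []) for a, t in terms.items())

def uid_clashes(entries, service):
    """Emulates unique_uri ldap:///ou=People,dc=org?uid?sub?(authorizedService=SERVICE):
    returns {uid: [dns]} for every uid value held by more than one matching entry."""
    holders = defaultdict(list)
    for dn, entry in entries.items():
        if in_subtree(dn) and equality_filter(entry, authorizedService=service):
            for uid in entry.get("uid", []):
                holders[uid.lower()].append(dn)
    return {uid: dns for uid, dns in holders.items() if len(dns) > 1}

def lookup_login(entries, service, username):
    """The search a service should issue: (&(uid=USERNAME)(authorizedService=SERVICE)).
    Anything other than exactly one result is unsafe to authenticate against."""
    return [dn for dn, e in entries.items()
            if in_subtree(dn) and equality_filter(e, uid=username, authorizedService=service)]

if __name__ == "__main__":
    directory = parse_ldif(SAMPLE_LDIF)
    for svc in SERVICES:
        for uid, dns in uid_clashes(directory, svc).items():
            print(f"[{svc}] uid={uid} is held by {len(dns)} entries: {dns}")
    print("smtp login 'john' ->", lookup_login(directory, "smtp", "john"))
    print("xmpp login 'john' ->", lookup_login(directory, "xmpp.org", "john"))
```

uid_clashes reports what a per-service unique_uri would refuse, and lookup_login shows the XMPP search for 'john' matching two entries once the clash is present, while the SMTP search for the same username stays unambiguous.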



Re: separate login/password for several services?

2013-08-01 Thread Dan White

On 08/01/13 10:41 +0300, Zeus Panchenko wrote:



This has been discussed on the list at least a couple of times. Search the
archives for keywords 'authorization' 'pam' 'radius'.

--
Dan White



separate login/password for several services?

2013-08-01 Thread Zeus Panchenko
hi all,

please, may somebody advise

I need to set separate credentials for each service I provide
(optionally) to my users

I think of something like this:

dn: uid=target-user,ou=People,dc=ibs
userPassword: **
...
authorizedService: xmpp
authorizedService: smtp
authorizedService: pop
authorizedService: imap
authorizedService: mail
...
loginSMTP: mail-send-login
passwSMTP: xxx
loginPOP3: mail-get-login
passwPOP3: yyy
...
loginXMPP: login-xmpp
passwXMPP: zzz




can I achieve it? from which side to approach the issue?
