[Infrastructures] authentication of groups of users
Matt S Trout
infrastructures@trout.me.uk
Tue, 3 May 2005 08:46:53 +0100
On Tue, May 03, 2005 at 08:53:26AM +0200, Nils Ketelsen wrote:
> Joel Huddleston wrote:
>
> >>But what with using LDAP as directory server and authentication
> >>server? What can you do to accomplish the same effect?
> >
> > LDAP (and even Hesiod and NIS+) is a hierarchical system, that is, tree
> > structured. It is possible to store your users into structural groups and
> > select which hosts use which groups in order to limit access. It is my
>
> But if I had a user who needs access to two applications I would have to
> keep his data in two places (because he is in two ous). Tree structures
> suck, but as LDAP is what most systems are able to do, I am currently
> trying a different design, where under the user-object there is a set of
> account-objects containing username/userpassword and whatever else the
> application in question requires as information for this user.
>
> The bind-dn used by the application only has the right to see accounts
> that it needs. Anonymous users can not see any account information at all.
What about simply having a multiple-value attribute called 'accessGroup' or
similar, and changing the search expression for whatever you use to talk
to LDAP to be (&(uid=%u)(accessGroup=thisServer))? Should be easy enough to
do differently on different machines by generating appropriate config files.
> Well, that's the idea; the problem is currently to implement it ... It's
> always the simple things that make it hard. Has anyone here ever
> installed a Tivoli Directory Server on AIX? I am completely lost at the
> moment, as the files the installation guide refers to do not even
> exist in the tarball...
Directory servers are always a pain to install IME. OpenLDAP is the least
of a pain, but also less powerful - however it's certainly good enough to
prototype stuff with in the meantime.
--
Matt S Trout              Brag sheet: http://trout.me.uk/services.html
LAMP, Infrastructure      Contact: services@trout.me.uk
and Automation
specialist                Do it once. Do it right.
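The filter approach Matt proposes, worked through as an added example (it is not code from the thread or from any of the products mentioned). It builds (&(uid=%u)(accessGroup=thisServer)) with the username escaped per RFC 4515, then evaluates the filter against a small constructed in-memory directory so the per-host effect is visible without a running LDAP server. The attribute name accessGroup, the server group names webmail and wiki, and the sample users are assumptions for illustration; a real deployment would send the same filter string to the directory server instead of the local matcher below.

```python
"""Per-host access control with a multi-valued 'accessGroup' attribute.

Added example, not from the original mailing-list thread. The directory
below is constructed; attribute and group names are assumptions.
"""

# Constructed sample directory: one dict per entry, attribute -> list of values.
# LDAP attribute names are case-insensitive, so keys are normalised to lowercase.
DIRECTORY = [
    {"dn": "uid=alice,ou=people,dc=example,dc=org",
     "uid": ["alice"], "accessgroup": ["webmail", "wiki"]},
    {"dn": "uid=bob,ou=people,dc=example,dc=org",
     "uid": ["bob"], "accessgroup": ["wiki"]},
    {"dn": "uid=carol,ou=people,dc=example,dc=org",
     "uid": ["carol"], "accessgroup": []},          # no application access at all
]

# RFC 4515 section 3: these characters must be escaped inside an assertion
# value so that data copied from a login form cannot change the filter's shape.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_access_filter(username: str, server_group: str) -> str:
    """The filter from the thread, with %u replaced by the escaped username."""
    return (f"(&(uid={escape_filter_value(username)})"
            f"(accessGroup={escape_filter_value(server_group)}))")


def _unescape(value: str) -> str:
    """Reverse RFC 4515 escaping (\\XX hex pairs) when evaluating a filter."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 2 < len(value):
            out.append(chr(int(value[i + 1:i + 3], 16)))
            i += 3
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def parse_filter(text: str):
    """Parse the RFC 4515 subset used here: AND, OR, NOT and equality matches.
    Returns a tuple tree such as ('&', [('=', 'uid', 'alice'), ...])."""
    node, pos = _parse(text, 0)
    if pos != len(text):
        raise ValueError("trailing data after filter")
    return node


def _parse(text, pos):
    if text[pos] != "(":
        raise ValueError(f"expected '(' at offset {pos}")
    pos += 1
    op = text[pos]
    if op in "&|!":
        pos += 1
        children = []
        while text[pos] == "(":
            child, pos = _parse(text, pos)
            children.append(child)
        if text[pos] != ")":
            raise ValueError(f"expected ')' at offset {pos}")
        return (op, children), pos + 1
    # Values are escaped, so the next ')' terminates this simple item.
    end = text.index(")", pos)
    attr, sep, value = text[pos:end].partition("=")
    if not sep:
        raise ValueError("only equality matches are supported")
    return ("=", attr.lower(), _unescape(value)), end + 1


def matches(node, entry) -> bool:
    """Evaluate a parsed filter against one entry (case-insensitive compare,
    which is how uid and similar caseIgnoreMatch attributes behave)."""
    op = node[0]
    if op == "=":
        _, attr, value = node
        return any(v.lower() == value.lower() for v in entry.get(attr, []))
    children = node[1]
    if op == "&":
        return all(matches(c, entry) for c in children)
    if op == "|":
        return any(matches(c, entry) for c in children)
    return not matches(children[0], entry)   # '!'


def search(directory, filter_text):
    tree = parse_filter(filter_text)
    return [e["dn"] for e in directory if matches(tree, e)]


def can_log_in(directory, username: str, server_group: str) -> bool:
    """True only if the user exists AND carries this host's accessGroup value."""
    return bool(search(directory, build_access_filter(username, server_group)))


if __name__ == "__main__":
    for user in ("alice", "bob", "carol"):
        for host in ("webmail", "wiki"):
            verdict = "allowed" if can_log_in(DIRECTORY, user, host) else "denied"
            print(f"{user:6} on {host:8}: {verdict}")
    # A login name containing filter metacharacters is escaped, not interpreted.
    print(build_access_filter("smith (contractor)", "wiki"))
```

Generating the per-machine configuration then reduces to substituting the host's own group name into the second term of the filter; the user's data lives in one entry, and adding or removing an accessGroup value grants or revokes access to that application without touching the rest of the tree.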