Suborganizations and Unique id
30-06-2021
Question
I can successfully authenticate my application with ApacheDS.
But now I use only one domain.
I want to add subdomains or sub-organizations under the root domain.
For example, a root organization as
dc=example,dc=com
and sub-organizations dc=x
another sub-organization dc=y
Now I can authenticate users using the uid attribute
like:
user-search-filter="(uid={0})"
I use a login name like user1, without an @ extension.
But I want to have sub-organizations, and I want to use user1@x.example.com
Is it possible, and how?
My application is a Spring application, but I think the subject is independent of my application side.
Solution
The attribute defined in the LDAP standards track for email addresses is `mail`, `rfc822mailbox`, or `0.9.2342.19200300.100.1.3`, as defined in RFC 4524. Perhaps your filter should be an attribute assertion using one of those types, for example, `user-search-filter="mail={0}"`.
I am not sure what is meant by "manually". LDAP does not have a concept of organizations, only entries that might belong to an organization. These entries might have a `mail` attribute if the entry belongs to an `objectClass` that allows or requires the `mail` attribute. In other words, if your filter is `mail={0}` (which might become `mail=user1@x.example.com`), then a search using that filter (given the appropriate base object and scope) will return all entries that have a `mail` attribute with the value `user1@x.example.com`, irrespective of where that user is located and irrespective of the value of the `uid` attribute.
If the users in an organization can be identified some other way, perhaps by organization or another attribute, then the filter could be:
(&(uid={0})(o=x))
or
(&(uid={0})(o=y))
One way or another, the user's entry must be identifiable by the contents of the entry. The primary key in an LDAP database is the distinguished name (`uid=abc,dc=x,dc=example,dc=com`), but attributes in the entry can be used to tighten the filter. Some alternatives are:
- use unique identifiers (all `uid` or `mail` values are unique in the database, therefore only one is ever returned to a search request)
- use an attribute to identify users in an organization (like `o` in the example filters above)
- use a dynamic group to generate a list of users in an organization
- consider using an extensible match filter to make values in the distinguished names be part of the filtering process
See also
- using ldapsearch - the article is about the `ldapsearch` command line tool, but the concepts are useful when constructing search requests
- mastering search filters