Directory Federation

From IIW

Session: Tuesday Session 5 Space C

Conference: IIW 10, May 17-19, 2009; this is the Complete Set of Notes

Convener: Michael Schwartz, Founder Gluu

Notes-taker(s): Michael Schwartz


Enable organizations to share identity information in bulk, or to allow users to query information from more than just their home organization.

LDAP was for internal organizational use

It's so annoying having to do a useradd for each host

Inter-domain: LDAP servers can't talk to each other

  • Different schemas
  • Different namespace (dc=blah, o=blah)
  • ACIs based on BIND DN
  • Can't BIND as a user from another domain's directory
  • No way to do discovery (host / port / SSL)

XRI LDAP Discovery


Information in XRD:

  • port
  • host
  • baseDN
  • Schema
  • Namespace (what OUs are present)

i-number XRIs uniquely identify leaf entries, e.g.:

  • inum=!custa.1e5d.52c4.ea30.ef39,ou=groups,dc=custa

  • inum=!custb.713f.375a.1f01.cb33,ou=devices,dc=custb

i-name XRIs: optional attribute value, e.g.:

iname: =nynymike

Sample XRD (fragment: one Service element; the ldap:schema element lists an attribute the directory exposes)

<Service priority="10">
  <Path select="true">(+ldaps)</Path>
  <ldap:schema type="string" desc="">givenName</ldap:schema>
</Service>
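As an added worked example (not from the session notes and not Gluu's code): a Python script that parses a constructed XRD advertising an LDAP endpoint into host, port, baseDN, namespaces and schema, and then maps an i-number XRI to the DN of its leaf entry, producing the same DNs as the examples above. The ldap:host, ldap:port, ldap:baseDN and ldap:namespace element names, the ldap: namespace URI, the hostname, and the i-number shape are assumptions made for this example; the notes only show the ldap:schema element and the DN examples.

```python
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# XRD 2.0 namespace from XRI Resolution 2.0. The ldap: namespace URI and the
# ldap:host/port/baseDN/namespace elements are ASSUMED for this example; the
# session notes only show an ldap:schema element.
XRD_NS = "xri://$xrd*($v*2.0)"
LDAP_NS = "urn:example:ldap-discovery"

# Constructed sample XRD for a hypothetical community "custa".
SAMPLE_XRD = f"""<?xml version="1.0"?>
<XRD xmlns="{XRD_NS}" xmlns:ldap="{LDAP_NS}">
  <Service priority="10">
    <Path select="true">(+ldaps)</Path>
    <ldap:host>ldap.custa.example</ldap:host>
    <ldap:port>636</ldap:port>
    <ldap:baseDN>dc=custa</ldap:baseDN>
    <ldap:namespace>ou=people</ldap:namespace>
    <ldap:namespace>ou=groups</ldap:namespace>
    <ldap:namespace>ou=devices</ldap:namespace>
    <ldap:schema type="string" desc="">givenName</ldap:schema>
    <ldap:schema type="string" desc="">inum</ldap:schema>
  </Service>
</XRD>
"""

HOST_RE = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?")
# i-number shape inferred from the notes' examples (!custa.1e5d.52c4.ea30.ef39):
# a community label, then dot-separated 4-hex-digit segments. Assumed.
INUM_RE = re.compile(r"!([a-z0-9]+)(?:\.[0-9a-f]{4})+")


@dataclass(frozen=True)
class LdapEndpoint:
    host: str
    port: int
    base_dn: str
    namespaces: tuple  # OUs present under base_dn
    schema: tuple      # attribute names the directory exposes


def _tag(ns, name):
    return f"{{{ns}}}{name}"


def parse_xrd(xml_text: str) -> LdapEndpoint:
    """Return the highest-priority (+ldaps) Service as an LdapEndpoint.

    The XRD is published by a foreign organization, so each field is checked,
    and services not advertised as ldaps are refused (a cleartext BIND would
    hand that organization's network the user's credentials).
    """
    root = ET.fromstring(xml_text)
    services = root.findall(_tag(XRD_NS, "Service"))
    # XRD: a lower priority number wins; a missing priority ranks last.
    services.sort(key=lambda s: int(s.get("priority", 2**31 - 1)))
    for svc in services:
        if svc.findtext(_tag(XRD_NS, "Path"), default="").strip() != "(+ldaps)":
            continue
        host = svc.findtext(_tag(LDAP_NS, "host"), default="").strip()
        if not HOST_RE.fullmatch(host):
            raise ValueError(f"invalid host in XRD: {host!r}")
        port = int(svc.findtext(_tag(LDAP_NS, "port"), default="636"))
        if not 0 < port < 65536:
            raise ValueError(f"invalid port in XRD: {port}")
        base_dn = svc.findtext(_tag(LDAP_NS, "baseDN"), default="").strip()
        if not base_dn:
            raise ValueError("XRD service has no baseDN")
        texts = lambda name: tuple(e.text.strip() for e in svc.findall(_tag(LDAP_NS, name)))
        return LdapEndpoint(host, port, base_dn, texts("namespace"), texts("schema"))
    raise ValueError("no (+ldaps) service in XRD; refusing cleartext LDAP")


def escape_dn_value(value: str) -> str:
    """Escape an attribute value for use inside a DN (RFC 4514, section 2.4)."""
    out = value.replace("\\", "\\\\")
    for ch in ',+"<>;':
        out = out.replace(ch, "\\" + ch)
    if out[:1] in ("#", " "):
        out = "\\" + out
    if out.endswith(" "):
        out = out[:-1] + "\\ "
    return out


def inum_to_dn(inum: str, ou: str, ep: LdapEndpoint) -> str:
    """Map an i-number XRI to the DN of its leaf entry in the discovered tree."""
    m = INUM_RE.fullmatch(inum)
    if not m:
        raise ValueError(f"not a well-formed i-number: {inum!r}")
    # Assumption: the community label equals the leftmost dc of the base DN
    # (dc=custa for !custa.*, as in the notes); another community's i-number
    # must not be resolved against this tree.
    community = ep.base_dn.split(",")[0].split("=", 1)[1]
    if m.group(1) != community:
        raise ValueError(f"{inum!r} is not an i-number of community {community!r}")
    if ou not in ep.namespaces:
        raise ValueError(f"{ou!r} is not a namespace advertised by this directory")
    return f"inum={escape_dn_value(inum)},{ou},{ep.base_dn}"


if __name__ == "__main__":
    ep = parse_xrd(SAMPLE_XRD)
    print(inum_to_dn("!custa.1e5d.52c4.ea30.ef39", "ou=groups", ep))
```

Running it prints inum=!custa.1e5d.52c4.ea30.ef39,ou=groups,dc=custa. The two checks worth keeping when doing this for real are the ones a remote XRD could otherwise defeat: the service must be (+ldaps), since the publisher controls where the BIND goes, and the i-number's community must match the tree it is resolved in, so a custb i-number is never turned into a DN under dc=custa. For XRDs fetched from untrusted parties, parse with defusedxml rather than xml.etree.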

New Functionality Needed For Servers:

Servers can reference entries in other directory services for ACIs, e.g.:

aci: allowREAD: @gluu*mike

aci: memberOf: @custa.PayrollAdministrators

Sample Applications
Communities or Virtual Organizations that could enable a way to publish information about people from different organizations under one virtual LDAP tree.