Directory Federation
Session: Tuesday Session 5 Space C
Conference: IIW 10 May 17-19, 2009
Convener: Michael Schwartz, Founder Gluu
Notes-taker(s): Michael Schwartz
Notes:
WHY: Enable organizations to share identity information in bulk, or to allow users to query information from more than just their home organization.
LDAP was for internal organizational use
It's so annoying having to do a useradd for each host.
However, inter-domain: LDAP servers can't talk to each other
Different schemas
Different namespace (dc=blah, o=blah)
ACIs based on BIND DN
Can't BIND a user
No way to do discovery
Host / Port / SSL
XRI LDAP Discovery
- @gluu/(+ldap)
- @gluu/(+ldaps)
Information in XRD:
- port
- host
- baseDN
- Schema
- Namespace (what ous are present)
i-number XRIs uniquely identify leaf entries
- inum=${i-number}
Examples
- inum=!gluu.d6f2.6fcd.8399.326d,ou=people,dc=gluu
- inum=!custa.1e5d.52c4.ea30.ef39,ou=groups,dc=custa
- inum=!custb.713f.375a.1f01.cb33,ou=devices,dc=custb
i-name XRIs optional attribute value
iname: =nynymike
Sample XRD
  <Service priority="10">
    <Path select="true">(+ldaps)</Path>
    <ldap:host>ldap.company.net</ldap:host>
    <ldap:port>389</ldap:port>
    <ldap:schema type="string" desc="">givenName</ldap:schema>
  </Service>
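As an added example (not from the session notes or from Gluu), a small Python resolver that picks the (+ldaps) service out of an XRD like the one above, derives the leaf DN for an i-number, and rejects i-numbers that are malformed or whose namespace does not match the discovered baseDN. The XRD sample, the ldap: namespace URI and the i-number shape (!namespace.xxxx.xxxx.xxxx.xxxx, inferred from the examples above) are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Constructed XRD (not from the session notes). XRD_NS is the XRI 2.0 XRD
# namespace; the ldap: extension namespace URI is an assumed placeholder.
XRD_NS = "xri://$xrd*($v*2.0)"
LDAP_NS = "urn:example:ldap-discovery"
SAMPLE_XRD = f"""<XRD xmlns="{XRD_NS}" xmlns:ldap="{LDAP_NS}">
  <Service priority="20"><Path select="true">(+ldap)</Path>
    <ldap:host>ldap.gluu.example</ldap:host><ldap:port>389</ldap:port>
    <ldap:baseDN>dc=gluu</ldap:baseDN></Service>
  <Service priority="10"><Path select="true">(+ldaps)</Path>
    <ldap:host>ldap.gluu.example</ldap:host><ldap:port>636</ldap:port>
    <ldap:baseDN>dc=gluu</ldap:baseDN>
    <ldap:schema type="string">givenName</ldap:schema></Service>
</XRD>"""
# i-number shape assumed from the examples above: !<namespace>.xxxx.xxxx.xxxx.xxxx
INUM_RE = re.compile(r"^!([a-z0-9]+)(?:\.[0-9a-f]{4}){4}$")

def select_service(xrd_xml, path):
    """Lowest-priority <Service> whose <Path> equals `path` (e.g. "(+ldaps)"),
    returned as a connection dict; None when the XRD offers no such service."""
    root = ET.fromstring(xrd_xml)
    chosen = None
    for svc in root.iter(f"{{{XRD_NS}}}Service"):
        if svc.findtext(f"{{{XRD_NS}}}Path", "").strip() != path:
            continue
        prio = int(svc.get("priority", "0"))
        if chosen is None or prio < chosen[0]:
            chosen = (prio, svc)
    if chosen is None:
        return None
    svc = chosen[1]
    text = lambda tag: (svc.findtext(f"{{{LDAP_NS}}}{tag}") or "").strip()
    return {"scheme": "ldaps" if path == "(+ldaps)" else "ldap", "host": text("host"),
            "port": int(text("port")), "baseDN": text("baseDN"),
            "schema": [e.text.strip() for e in svc.iter(f"{{{LDAP_NS}}}schema")]}

def inum_to_dn(inum, ou, base_dn):
    """Leaf DN for an i-number. The XRI is validated strictly and its namespace must
    equal the discovered baseDN, so a client-supplied string cannot smuggle extra
    RDNs (DN injection) or resolve into another organization's tree."""
    m = INUM_RE.match(inum)
    if not m or not re.fullmatch(r"[a-z]+", ou):
        raise ValueError(f"malformed i-number or ou: {inum!r}, {ou!r}")
    if base_dn.lower() != f"dc={m.group(1)}":
        raise ValueError(f"namespace {m.group(1)!r} does not match {base_dn!r}")
    return f"inum={inum},ou={ou},{base_dn}"
```

The namespace check is the part worth keeping in any real implementation: a discovered baseDN and an i-number that disagree about the organization is exactly the case a federated ACI should never trust.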
New Functionality Needed For Servers:
Servers can reference entries in other directory services for ACIs
aci: allowREAD: @gluu*mike
aci: memberOf: @custa.PayrollAdministrators
Sample Applications: Communities or Virtual Organizations that could enable a way to publish information about people from different organizations under one virtual LDAP tree.