Directory Federation

From IIW

Session: Tuesday Session 5 Space C

Conference: IIW 10, May 17-19, 2009. This is the Complete Set of Notes.

Convener: Michael Schwartz, Founder Gluu

Notes-taker(s): Michael Schwartz

Notes:

WHY: Enable organizations to share identity information in bulk, or to allow users to query information from more than just their home organization.




LDAP was for internal organizational use



It's so annoying having to do a useradd for each host. However, inter-domain, LDAP servers can't talk to each other:

  • Different schemas
  • Different namespace (dc=blah, o=blah)
  • ACIs based on BIND DN
  • Can't BIND a user
  • No way to do discovery: host / port / SSL




XRI LDAP Discovery

  • @gluu/(+ldap)
  • @gluu/(+ldaps)


Information in XRD:

  • port
  • host
  • baseDN
  • Schema
  • Namespace (what ous are present)





i-number XRIs uniquely identify leaf entries

  • inum=${i-number}


Examples:

  • inum=!gluu.d6f2.6fcd.8399.326d,ou=people,dc=gluu
  • inum=!custa.1e5d.52c4.ea30.ef39,ou=groups,dc=custa
  • inum=!custb.713f.375a.1f01.cb33,ou=devices,dc=custb
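As an added example (not from the session notes or Gluu's own code), a small Python helper that maps an i-number to the DN of its leaf entry and back, validating the i-number before anything is placed in a DN so a caller cannot smuggle extra RDNs in. It assumes the shape seen in the examples above: "!" followed by an organisation label (which becomes the dc) and four 4-hex-digit groups, with the ou chosen by entry type.

```python
import re

# Shape of an i-number as inferred from the examples above (an assumption,
# not a Gluu specification): "!" + organisation label + four 4-hex-digit groups.
INUM_RE = re.compile(r"^!(?P<org>[a-z0-9]+)(?:\.[0-9a-f]{4}){4}$")

# Entry types named in the examples and the ou each one lives under.
ENTRY_OUS = {"person": "people", "group": "groups", "device": "devices"}


def dn_from_inum(inum: str, entry_type: str) -> str:
    """Build the DN of a leaf entry from its i-number and entry type.

    The organisation label after "!" selects the dc and the entry type selects
    the ou, as in the examples above. A malformed i-number is rejected before
    it is embedded in the DN, so only [a-z0-9.!] ever reaches the inum RDN.
    """
    m = INUM_RE.match(inum)
    if m is None:
        raise ValueError(f"not a well-formed i-number: {inum!r}")
    if entry_type not in ENTRY_OUS:
        raise ValueError(f"unknown entry type: {entry_type!r}")
    return f"inum={inum},ou={ENTRY_OUS[entry_type]},dc={m.group('org')}"


def inum_from_dn(dn: str) -> str:
    """Recover the i-number from a DN produced by dn_from_inum.

    Splitting on the first comma is safe here only because a valid inum value
    never contains a comma or an escape sequence; the value is re-validated.
    """
    first_rdn = dn.split(",", 1)[0]
    attr, _, value = first_rdn.partition("=")
    if attr != "inum" or INUM_RE.match(value) is None:
        raise ValueError(f"DN does not start with a valid inum RDN: {dn!r}")
    return value


if __name__ == "__main__":
    print(dn_from_inum("!gluu.d6f2.6fcd.8399.326d", "person"))
```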



i-name XRIs are an optional attribute value:

iname: =nynymike




Sample XRD

<!-- the ldap: prefix must be bound to a namespace (xmlns:ldap) on the enclosing XRD for this to parse -->
<Service priority="10">
  <Path select="true">(+ldaps)</Path>
  <ldap:host>ldap.company.net</ldap:host>
  <ldap:port>389</ldap:port>
  <ldap:schema type="string" desc="">givenName</ldap:schema>
</Service>

New Functionality Needed For Servers:

Servers can reference entries in other directory services for ACIs, for example:

aci: allowREAD: @gluu*mike

aci: memberOf: @custa.PayrollAdministrators




Sample Applications: Communities or Virtual Organizations that could enable a way to publish information about people from different organizations under one virtual LDAP tree.