Directory Federation: XRI Naming and Discovery for LDAP
Tuesday – Session 5 - C
Convener: Michael Schwartz, Founder Gluu
Notes-taker(s): Michael Schwartz
A. Tags for the session - technology discussed/ideas considered:
B. Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:
WHY
Enable organizations to share identity information in bulk, or to allow users to query information from more than just their home organization.
LDAP was for internal organizational use
It's so annoying having to do a useradd for each host.
However, inter-domain, LDAP servers can't talk to each other:
Different schemas
Different namespaces (dc=blah, o=blah)
ACIs based on BIND DN
Can't BIND a user
No way to do discovery: host / port / SSL
XRI LDAP Discovery
@gluu/(+ldap)
@gluu/(+ldaps)
Information in XRD:
port
host
baseDN
Schema
Namespace (what ous are present)
i-number XRIs uniquely identify leaf entries: inum=${i-number}
Examples:
inum=!gluu.d6f2.6fcd.8399.326d,ou=people,dc=gluu
inum=!custa.1e5d.52c4.ea30.ef39,ou=groups,dc=custa
inum=!custb.713f.375a.1f01.cb33,ou=devices,dc=custb
i-name XRIs are an optional attribute value: iname: =nynymike
Sample XRD
<Service priority="10">
  <Path select="true">(+ldaps)</Path>
  <ldap:host>ldap.company.net</ldap:host>
  <ldap:port>389</ldap:port>
  <ldap:schema type="string" desc="">givenName</ldap:schema>
  . . .
</Service>
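Putting the XRD sample and the inum DN scheme together, as an added example that is not from the session or from Gluu: a client resolves the XRD for an XRI such as @gluu/(+ldaps), reads host, port, baseDN and the published schema, and builds the LDAP URL for one i-number's leaf entry. The ldap:baseDN element, the ldap: namespace URI and the XRD wrapper are assumptions, since the notes show only the Service fragment.

```python
"""Resolve the XRD behind an XRI like @gluu/(+ldaps) into an LDAP URL.
Added example; the ldap:baseDN element and the ldap: namespace URI are
assumptions not present in the session notes."""
import xml.etree.ElementTree as ET
from urllib.parse import quote

# XRD 2.0 namespace is the real one; the ldap: namespace URI is an assumption.
NS = {"xrd": "xri://$xrd*($v*2.0)", "ldap": "urn:example:xri-ldap"}

# Constructed XRD modelled on the session's sample (not taken from the page).
SAMPLE_XRD = """<XRD xmlns="xri://$xrd*($v*2.0)" xmlns:ldap="urn:example:xri-ldap">
  <Service priority="10">
    <Path select="true">(+ldaps)</Path>
    <ldap:host>ldap.company.net</ldap:host>
    <ldap:port>389</ldap:port>
    <ldap:baseDN>dc=gluu</ldap:baseDN>
    <ldap:schema type="string" desc="">givenName</ldap:schema>
    <ldap:schema type="string" desc="">mail</ldap:schema>
  </Service>
</XRD>"""


def parse_ldap_services(xrd_xml):
    """Map each service Path, e.g. '(+ldaps)', to its host/port/baseDN/schema."""
    root = ET.fromstring(xrd_xml)
    services = {}
    for svc in root.findall("xrd:Service", NS):
        path = svc.findtext("xrd:Path", default="", namespaces=NS).strip()
        services[path] = {
            "host": svc.findtext("ldap:host", namespaces=NS),
            "port": int(svc.findtext("ldap:port", default="389", namespaces=NS)),
            "baseDN": svc.findtext("ldap:baseDN", namespaces=NS),
            "schema": [s.text for s in svc.findall("ldap:schema", NS)],
        }
    return services


def ldap_url(service_path, inum, ou, services, attr=None):
    """Build the URL for an i-number's leaf entry; only attributes the XRD
    publishes in its schema may be requested."""
    svc = services[service_path]
    if attr is not None and attr not in svc["schema"]:
        raise ValueError(f"{attr} is not published in the XRD schema")
    scheme = "ldaps" if "ldaps" in service_path else "ldap"
    dn = f"inum={inum},ou={ou},{svc['baseDN']}"
    url = f"{scheme}://{svc['host']}:{svc['port']}/{quote(dn, safe='=,!')}"
    return url + (f"?{attr}" if attr else "")
```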
New Functionality Needed For Servers: servers can reference entries in other directory services in their ACIs, for example:
aci: allowREAD: @gluu*mike
aci: memberOf: @custa.PayrollAdministrators
Sample Applications
Communities or Virtual Organizations that need a way to publish information about people from different organizations under one virtual LDAP tree.