We've got openLDAP running, but a somewhat unique? situation that I'm not sure how to describe. Trying to find a better solution than what we've got.
tl;dr: How to allow:
- a FooCo system to allow uid=oracle,ou=fooco AND uid=sysadmin1,ou=us login
- a BarCo system to allow uid=oracle,ou=barco AND uid=sysadmin1,ou=us login
without duplicating uid=sysadmin1 in each fooco and barco subou:
dc=ourorg ou=fooco uid=oracle ou=barco uid=oracle ... ou=us uid=sysadmin1 uid=sysadmin2 ...
More details: We provide services (systems) for multiple separate suborganizations (FooCo and BarCo for this example), but have our own "global accounts." We're trying to run a single LDAP (see below). And, for example, each suborganization is insistent that their oracle db service account (e.g. login that runs db processes) be called "oracle" (I lost that battle). So obviously we can't use same RDN, but we can use different DNs by putting the account uid's in different subtrees (as above). However, when authenticating against base dc (say RHEL7 and AIX), how would we specifically "help" a server owned by FooCo use the FooCo subtree, and BarCo to use Barco subtree (again, using RHEL7 and AIX)? The simple answer, i.e., is we configured a FooCo server to use ou=FooCo,dc=ourdc as BASEDN. However, we have other users (a sysadmin team) who ALSO need to be able to log in (ideally, using LDAP). It doesn't make sense at all to put sysadmins in EACH subtree, either - they should have one entry somewhere.
We tried aliases/extensibleObject (a little bit), ie uid=aliassa1,ou=fooco -> uid=sysadmin1,ou=us, and while it works fine for an ldapsearch, it will not work for a authentication/login/su/etc. (but ldap.conf has "DEREF always" set).
So, any ideas for solutions given the above? A creative way to get around this issue? Thanks!!
