Directory Federation

Session: Tuesday Session 5 Space C

Conference: IIW 10, May 17-19, 2009 (Complete Set of Notes)

Convener: Michael Schwartz, Founder Gluu

Notes-taker(s): Michael Schwartz

Notes:

WHY: Enable organizations to share identity information in bulk, or to allow users to query information from more than just their home organization.

LDAP was for internal organizational use

It's so annoying having to do a useradd for each host.

However, inter-domain: LDAP servers can't talk to each other
 * Different schemas
 * Different namespace (dc=blah, o=blah)
 * ACIs based on BIND DN
 * Can't BIND a user
 * No way to do discovery
   * Host / Port / SSL

XRI LDAP Discovery
 * @gluu/(+ldap)
 * @gluu/(+ldaps)

Information in XRD:
 * port
 * host
 * baseDN
 * Schema
 * Namespace (what ous are present)

i-number XRIs uniquely identify leaf entries
 * inum=${i-number}

Examples
 * inum=!gluu.d6f2.6fcd.8399.326d,ou=people,dc=gluu
 * inum=!custa.1e5d.52c4.ea30.ef39,ou=groups,dc=custa
 * inum=!custb.713f.375a.1f01.cb33,ou=devices,dc=custb

i-name XRIs: optional attribute value

iname: =nynymike
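Putting the discovery and naming pieces above together, as an added example that is not from the session or from Gluu: a Python sketch that takes the data the notes say an XRD would carry (host, port, baseDN, ous; the dict layout and field names are assumed) and maps an i-number to its leaf DN and LDAP URL. It refuses i-numbers issued by a different authority (a convention inferred from the example DNs, where !gluu.* sits under dc=gluu and !custa.* under dc=custa) and ous the XRD does not advertise.

```python
import re
from urllib.parse import quote

# Constructed sample of the discovery data an XRD for the (+ldap)/(+ldaps)
# service would carry. Not a real XRD document; field names are assumed.
SAMPLE_XRD = {
    "authority": "@gluu",          # XRI authority that published this XRD
    "service": "(+ldaps)",         # service type from the XRI, e.g. @gluu/(+ldaps)
    "host": "ldap.company.net",
    "port": 636,
    "baseDN": "dc=gluu",
    "ous": ("people", "groups", "devices"),  # namespace: which ous exist
}

# Shape of an i-number as written in the notes: !<authority>.xxxx.xxxx.xxxx.xxxx
_INUM_RE = re.compile(r"^!([a-z0-9]+)(?:\.[0-9a-f]{4}){4}$")

def is_local_inum(xrd, inum):
    """True if the i-number was issued by the authority that published this XRD.
    Assumed convention from the notes' DNs: !gluu.* lives under dc=gluu, !custa.*
    under dc=custa; rejecting foreign i-numbers stops a caller from building a DN
    that points into the wrong directory."""
    m = _INUM_RE.match(inum)
    return bool(m) and m.group(1) == xrd["authority"].lstrip("@")

def _escape_dn_value(value):
    """Escape an attribute value for use inside a DN (RFC 4514)."""
    out = re.sub(r'([,+"\\<>;])', r"\\\1", value)
    if out.startswith(("#", " ")):
        out = "\\" + out
    if out.endswith(" "):
        out = out[:-1] + "\\ "
    return out

def inum_to_dn(xrd, inum, ou):
    """Map an i-number to the leaf DN inum=<i-number>,ou=<ou>,<baseDN>."""
    if not is_local_inum(xrd, inum):
        raise ValueError(f"{inum} is not issued by {xrd['authority']}")
    if ou not in xrd["ous"]:
        raise ValueError(f"ou={ou} is not advertised by the XRD")
    return f"inum={_escape_dn_value(inum)},ou={ou},{xrd['baseDN']}"

def ldap_url(xrd, dn):
    """Build an LDAP URL (RFC 4516) for a DN from the XRD's host, port and service."""
    scheme = {"(+ldap)": "ldap", "(+ldaps)": "ldaps"}[xrd["service"]]
    return f"{scheme}://{xrd['host']}:{xrd['port']}/{quote(dn, safe='=,!')}"

if __name__ == "__main__":
    print(ldap_url(SAMPLE_XRD, inum_to_dn(SAMPLE_XRD, "!gluu.d6f2.6fcd.8399.326d", "people")))
```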

Sample XRD: (+ldaps) ldap.company.net 389 givenName ' '

New Functionality Needed For Servers:

Servers can reference entries in other directory services for ACIs

aci: allowREAD: @gluu*mike

aci: memberOf: @custa.PayrollAdministrators

Sample Applications: Communities or Virtual Organizations that could enable a way to publish information about people from different organizations under one virtual LDAP tree.