Directory Federation: XRI Naming and Discovery for LDAP

Tuesday – Session 5 - C

Convener: Michael Schwartz, Founder, Gluu

Notes-taker(s): Michael Schwartz

A.	Tags for the session - technology discussed/ideas considered:

B.	Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:

WHY

Enable organizations to share identity information in bulk, or to allow users to query information from more than just their home organization.

LDAP was for internal organizational use. It is so annoying having to do a useradd for each host.

However, inter-domain:
- LDAP servers can't talk to each other
- Different schemas
- Different namespaces (dc=blah, o=blah)
- ACIs based on BIND DN
- Can't BIND a user
- No way to do discovery (host / port / SSL)

XRI LDAP Discovery ---
@gluu/(+ldap)
@gluu/(+ldaps)

Information in XRD:
- host
- port
- baseDN
- Schema
- Namespace (what ous are present)

i-number XRIs uniquely identify leaf entries: inum=${i-number}

Examples:
inum=!gluu.d6f2.6fcd.8399.326d,ou=people,dc=gluu
inum=!custa.1e5d.52c4.ea30.ef39,ou=groups,dc=custa
inum=!custb.713f.375a.1f01.cb33,ou=devices,dc=custb

i-name XRIs: optional attribute value, e.g. iname: =nynymike

Sample XRD -- (+ldaps) ldap.company.net 389 givenName ...
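To make the discovery step concrete, here is an added example (not code from the session or from Gluu) that parses a constructed XRD for the (+ldaps) service, builds an inum=...,ou=...,dc=... DN of the form shown in the examples above, and turns it into an LDAP URL. The <host>, <port>, <baseDN> and <ou> element names inside <Service> are assumptions for this example, as is the i-number pattern check, which rejects any value that could add extra RDNs to the DN.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import quote

XRD_NS = {"xrd": "xri://$xrd*($v*2.0)"}

# Constructed XRD for the "@gluu" authority; the <host>, <port>, <baseDN> and <ou>
# children of <Service> are element names assumed for this example.
SAMPLE_XRD = """<XRD xmlns="xri://$xrd*($v*2.0)">
  <Service>
    <Type>(+ldaps)</Type>
    <host>ldap.company.net</host>
    <port>389</port>
    <baseDN>dc=gluu</baseDN>
    <ou>people</ou><ou>groups</ou>
  </Service>
</XRD>"""

# i-number shape from the session's examples: "!" + authority + dotted hex groups.
# It admits no RFC 4514 special characters, so a value that passes cannot inject RDNs.
INUM_RE = re.compile(r"^![a-z0-9]+(\.[0-9a-f]{4})+$")

def parse_ldap_service(xrd_text, service_type="(+ldaps)"):
    """Return host/port/baseDN/ous for the requested service type from an XRD."""
    for svc in ET.fromstring(xrd_text).findall("xrd:Service", XRD_NS):
        if svc.findtext("xrd:Type", namespaces=XRD_NS) != service_type:
            continue
        port = int(svc.findtext("xrd:port", namespaces=XRD_NS))
        if not 0 < port < 65536:
            raise ValueError("port out of range in XRD")
        return {"scheme": "ldaps" if service_type == "(+ldaps)" else "ldap",
                "host": svc.findtext("xrd:host", namespaces=XRD_NS),
                "port": port,
                "base_dn": svc.findtext("xrd:baseDN", namespaces=XRD_NS),
                "ous": [ou.text for ou in svc.findall("xrd:ou", XRD_NS)]}
    raise LookupError("no %s service in XRD" % service_type)

def inum_to_dn(inum, service, ou):
    """Build inum=<i-number>,ou=<ou>,<baseDN>, only for ous the XRD advertises."""
    if not INUM_RE.match(inum):
        raise ValueError("malformed i-number: %r" % inum)
    if ou not in service["ous"]:
        raise ValueError("ou %r not advertised in XRD" % ou)
    return "inum=%s,ou=%s,%s" % (inum, ou, service["base_dn"])

def ldap_url(service, dn):
    """RFC 4516-style URL for the entry: ldaps://host:port/<dn>."""
    return "%s://%s:%d/%s" % (service["scheme"], service["host"],
                              service["port"], quote(dn, safe="=,!"))
```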

New Functionality Needed For Servers: Servers can reference entries in other directory services for ACIs

aci: allowREAD: @gluu*mike
aci: memberOf: @custa.PayrollAdministrators

Sample Applications --- Communities or virtual organizations that could enable a way to publish information about people from different organizations under one virtual LDAP tree.