LDAP schema design
-
I am pretty new to LDAP and trying to design a schema for a particular need. I have a Support Organization. There are three levels: P1 - lowest permissions, P2 - middle, P3 - highest permissions. I have split the support team into subteams. TeamA manages customers A1, A2, A3 etc.; TeamB manages customers B1, B2, B3 etc. Customer A1 has its internal users. Internal users of each customer have 2 levels of permissions, either P1 or P2. Their P1 or P2 permissions are only for stuff relevant to themselves, i.e. a P2 from Customer A1 will not have any permissions for Customer A2. TeamA people (who manage customers A1, A2 etc.) have either P1 or P2 permissions. A person from TeamA who has P2 permissions will have P2 permissions for each customer who is managed by TeamA, i.e. a TeamA P2 will have P2 for A1, A2, A3 (all of them). Then there is a super support team. Here people are not specific to groups of customers. A P2 from the SuperSupport team will have P2 permissions for Customer A1, Customer B1 - for everything. A P3 will be similar.
I have been designing a schema:

# Root node
dn: dc=myorg,dc=com
objectclass: organization
objectclass: dcObject
o: myorg.com
dc: myorg

# Groups
dn: ou=Groups,dc=myorg,dc=com
objectclass: organizationalUnit
ou: Groups

dn: cn=P1,ou=Groups,dc=myorg,dc=com
objectclass: organizationalRole
cn: P1
description: Lowest level

dn: cn=P2,ou=Groups,dc=myorg,dc=com
objectclass: organizationalRole
cn: P2
description: Higher level

dn: cn=P3,ou=Groups,dc=myorg,dc=com
objectclass: organizationalRole
cn: P3
description: Highest level of Support

# Teams (the ou value must match the RDN value, ou=Team)
dn: ou=Team,dc=myorg,dc=com
objectclass: organizationalUnit
ou: Team
description: Teams

# Team A
dn: ou=teamA,ou=Team,dc=myorg,dc=com
objectclass: organizationalUnit
ou: teamA
description: Team A

# Team B
dn: ou=teamB,ou=Team,dc=myorg,dc=com
objectclass: organizationalUnit
ou: teamB
description: Team B

# Customers
# Customer A1 of Team A
dn: ou=custa1,ou=teamA,ou=Team,dc=myorg,dc=com
objectclass: organizationalUnit
ou: custa1
description: Some Org

# Customer B2 of Team B
dn: ou=custb2,ou=teamB,ou=Team,dc=myorg,dc=com
objectclass: organizationalUnit
ou: custb2
description: Some other Org

Is it correct up to this? I am getting a little stuck beyond this: how do I put in people from different teams, different customers, super support etc., so that it would be easy to figure out, after binding to the LDAP server with a uname/passwd, what permissions that particular user has? Can someone help or point me to a sample schema for similar requirements?
-
Answer:
The pedant in me is forced to point out that what you're creating here is not a schema, but a layout. A schema defines object types and attributes on the objects; a layout defines where the objects are and what values are assigned to the attributes. That out of the way...

When you add people you'll be associating them with the OrganizationalRoles you're defining, and people can belong to many of them. In fact, where their object actually resides doesn't confer any rights; it's the act of associating an OR with them. When they bind, they'll gain the rights of the ORs they're a member of, regardless of where their object is.

To answer your question of figuring out what rights they get, they should be listed in two places:
- On their user-object
- On the organizationalRole object

You'd form the LDAP query to pull either the orMember attribute from the user object, or query all organizationalRole objects with a member of the user. The exact name of the attribute on the user depends on your actual LDAP schema in use.
Genboy at Server Fault
Other answers
This is actually a question on sysadmin1138's reply, but I am unable to add such a long post as a comment, hence posted it as an answer (new to serverfault).

"The pedant in me is forced to point out that what you're creating here is not a schema, but a layout."

Thank you for the clarification.

"To answer your question of figuring out what rights they get, they should be listed in two places:
* On their user-object
* On the organizationalRole object"

It's not clear what "they" refers to above. How do I associate rights with a user? Also, how do I associate a user with an OrganizationalRole? E.g. I have 2 users:

1) User John from Customer A

dn: uid=jdoe,ou=custb2,ou=teamb,ou=Team,dc=myorg,dc=com
objectclass: inetOrgPerson
cn: John Doe
sn: Doe
uid: jdoe
userPassword: something
displayName: Mr. John Doe

Now how do I say that this person has P1 permissions for custb2? What attribute do I need to add here? Also I am wondering whether I am nesting it correctly here, i.e. custb2 under teamb? Instead, should all customers be under a common node called Customers? If so, how do I link a team and a customer?

2) User Jane from Team B

# a person entry needs its own RDN (uid=jbloe) under the team container, not the container's own DN
dn: uid=jbloe,ou=teamB,ou=Team,dc=myorg,dc=com
objectclass: inetOrgPerson
cn: Jane Bloe
sn: bloe
uid: jbloe
userPassword: something
displayName: Mr. Jane Bloe

How do I say that this person has P1 permissions for all customers who belong to teamb?
Genboy
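As an added example (not sysadmin1138's code, Genboy's, or anything from Server Fault), here is the second option from the answer above, "query all organizationalRole objects with a member of the user", worked through offline against constructed LDIF, which also answers the follow-up's "what attribute do I add": the grant attribute is roleOccupant, the standard attribute of organizationalRole (RFC 4519). The scoping rule (a role sits in the container whose scope it grants, so cn=P2 under ou=teamb covers all of team B's customers while cn=P3 under ou=Groups covers everyone), the level ordering and the user DNs are assumptions made for this example, not part of the question.

```python
# Constructed sample data, not the asker's LDIF. Each grant is an organizationalRole entry naming the
# user through the standard roleOccupant attribute (RFC 4519). Assumption for this example: a role lives
# in the container whose scope it grants (cn=P2 under ou=teamb covers all of team B's customers).
LDIF = """
dn: cn=P1,ou=custa1,ou=teama,ou=Team,dc=myorg,dc=com
objectclass: organizationalRole
cn: P1
roleOccupant: uid=jdoe,ou=custa1,ou=teama,ou=Team,dc=myorg,dc=com

dn: cn=P2,ou=teamb,ou=Team,dc=myorg,dc=com
objectclass: organizationalRole
cn: P2
roleOccupant: uid=jbloe, ou=teamB, ou=Team, dc=myorg,dc=com

dn: cn=P3,ou=Groups,dc=myorg,dc=com
objectclass: organizationalRole
cn: P3
roleOccupant: uid=super,ou=SuperSupport,dc=myorg,dc=com
"""
LEVEL_RANK = {"P1": 1, "P2": 2, "P3": 3}  # assumption: a higher level implies the lower ones
ORG_WIDE = "ou=groups,dc=myorg,dc=com"     # roles kept here apply to every customer
def normalize_dn(dn):
    # DNs compare case-insensitively and ignore spaces after commas: 'ou=teamB, ou=Team' == 'ou=teamb,ou=team'
    return ",".join(part.strip().lower() for part in dn.split(","))

def parse_ldif(text):
    # Minimal LDIF reader: blank-line separated entries, multi-valued attributes (no comments or line folding)
    entries = {}
    for block in text.strip().split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            attrs.setdefault(key.strip().lower(), []).append(value.strip())
        entries[normalize_dn(attrs["dn"][0])] = attrs
    return entries

def grants_for(entries, user_dn):
    # The answer's second query: every organizationalRole whose roleOccupant lists the user -> (level, scope)
    user = normalize_dn(user_dn)
    return {(attrs["cn"][0].upper(), dn.split(",", 1)[1])  # scope = the container the role sits in
            for dn, attrs in entries.items()
            if "organizationalrole" in [c.lower() for c in attrs.get("objectclass", [])]
            and user in [normalize_dn(v) for v in attrs.get("roleoccupant", [])]}

def has_permission(entries, user_dn, level, customer_dn):
    # True if some grant of at least `level` is org-wide or sits on the customer or one of its ancestors
    target = normalize_dn(customer_dn)
    return any(LEVEL_RANK[granted] >= LEVEL_RANK[level]
               and (scope == ORG_WIDE or target == scope or target.endswith("," + scope))
               for granted, scope in grants_for(entries, user_dn))
```

Against a live directory the same lookup is a subtree search with the filter (&(objectClass=organizationalRole)(roleOccupant=<bound user's DN>)) run right after the bind succeeds.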