LDAP schema design

I am pretty new to LDAP and am trying to design a schema for a particular need.

I have a Support Organization.

There are three levels:
P1 – lowest permissions
P2 – middle
P3 – highest permissions.

I have split the support team into subteams.

TeamA manages customers A1, A2, A3 etc
TeamB manages customers B1, B2, B3 etc.

Customer A1 has its own internal users.
Internal users of each customer have one of two levels of permissions, either P1 or P2. Their P1 or P2 permissions apply only to things relevant to themselves, i.e. a P2 from Customer A1 will not have any permissions for Customer A2.

TeamA people (who manage customers A1, A2, etc.) have either P1 or P2 permissions.
A person from TeamA who has P2 permissions will have P2 permissions for each customer managed by TeamA, i.e. a TeamA P2 will have P2 for A1, A2 and A3 (all of them).

Then there is a super support team.
Here people are not specific to groups of customers.
A P2 from the SuperSupport team will have P2 permissions for Customer A1, Customer B1 – for everything.
A P3 will be similar.

I have started designing a schema:

# Root node
dn: dc=myorg,dc=com
objectclass: organization
objectclass: dcObject
o: myorg.com
dc: myorg

# Groups
dn: ou=Groups, dc=myorg,dc=com
objectclass: organizationalUnit
ou: Groups

dn: cn=P1, ou=Groups, dc=myorg,dc=com
objectclass: organizationalRole
cn: P1
description: Lowest level

dn: cn=P2, ou=Groups,dc=myorg,dc=com
objectclass: organizationalRole
cn: P2
description: Higher level

dn: cn=P3, ou=Groups,dc=myorg,dc=com
objectclass: organizationalRole
cn: P3
description: Highest level of Support

# Teams (the ou attribute must carry the RDN value, ou=Team, or the add fails)
dn: ou=Team, dc=myorg,dc=com
objectclass: organizationalUnit
ou: Team
description: Teams

# Team A (the RDN and the ou attribute must agree)
dn: ou=teamA, ou=Team, dc=myorg,dc=com
objectclass: organizationalUnit
ou: teamA
description: Team A

# Team B
dn: ou=teamb, ou=Team, dc=myorg,dc=com
objectclass: organizationalUnit
ou: teamB
description: Team B

# Customers

# Customer A1 of Team A (every RDN in the DN is comma-separated)
dn: ou=custa1, ou=teama, ou=Team, dc=myorg,dc=com
objectclass: organizationalUnit
ou: custa1
description: Some Org

# Customer B2 of Team B
dn: ou=custb2, ou=teamb, ou=Team, dc=myorg,dc=com
objectclass: organizationalUnit
ou: custb2
description: Some other Org

Is it correct up to this?

I am getting a little stuck beyond this: how do I put in people from different teams, different customers, super support, etc., so that it would be easy to figure out, after binding to the LDAP server with a username/password, what permissions that particular user has?

Can someone help or point me to a sample schema for similar requirements?

Best Answer

The pedant in me is forced to point out that what you're creating here is not a schema, but a layout. A schema defines object types and the attributes on those objects; a layout defines where the objects are and what values are assigned to the attributes.

That out of the way...

When you add people you'll be associating them with the OrganizationalRoles you're defining, and people can belong to many of them. In fact, where their object actually resides doesn't confer any rights; it's the act of associating an OR with them. When they bind, they'll gain the rights of the ORs they're a member of, regardless of where their object is.

To answer your question of figuring out what rights they get, they should be listed in two places:

  • On their user-object
  • On the organizationalRole object

You'd form the LDAP query to pull either the orMember attribute from the user object, or query all organizationalRole objects with a member of the user. The exact name of the attribute on the user depends on your actual LDAP schema in use.
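One way to resolve rights the way the answer describes, as an added example that is not part of the original question or answer: it assumes the asker's layout plus one convention, that each scope (ou=Groups for global, each team OU, each customer OU) holds its own P1/P2/P3 organizationalRole, and that membership is recorded in roleOccupant, the standard attribute of that object class. The sample LDIF, the user DNs (alice, bob, carol) and the helper names are constructed for the example; the parser is a minimal reader for ldapsearch-style exports, not a full LDIF implementation.

```python
import base64

# Added example, not code from the original post. It assumes the asker's layout
# plus one convention: each scope (ou=Groups for global, each team OU, each
# customer OU) holds its own P1/P2/P3 organizationalRole, which grants its level
# to the DNs listed in roleOccupant (the standard attribute of that class).
LEVELS = {"P1": 1, "P2": 2, "P3": 3}
GLOBAL_SCOPE = "ou=Groups,dc=myorg,dc=com"  # roles here cover every customer

# Constructed sample export (as `ldapsearch -LLL` would print it), with one
# folded line and one base64 (`::`) value so the parser handles both.
SAMPLE_LDIF = """\
dn: cn=P2,ou=custa1,ou=teama,ou=Team,dc=myorg,dc=com
objectclass: organizationalRole
cn: P2
description: internal user of customer A1, P2 for A1 only
roleOccupant: uid=alice,ou=People,dc=myorg,dc=com

dn: cn=P2,ou=teama,ou=Team,dc=myorg,dc=com
objectclass: organizationalRole
cn: P2
description: TeamA support, P2 for every customer under ou=teama
roleOccupant: uid=bob,ou=People,
 dc=myorg,dc=com

dn: cn=P3,ou=Groups,dc=myorg,dc=com
objectclass: organizationalRole
cn: P3
description: SuperSupport, P3 everywhere
roleOccupant:: dWlkPWNhcm9sLG91PVBlb3BsZSxkYz1teW9yZyxkYz1jb20=
"""

def normalize_dn(dn):
    """Case-fold and drop spaces after commas so 'ou=Groups, dc=myorg,dc=com'
    equals 'ou=groups,dc=myorg,dc=com'. Escaped commas are not handled."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def parent_dn(dn):
    return normalize_dn(dn).partition(",")[2]

def is_within(dn, scope):
    """True when dn is scope itself or lies beneath it in the tree."""
    dn, scope = normalize_dn(dn), normalize_dn(scope)
    return dn == scope or dn.endswith("," + scope)

def parse_ldif(text):
    """Minimal LDIF reader: {normalized dn: {attribute_lowercase: [values]}}."""
    lines = []
    for raw in text.splitlines():           # unfold continuation lines
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, dn, attrs = {}, None, {}
    for line in lines + [""]:               # sentinel flushes the last entry
        if line.startswith("#"):
            continue
        if not line.strip():
            if dn is not None:
                entries[normalize_dn(dn)] = attrs
            dn, attrs = None, {}
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):            # 'attr:: <base64>'
            value = base64.b64decode(value[1:].strip()).decode()
        else:
            value = value.strip()
        if name.lower() == "dn":
            dn = value
        else:
            attrs.setdefault(name.lower(), []).append(value)
    return entries

def roles_of(entries, user_dn):
    """Reverse lookup (the answer's second option): every organizationalRole
    whose roleOccupant lists the user, as (level, scope) pairs. The scope is the
    role's parent entry, so the level never depends on where the user sits."""
    user_dn = normalize_dn(user_dn)
    found = []
    for dn, attrs in entries.items():
        classes = {c.lower() for c in attrs.get("objectclass", [])}
        members = {normalize_dn(v) for v in attrs.get("roleoccupant", [])}
        if "organizationalrole" in classes and user_dn in members:
            found.append((attrs["cn"][0].upper(), parent_dn(dn)))
    return found

def effective_level(entries, user_dn, customer_dn):
    """Highest level held for customer_dn: a role counts when its scope is the
    global container, the customer entry itself, or an ancestor of it."""
    best = 0
    for level, scope in roles_of(entries, user_dn):
        if is_within(scope, GLOBAL_SCOPE) or is_within(customer_dn, scope):
            best = max(best, LEVELS[level])
    return best

if __name__ == "__main__":
    tree = parse_ldif(SAMPLE_LDIF)
    a1 = "ou=custa1,ou=teama,ou=Team,dc=myorg,dc=com"
    b2 = "ou=custb2,ou=teamb,ou=Team,dc=myorg,dc=com"
    for uid in ("alice", "bob", "carol"):
        user = f"uid={uid},ou=People,dc=myorg,dc=com"
        print(uid, effective_level(tree, user, a1), effective_level(tree, user, b2))
```

Against a live server the same reverse lookup is the search `(&(objectClass=organizationalRole)(roleOccupant=<user DN>))` under the base suffix, run right after the bind. The forward lookup from the user entry that the answer also mentions only works if something maintains a back-reference attribute on the user (a memberOf-style overlay, for instance); when both exist, comparing the two result sets is a cheap way to catch a hand-edited or stale user entry.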