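---
# Schema version. Kept as a quoted string so a YAML 1.1 loader does not read
# it as the float 0.1.
version: "0.1"

description: >
  Canonical LDAP Schema for KeyCape / NetKingdom IAM Profile.
  Expresses the canonical identity model in LDAP terms.
  Portable across LLDAP, OpenLDAP, 389DS, and Active Directory.

# NOTE(review): the object classes and attribute names used throughout this
# file (inetOrgPerson, groupOfNames, uid-based naming) are the standard
# RFC 2798 / RFC 4519 vocabulary that OpenLDAP, 389DS and LLDAP share.
# Active Directory names groups with its own `group` class and names entries
# by cn, so "portable" there implies a per-directory mapping layer that this
# file does not describe — confirm where that mapping lives.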
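# Directory suffix that every DN in this profile must be rooted under; the
# valid_dn_structure rule checks DNs against it. The `.local` suffix reads as
# a lab/local placeholder — confirm the value is substituted per environment
# rather than deployed as-is.
base_dn: "dc=netkingdom,dc=local"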
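# One entry per organisational unit. For each OU: the container DN, the
# object classes an entry must carry, the attribute allow-list the validator
# enforces, the RDN attribute, and worked examples.
organization_units:
  users:
    dn: "ou=users,dc=netkingdom,dc=local"
    description: "User accounts"
    object_classes:
      required:
        - inetOrgPerson
        - organizationalPerson
        - person
        - top
    attributes:
      required:
        - uid  # canonical: username
        - cn   # canonical: displayName
        - sn   # canonical: surname (may be set to displayName if absent)
      optional:
        - mail  # canonical: email
        # memberOf is maintained by the server (OpenLDAP memberof overlay,
        # 389DS MemberOf plugin, AD built-in, LLDAP). Treat it as read-only
        # and do not base authorization on it unless the backing overlay is
        # known to be enabled; the `member` attribute on the group entry is
        # the authoritative record of membership.
        - memberOf  # back-reference to group membership
      # NOTE(review): objectClass, userPassword and server operational
      # attributes are not in the allow-list above, yet every real entry
      # carries at least objectClass. The no_unknown_attributes rule must
      # exempt them explicitly or no live entry can validate — confirm.
      forbidden: []
    naming_attr: uid
    examples:
      - dn: "uid=alice,ou=users,dc=netkingdom,dc=local"
        uid: alice
        cn: "Alice Example"
        sn: Example
        mail: alice@example.com

  groups:
    dn: "ou=groups,dc=netkingdom,dc=local"
    description: "User groups"
    object_classes:
      required:
        # groupOfNames makes `member` mandatory, so an empty group cannot be
        # stored on a schema-checking server. Active Directory does not use
        # this class for groups (it uses `group`), so a mapping is needed there.
        - groupOfNames
        - top
    attributes:
      required:
        - cn      # canonical: name
        - member  # list of member DNs; authoritative source of membership
      optional:
        - description
      forbidden: []
    naming_attr: cn
    examples:
      - dn: "cn=admins,ou=groups,dc=netkingdom,dc=local"
        cn: admins
        member:
          - "uid=alice,ou=users,dc=netkingdom,dc=local"

  clients:
    dn: "ou=clients,dc=netkingdom,dc=local"
    description: "OIDC client registrations"
    object_classes:
      required:
        # inetOrgPerson is reused for clients, so a client entry is
        # structurally indistinguishable from a person. Keep authentication
        # search bases scoped to ou=users so a client entry can never be
        # resolved or bound as a user, and keep `(uid=...)` lookups OU-scoped
        # because clients share the uid naming attribute with users.
        - inetOrgPerson
        - top
    attributes:
      required:
        - uid  # canonical: clientId
        - cn   # canonical: displayName
      optional:
        - description
      # NOTE(review): this schema does not say where OIDC client secrets are
      # stored. If they end up in userPassword, every client becomes a
      # simple-bind principal in the directory — confirm the intended storage.
      forbidden: []
    naming_attr: uid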
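# Checks a validator is expected to run over a directory export. Structural
# rules inspect one entry at a time; semantic rules need the whole tree.
validation_rules:
  structural:
    - name: valid_dn_structure
      description: "All DNs must conform to the base_dn and OU layout above."
    - name: required_attributes_present
      description: "Every entry must carry all required attributes for its OU."
    - name: no_unknown_attributes
      # NOTE(review): read literally this rejects objectClass, userPassword
      # and server operational attributes, which every live entry carries.
      # The validator needs an explicit exemption list for those — confirm.
      description: "No attributes outside the allowed set may appear."
    - name: valid_group_memberships
      # `member` values are DNs (see the groups OU), not bare uids.
      description: "All member values must be non-empty valid DNs."

  semantic:
    - name: referenced_users_exist
      # The lookup must resolve each member DN under ou=users only. Clients
      # also carry a uid, so a bare (uid=...) search from base_dn would accept
      # a DN under ou=clients as a "user" and let a client be placed in a
      # group such as cn=admins.
      description: "Every user ID referenced in group members must exist."
    - name: no_cyclic_groups
      # Stricter than cycle detection: nesting is forbidden outright, so
      # membership is always one level deep and the check reduces to
      # "every member DN lies under ou=users".
      description: "Groups may not contain other group IDs as members."
    - name: usernames_unique
      # ou=clients also names entries by uid. A client sharing a uid with a
      # user is legal in LDAP (distinct DNs) but makes any subtree-wide
      # (uid=x) search ambiguous; consider enforcing uniqueness across both
      # OUs, or guarantee that consumers never search above the OU.
      description: "The uid attribute must be unique across ou=users."
    - name: email_format_valid
      # Format only: mail is not required to be unique here. If mail is used
      # as a login identifier or for account recovery, add a uniqueness rule.
      description: "mail, when present, must be a valid RFC 5322 address."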