LDAP ==== We expose some (readonly) information about our users via LDAP. This information is meant to be used by other CdE-brewed and third-party-tools living in the CdE ecosystem to - authenticate and - authorize users To achieve the latter, we heavily build upon ldap groups to determine the access level of a given user. For the sake of simplicity, the information provided by LDAP is read-only. To modify user attributes or group membership, the CdEDB shall be used directly. LDAP Tree --------- Our LDAP Tree looks as follows:: dc=cde-ev,dc=de ├── ou=duas │ ├── cn=test │ └── ... ├── ou=groups │ ├── ou=assembly-presiders │ │ ├── cn=presiders-1 │ │ └── ... │ ├── ou=event-orgas │ │ ├── cn=orgas-1 │ │ └── ... │ ├── ou=ml-moderators │ │ ├── cn=42-owner@lists.cde-ev.de │ │ └── ... │ ├── ou=ml-subscribers │ │ ├── cn=42@lists.cde-ev.de │ │ └── ... │ └── ou=status │ ├── cn=is_active │ ├── cn=is_assembly_admin │ ├── cn=is_assembly_realm │ ├── cn=is_cde_admin │ ├── cn=is_cde_realm │ ├── cn=is_cdelokal_admin │ ├── cn=is_core_admin │ ├── cn=is_event_admin │ ├── cn=is_event_realm │ ├── cn=is_finance_admin │ ├── cn=is_member │ ├── cn=is_ml_admin │ ├── cn=is_ml_realm │ └── cn=is_searchable └── ou=users ├── uid=1 └── ... LDAP Entities ------------- Groups ^^^^^^ A group represent a collection of users. They are used to represent some attributes (status attributes like ``is_active``, mailinglist subscriptions etc) of users in an LDAP-fashion. Each group implements the ``groupOfUniqueNames`` objectclass and has the following attributes: - ``cn`` ID for events and assemblies; list address for mailinglists; some bools of ``core.personas`` - ``description`` follows the pattern "``title`` (``shortname``)" for events, assemblies and mailinglist. - ``uniqueMember`` the DN of one group member Users ^^^^^ An LDAP user represents an user account of the CdEDB. Each user implements the ``inetOrgPerson`` objectclass and has the following attributes: - ``cn`` their full name: "``given_names`` ``family_name``" - ``displayName`` the full name which should be used to address this user, constructed via the same logic used in the CdEDB, including a family name. - ``givenName`` the first name of the user (CdEDBs ``given_names``). - ``sn`` the last name of the user (CdEDBs ``family_name``). - ``mail`` the users mail address. This may also be used as login username, since the CdEDB enforces uniqueness here. - ``uid`` the CdEDB-ID without letters or checksum. - ``userPassword`` the password this user has set in the CdEDB. - ``memberOf`` listing all dns of the groups this user is a member of. DirectoryUserAgents ^^^^^^^^^^^^^^^^^^^ To access the LDAP with a third-party tool, the tool needs to authenticate itself against the LDAP. Sadly, there are great differences: Some tools use a static user from within the LDAP to retrieve their data, others use the credentials of the user they are currently serving, some do a mixture of both. In general, we advise to use the second method (use the user credentials) to retrieve data from LDAP. However, to grant compatibility, each tool which **requires** an own LDAP user get an own entry inside ``ou=duas``. Sadly, there is no common specification of duas with a common accepted objectclass. Therefore, we (ab)use the ``person`` objectclass for them, containing the following attributes: - ``cn`` a name which must be unique for each dua - ``userPassword`` the password they use to bind against LDAP Security Restrictions --------------------- The following restrictions were applied to protect the data inside the LDAP against unprivileged access: - Users may only access exactly their own data. - Duas can access every user data, exept for their group memberships. Group access is only provided to some duas manually. - Password hashes can not be retrieved from LDAP, only authentication inside LDAP is allowed.