LDAP Schema
===========
Here's the LDAP schema used by EZID. For its core processing EZID
uses the following classes, which are auxiliary, not structural. As a
consequence, for the most part (caveats below) EZID makes no
assumptions about the structural typing of or relationships between
LDAP entries.
object class ezidUser:

  Describes an EZID user. Attributes:

  uid
    Username, e.g., "dryad". Must not contain spaces.
  arkId
    The user's ARK identifier, e.g., "ark:/99166/p9bg2h891". Must
    begin with "ark:/" and must be in canonical form.
  ezidOwnerGroup
    The DN of the user's owner group, e.g.,
    "ou=CDL,ou=ezid-groups,ou=uc3,dc=cdlib,dc=org". An LDAP entry may
    be both an EZID user and an EZID group, and this attribute may be
    self-referential.
  ezidCoOwners
    List of uids of EZID users that may modify this user's
    identifiers. The uids must be separated by spaces and/or commas,
    e.g., "manny,moe,jack". Optional.
  isEzidGroupAdministrator
    Optional boolean flag; if present and true, the user is an
    administrator of its EZID group. Not yet used by EZID.
  isEzidRealmAdministrator
    Optional boolean flag; if present and true, the user is an
    administrator of its EZID realm. Not yet used by EZID.
  shoulderList
    Optional. If present, list of the identifier shoulders to which
    the user has access, or "NONE". If a list is given, it must be a
    subset of the user's group's shoulder list and follow the same
    syntax. If not present, the user inherits its group's shoulder
    list. Not yet used by EZID.

object class ezidGroup:

  Describes an EZID group. Attributes:

  gid or uid
    The group name, e.g., "cdl". Must not contain spaces.
  groupArkId or arkId
    The group's ARK identifier, e.g., "ark:/99166/p96q1sg5w". Must
    begin with "ark:/" and must be in canonical form. The user and
    group identifiers for a given user must be different.
  shoulderList
    List of the identifier shoulders to which the group has access, or
    "NONE". The shoulders must be separated by spaces, e.g.,
    "ark:/13030/c7 doi:10.5060/D2".
  agreementOnFile
    Optional boolean flag; not used by EZID itself.
  crossrefEnabled
    Optional boolean flag; if present and true, the group is permitted
    to register identifiers with CrossRef.
  crossrefMail
    Optional. The email address(es) to which CrossRef errors and
    warnings (if crossrefSendMailOnError is true) and other reports
    should be sent.
  crossrefSendMailOnError
    Optional boolean flag; if present and true, errors and warnings
    received from CrossRef are mailed.
  ezidRealm
    The DN of the group's EZID realm. Not yet used by EZID.

object class ezidRealm:

  Describes an EZID realm. Not yet used by EZID. Attributes:

  name
    The realm name, e.g., "Purdue".
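The attribute descriptions above carry several cross-entry rules (no spaces in uid, arkId prefix, differing user and group identifiers, ezidOwnerGroup pointing at the group, a user's shoulderList being a subset of its group's, inheritance when the user has none). The following is an added example, not EZID code, that parses the two list-valued attributes with the separators the text specifies and checks those rules over constructed sample entries; the DN normalization is a deliberate simplification labelled as such in the code.

```python
import re
from typing import Optional

# Constructed sample entries modelled on the attribute descriptions above.
# The DNs, names and shoulders are illustrative values, not real EZID accounts.
GROUP_ENTRY = {
    "dn": "ou=CDL,ou=ezid-groups,ou=uc3,dc=cdlib,dc=org",
    "gid": "cdl",
    "groupArkId": "ark:/99166/p96q1sg5w",
    "shoulderList": "ark:/13030/c7 doi:10.5060/D2",
}
USER_ENTRY = {
    "uid": "dryad",
    "arkId": "ark:/99166/p9bg2h891",
    # Same group as above, written with spaces after the commas on purpose.
    "ezidOwnerGroup": "ou=CDL, ou=ezid-groups, ou=uc3, dc=cdlib, dc=org",
    "ezidCoOwners": "manny, moe,jack",
    "shoulderList": "doi:10.5060/D2",
}


def parse_co_owners(value: Optional[str]) -> list:
    """ezidCoOwners: uids separated by spaces and/or commas. Optional."""
    if not value:
        return []
    return [u for u in re.split(r"[\s,]+", value.strip()) if u]


def parse_shoulders(value: Optional[str]) -> Optional[set]:
    """shoulderList: space-separated shoulders, or the literal "NONE".
    Returns None when the attribute is absent so the caller can apply
    the inheritance rule."""
    if value is None:
        return None
    if value.strip() == "NONE":
        return set()
    return set(value.split())


def normalize_dn(dn: str) -> str:
    # Simplification (assumption): lowercase and strip whitespace around
    # the RDN separators. A full distinguishedNameMatch also has to handle
    # escaped commas and multi-valued RDNs, which these sample DNs do not use.
    return ",".join(part.strip() for part in dn.split(",")).lower()


def validate_user(user: dict, group: dict) -> list:
    """Return the list of rule violations for a user entry checked against
    the group it names; an empty list means the pair is consistent."""
    problems = []
    uid = user.get("uid", "")
    if not uid or " " in uid:
        problems.append("uid missing or contains spaces")
    ark = user.get("arkId", "")
    if not ark.startswith("ark:/"):
        problems.append("arkId must begin with ark:/")
    group_ark = group.get("groupArkId") or group.get("arkId")
    if group_ark and ark == group_ark:
        problems.append("user and group ARK identifiers must differ")
    if normalize_dn(user.get("ezidOwnerGroup", "")) != normalize_dn(group["dn"]):
        problems.append("ezidOwnerGroup does not name the supplied group")
    group_shoulders = parse_shoulders(group.get("shoulderList"))
    if group_shoulders is None:
        problems.append("group is missing its mandatory shoulderList")
        group_shoulders = set()
    user_shoulders = parse_shoulders(user.get("shoulderList"))
    if user_shoulders is not None and not user_shoulders <= group_shoulders:
        extra = sorted(user_shoulders - group_shoulders)
        problems.append("shoulderList is not a subset of the group's: %s" % extra)
    return problems


def effective_shoulders(user: dict, group: dict) -> set:
    """A user without its own shoulderList inherits the group's list."""
    own = parse_shoulders(user.get("shoulderList"))
    if own is not None:
        return own
    return parse_shoulders(group.get("shoulderList")) or set()


if __name__ == "__main__":
    print(parse_co_owners(USER_ENTRY["ezidCoOwners"]))
    print(validate_user(USER_ENTRY, GROUP_ENTRY))
    print(sorted(effective_shoulders(USER_ENTRY, GROUP_ENTRY)))
```

The subset check is the one that matters for authorization: a user whose shoulderList names a shoulder its group does not hold would otherwise be able to mint identifiers the group was never granted, so it is worth enforcing at provisioning time rather than trusting the directory contents.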
Now for the caveats. EZID assumes that user DNs can be formed by
inserting usernames into a common template (thus assuming that all
users share some structural parent).
Also, for password and user account (or "profile") management, EZID
assumes that users are of structural class inetOrgPerson, specifically
that users have passwords and have the standard LDAP attributes
givenName, sn, cn, mail, telephoneNumber, and description. Groups are
assumed to have a description attribute (such as is supplied by the
organization and organizationalUnit structural classes).
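Because EZID builds user DNs by inserting the username into a template, the username is the one untrusted value that ends up inside a DN. This added example (not EZID code; the template itself is an assumption, since the page only says a common template exists) shows the two checks a defender wants at that point: reject usernames the schema forbids, and escape the RDN value per RFC 4514 so that a username can never add or alter RDN components.

```python
# Assumed DN template; the page states only that user DNs are formed by
# inserting usernames into a common template, not what that template is.
USER_DN_TEMPLATE = "uid={uid},ou=ezid-users,ou=uc3,dc=cdlib,dc=org"


def is_valid_uid(uid: str) -> bool:
    """The schema's stated rule: a uid must be present and contain no spaces."""
    return bool(uid) and " " not in uid


def escape_rdn_value(value: str) -> str:
    """Escape an attribute value for use in a DN (RFC 4514, section 2.4):
    backslash-escape the special characters , + " \\ < > ; anywhere,
    a leading '#' or space, a trailing space, and NUL as \\00."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in ',+"\\<>;':
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        elif ch == " " and (i == 0 or i == last):
            out.append("\\ ")
        elif ch == "#" and i == 0:
            out.append("\\#")
        else:
            out.append(ch)
    return "".join(out)


def user_dn(uid: str, template: str = USER_DN_TEMPLATE) -> str:
    """Form the user's DN from the template. Validation enforces the schema
    rule; escaping guarantees the username stays a single RDN value even if
    it contains DN metacharacters."""
    if not is_valid_uid(uid):
        raise ValueError("uid must be non-empty and must not contain spaces")
    return template.format(uid=escape_rdn_value(uid))


if __name__ == "__main__":
    print(user_dn("dryad"))
    print(user_dn("doe,jr"))
```

The escaping step is what keeps the template approach safe: a value such as "doe,jr" becomes the single RDN uid=doe\,jr rather than two components. A stricter allowlist of username characters is a reasonable additional control, but it is not a substitute for escaping, since the rule the schema actually states only excludes spaces.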
Appendix
--------
The formal LDIF declarations are as follows (note that the uid
attribute is predefined):
attributeTypes: (
  gid-oid
  NAME 'gid'
  SUP uid
  EQUALITY caseIgnoreMatch
  ORDERING caseIgnoreOrderingMatch
  SUBSTR caseIgnoreSubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
  SINGLE-VALUE
  USAGE userApplications )

attributeTypes: (
  arkId-oid
  NAME 'arkId'
  DESC 'ARK identifier, must begin with ark:/'
  EQUALITY caseExactMatch
  ORDERING caseExactOrderingMatch
  SUBSTR caseExactSubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
  SINGLE-VALUE
  USAGE userApplications )

attributeTypes: (
  groupArkId-oid
  NAME 'groupArkId'
  DESC 'ARK identifier, must begin with ark:/'
  SUP arkId
  EQUALITY caseExactMatch
  ORDERING caseExactOrderingMatch
  SUBSTR caseExactSubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
  SINGLE-VALUE
  USAGE userApplications )

attributeTypes: (
  ezidOwnerGroup-oid
  NAME 'ezidOwnerGroup'
  DESC 'EZID owner group'
  EQUALITY distinguishedNameMatch
  SUBSTR caseIgnoreSubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
  SINGLE-VALUE
  USAGE userApplications )

attributeTypes: (
  ezidCoOwners-oid
  NAME 'ezidCoOwners'
  DESC 'List of uids separated by spaces and/or commas'
  EQUALITY caseExactMatch
  ORDERING caseExactOrderingMatch
  SUBSTR caseExactSubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
  SINGLE-VALUE
  USAGE userApplications )

attributeTypes: (
  shoulderList-oid
  NAME 'shoulderList'
  DESC 'List of identifier shoulders separated by spaces'
  EQUALITY caseExactMatch
  ORDERING caseExactOrderingMatch
  SUBSTR caseExactSubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
  SINGLE-VALUE
  USAGE userApplications )

attributeTypes: (
  agreementOnFile-oid
  NAME 'agreementOnFile'
  DESC 'Present and true if an agreement is on file'
  EQUALITY booleanMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
  SINGLE-VALUE
  USAGE userApplications )

attributeTypes: (
  crossrefEnabled-oid
  NAME 'crossrefEnabled'
  DESC 'If true, registration of identifiers with CrossRef is enabled'
  EQUALITY booleanMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
  SINGLE-VALUE
  USAGE userApplications )

attributeTypes: (
  crossrefMail-oid
  NAME 'crossrefMail'
  DESC 'Email address(es) to which CrossRef errors and warnings will be sent'
  EQUALITY caseIgnoreIA5Match
  SUBSTR caseIgnoreIA5SubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256}
  USAGE userApplications )

attributeTypes: (
  crossrefSendMailOnError-oid
  NAME 'crossrefSendMailOnError'
  DESC 'If true, errors and warnings received from CrossRef are mailed'
  EQUALITY booleanMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
  SINGLE-VALUE
  USAGE userApplications )

attributeTypes: (
  isEzidGroupAdministrator-oid
  NAME 'isEzidGroupAdministrator'
  DESC 'If present and true, the user is an administrator of its EZID group'
  EQUALITY booleanMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
  SINGLE-VALUE
  USAGE userApplications )

attributeTypes: (
  isEzidRealmAdministrator-oid
  NAME 'isEzidRealmAdministrator'
  DESC 'If present and true, the user is an administrator of its EZID realm'
  EQUALITY booleanMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
  SINGLE-VALUE
  USAGE userApplications )

attributeTypes: (
  ezidRealm-attr-oid
  NAME 'ezidRealm'
  DESC 'EZID realm to which group belongs'
  EQUALITY distinguishedNameMatch
  SUBSTR caseIgnoreSubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
  SINGLE-VALUE
  USAGE userApplications )

objectClasses: (
  ezidUser-oid
  NAME 'ezidUser'
  DESC 'EZID user'
  SUP top
  AUXILIARY
  MUST ( objectClass $ arkId $ uid $ ezidOwnerGroup )
  MAY ( ezidCoOwners $ isEzidGroupAdministrator $ isEzidRealmAdministrator $
    shoulderList ) )

objectClasses: (
  ezidGroup-oid
  NAME 'ezidGroup'
  DESC 'EZID group'
  SUP top
  AUXILIARY
  MUST ( objectClass $ shoulderList )
  MAY ( groupArkId $ arkId $ uid $ gid $ agreementOnFile $ crossrefEnabled $
    crossrefMail $ crossrefSendMailOnError $ ezidRealm ) )

objectClasses: (
  ezidRealm-oid
  NAME 'ezidRealm'
  DESC 'EZID realm'
  SUP top
  AUXILIARY
  MUST ( objectClass $ name ) )
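To show what the declarations above actually constrain, here is an added example (not EZID code) that unfolds a constructed excerpt of this LDIF, reads each attribute's NAME, SYNTAX and SINGLE-VALUE flag and each object class's MUST and MAY lists, and then applies the structural checks a directory server would enforce on an ezidGroup entry: every MUST attribute present, SINGLE-VALUE attributes holding exactly one value, and boolean-syntax attributes holding TRUE or FALSE. The excerpt keeps only ezidGroup and three of its attributes so the block stays short; the parser handles the full appendix the same way.

```python
import re

# Constructed excerpt of the appendix declarations (DESC lines dropped),
# folded with leading spaces the way LDIF continuation lines are written.
SCHEMA_LDIF = """\
attributeTypes: (
  shoulderList-oid
  NAME 'shoulderList'
  EQUALITY caseExactMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
  SINGLE-VALUE
  USAGE userApplications )
attributeTypes: (
  crossrefEnabled-oid
  NAME 'crossrefEnabled'
  EQUALITY booleanMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
  SINGLE-VALUE
  USAGE userApplications )
attributeTypes: (
  crossrefMail-oid
  NAME 'crossrefMail'
  EQUALITY caseIgnoreIA5Match
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256}
  USAGE userApplications )
objectClasses: (
  ezidGroup-oid
  NAME 'ezidGroup'
  SUP top
  AUXILIARY
  MUST ( objectClass $ shoulderList )
  MAY ( groupArkId $ arkId $ uid $ gid $ agreementOnFile $ crossrefEnabled $
    crossrefMail $ crossrefSendMailOnError $ ezidRealm ) )
"""

BOOLEAN_SYNTAX = "1.3.6.1.4.1.1466.115.121.1.7"


def unfold(ldif: str) -> list:
    """Join LDIF continuation lines (those starting with whitespace) onto
    the record they continue; returns one string per record."""
    records = []
    for line in ldif.splitlines():
        if line[:1].isspace() and records:
            records[-1] += " " + line.strip()
        elif line.strip():
            records.append(line.strip())
    return records


def parse_schema(ldif: str) -> dict:
    """Return {"attributes": {name: {"syntax", "single"}},
               "classes": {name: {"must": [...], "may": [...]}}}."""
    attrs, classes = {}, {}
    for rec in unfold(ldif):
        kind, _, body = rec.partition(":")
        name = re.search(r"NAME '([^']+)'", body).group(1)
        if kind == "attributeTypes":
            syntax = re.search(r"SYNTAX ([\d.]+)", body)
            attrs[name] = {"syntax": syntax.group(1) if syntax else None,
                           "single": "SINGLE-VALUE" in body}
        elif kind == "objectClasses":
            def names(keyword):
                m = re.search(keyword + r" \(([^)]*)\)", body)
                return [a.strip() for a in m.group(1).split("$")] if m else []
            classes[name] = {"must": names("MUST"), "may": names("MAY")}
    return {"attributes": attrs, "classes": classes}


def check_entry(entry: dict, object_class: str, schema: dict) -> list:
    """Structural checks for one auxiliary class. `entry` maps attribute
    names to lists of string values, as a directory returns them."""
    problems = []
    for attr in schema["classes"][object_class]["must"]:
        if attr not in entry:
            problems.append("missing MUST attribute %s" % attr)
    for attr, values in entry.items():
        spec = schema["attributes"].get(attr)
        if spec is None:
            continue  # defined by another class; not this check's concern
        if spec["single"] and len(values) != 1:
            problems.append("%s is SINGLE-VALUE but has %d values" % (attr, len(values)))
        if spec["syntax"] == BOOLEAN_SYNTAX:
            problems.extend("%s=%r is not an LDAP boolean" % (attr, v)
                            for v in values if v not in ("TRUE", "FALSE"))
    return problems


# Constructed entries: one conforming group and one with two defects.
GOOD_GROUP = {"objectClass": ["top", "organizationalUnit", "ezidGroup"],
              "shoulderList": ["ark:/13030/c7 doi:10.5060/D2"],
              "crossrefEnabled": ["TRUE"],
              "crossrefMail": ["ops@example.org", "backup@example.org"]}
BAD_GROUP = {"objectClass": ["top", "organizationalUnit", "ezidGroup"],
             "crossrefEnabled": ["yes"]}

if __name__ == "__main__":
    schema = parse_schema(SCHEMA_LDIF)
    print(check_entry(GOOD_GROUP, "ezidGroup", schema))
    print(check_entry(BAD_GROUP, "ezidGroup", schema))
```

Note that shoulderList is SINGLE-VALUE: the whole space-separated list is one attribute value, which is why the text specifies a separator instead of relying on LDAP's multi-valued attributes, and why crossrefMail, which is not SINGLE-VALUE, may hold several addresses.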