
Create LDAP schema

Status
Not open for further replies.

rgara

Programmer
Aug 22, 2007
4
US
I *just* started researching LDAP for a new project where I'll have to authenticate millions of users. It's slowly coming together, although I'm still fuzzy on how to build my hierarchical schema. From what I gather, it happens "automatically" when I add entries in the LDIF format. So I can play with that...

The biggest issue I'm having is how to create a schema for my particular business case. Basically, there is my company which will have employees with userIDs, passwords, and roles. I'll have several hundred of those.

At the next level, I have our customers, which are each businesses. Currently, that number is in the high 600's and is forecast to grow into the 1,000's. Each of those businesses has employees that will need to store UserID's, passwords, and roles. This group will number in the thousands.

Finally, each business has its own customers. Each customer will have a user ID, pwd and associated roles. An interesting twist, here, is that the userID is only unique to a business. What I mean is that business A could have a userID of jsmith, and business B, and business C could as well. So userID + business ID would be globally unique. I'll have several million of these entries.

Is LDAP really what I want? Sometimes, when reading through the docs I feel that LDAP is too complicated for what I'm trying to do and a simple webservice/relational DB with custom code would do the trick. On the other hand, I don't want to reinvent the wheel and it seems like LDAP should do the trick.

Can I do what is described above with the default schema objects?

Thanks in advance.
 
I'm still fuzzy on how to build my hierarchical schema.
For clarification, are you talking about an Active Directory structure? The word Schema is throwing me for a loop. Your definition of Schema may be different from how an Admin or DBA defines Schema.

What I mean is that business A could have a userID of jsmith, and business B, and business C could as well. So userID + business ID would be globally unique. I'll have several million of these entries.
The only way I could see this requirement fulfilled is by using a multi-domain AD. For example businessA.Corp.com, businessB.Corp.com, and businessC.Corp.com. All business domains as child domains of Corp.com. AccountNames must be unique in a domain.

Jesse Hamrick
 
Sorry for the terminology confusion. Like I said previously, I am very new to LDAP. I used the word Schema because several articles I've read refer to "LDAP Schema Design". I took it to mean the design of the hierarchical tree of entries.

Other info that may help clarify: I'll be using LDAP on Linux (OpenLDAP) and the only client(s) that will use it for authentication are web sites (Ruby on Rails apps). ActiveDirectory is a Windows technology, right? We won't be doing anything with Windows.

Conceptually, I see the hierarchical LDAP tree I need to be just what you described. But there are issues I can't figure out how to get around. For example, I won't have a domain name to associate with every client. So I'll probably need to use the name. In fact, I'd rather use the account ID instead so I don't get into spelling issues. I'm not sure what ObjectClasses I'll need to build that.

Furthermore, I don't have a handle on what the LDIF entry would look like to put an entry into such a tree.

I really appreciate your feedback. Thank You!
 
Thanks for the note. I ended up buying the LDIF chapter from O'Reilly.

So I have my server running and I created a skeleton schema just to see if I can get something to work. What I have below *seems* to work. Although I don't know enough about this stuff to know if I'm doing something obscene or not.

I'd really like to store the customer ID at the "actual customer" level of the tree, but after reading through the organization and organizationalUnit docs on the net it doesn't seem like that's possible. Is the only possibility to use that ID instead of the name? In other words, instead of

dn: ou=example-customer-1, ou=business-entity, dc=my-domain,dc=com
objectclass: organizationalUnit
ou: example-customer-1

Do this (where 123456 is example-customer-1's account ID)


dn: ou=123456, ou=business-entity, dc=my-domain,dc=com
objectclass: organizationalUnit
ou: 123456

*********************************
*** Here is my quick test ****
*********************************

# Root node
dn: dc=my-domain,dc=com
objectclass: organization
objectclass: dcObject
o: my-domain.com
dc: my-domain

# Container to hold customers
dn: ou=business-entity, dc=my-domain,dc=com
objectclass: organizationalUnit
ou: business-entity

# Actual customer #1
dn: ou=example-customer-1, ou=business-entity, dc=my-domain,dc=com
objectclass: organizationalUnit
ou: example-customer-1

# Actual customer #2
dn: ou=example-customer-2, ou=business-entity, dc=my-domain,dc=com
objectclass: organizationalUnit
ou: example-customer-2

#example-customer-1 has its own customers.
dn: cn=John Doe, ou=example-customer-1, ou=business-entity, dc=my-domain,dc=com
objectclass: inetOrgPerson
cn: John Doe
sn: Doe
uid: jdoe

#example-customer-2 has the exact same customer
dn: cn=John Doe, ou=example-customer-2, ou=business-entity, dc=my-domain,dc=com
objectclass: inetOrgPerson
cn: John Doe
sn: Doe
uid: jdoe
 
I think I have something that will work. I really got stuck on trying to specify roles. I spent a ton of time researching and came to the realization that LDAP doesn't do roles well. The closest thing I could find was groupOfUniqueNames. However, I read some Netscape docs indicating a schema like this would not scale well if the group contained 100's of thousands of members. As noted in an earlier post, I'll probably have millions.

I also saw something that would fit really well called inetUser. That objectClass has a memberOf attribute and the examples I saw were used in a login scenario with users and groups. Problem is, I can't find that schema definition anywhere. It seems like it's proprietary to iPlanet.

At any rate, I cobbled together this. I have a node for all the roles. I can query that to get a list of all the role DNs that exist in the system. Then I take that string and set it in the employeeType field. I'm a little concerned because I'm re-using the employeeType field for something the schema developers probably intended.

Comments wanted :)



# Root node
dn: dc=my-domain,dc=com
objectclass: organization
objectclass: dcObject
o: my-domain.com
dc: my-domain

#####################################
#### ROLES ####
#####################################

# Create a container for all the roles
dn: ou=roles, dc=my-domain,dc=com
objectclass: organizationalUnit
ou: roles

# Now create all the roles.
dn: cn=WEB_USER, ou=roles, dc=my-domain,dc=com
objectclass: organizationalRole
cn: WEB_USER
description: Role associated with users that can browse basic functionality on the web site

dn: cn=WEB_ADMIN, ou=roles,dc=my-domain,dc=com
objectclass: organizationalRole
cn: WEB_ADMIN
description: Role associated with web site administrators

#####################################
#### OUR CUSTOMERS ####
#####################################

# Container to store our customers
dn: ou=business-entities, dc=my-domain,dc=com
objectclass: organizationalUnit
ou: business-entities
description: This branch contains all of our customers

# Add a customer. The ou is the customer ID, the description contains the customer's business name
dn: ou=12345, ou=business-entities, dc=my-domain,dc=com
objectclass: organizationalUnit
ou: 12345
description: example-customer-1

# Add another customer
dn: ou=12346, ou=business-entities, dc=my-domain,dc=com
objectclass: organizationalUnit
ou: 12346
description: example-customer-2

######################################
#### OUR CUSTOMER'S OWN CUSTOMERS ####
######################################

# Note that We are using 'employeeType' to store roles

# example-customer-1 has its own customers. Those customers have a login, SHA encrypted password, and they have roles
dn: uid=jdoe, ou=12345, ou=business-entities, dc=my-domain,dc=com
objectclass: inetOrgPerson
cn: John Doe
sn: Doe
uid: jdoe
userPassword: {SHA}fDYHuOYbzxlE6ehQOmYPIfS28/E=
employeeNumber: 0000001
displayName: Mr. John Doe
employeeType: cn=WEB_ADMIN, ou=roles,dc=my-domain,dc=com
employeeType: cn=WEB_USER, ou=roles, dc=my-domain,dc=com


#Add a customer to example-customer-2
dn: uid=jdoe, ou=12346, ou=business-entities, dc=my-domain,dc=com
objectclass: inetOrgPerson
cn: John Doe
sn: Doe
uid: jdoe
userPassword: {SHA}MnJ37bUexAyoh4hd3C6d3Lk/cQc=
employeeNumber: 0000002
displayName: Dr. John Doe
employeeType: cn=WEB_USER, ou=roles, dc=my-domain,dc=com
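The two LDIF posts above raise three practical questions that are easier to see in running code: whether the same uid under two business OUs is really fine (it is, because the DN is the identity, so uniqueness only has to hold within one OU), how the employeeType role references should be compared and validated (the posted values differ in whitespace after the commas, so they must be normalized before comparison and each should resolve to an existing organizationalRole entry), and how the {SHA} userPassword values are checked. The Python below is an added example, not code from this thread or from OpenLDAP. It assumes the tree layout of the final post (ou=roles and ou=business-entities under dc=my-domain,dc=com), uses a constructed sample LDIF with passwords generated from constructed plaintexts, and the helper names (parse_ldif, users_by_business, roles_of, authenticate) are the example's own. It also goes one step beyond the post by handling OpenLDAP's salted {SSHA} scheme alongside the unsalted {SHA} the post uses, and by escaping the business ID before it is placed in a DN.

```python
import base64
import hashlib
import hmac
import re
from collections import defaultdict

def sha_hash(password):  # unsalted {SHA} userPassword value, the scheme used in the thread's LDIF
    return "{SHA}" + base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()

def ssha_hash(password, salt):
    """Salted {SSHA} value (slappasswd's default): base64(sha1(pw + salt) + salt)."""
    return "{SSHA}" + base64.b64encode(hashlib.sha1(password.encode() + salt).digest() + salt).decode()

def check_password(stored, candidate):
    """Constant-time check of a {SHA} or {SSHA} value; for {SSHA} the salt trails the 20-byte digest."""
    scheme, _, encoded = stored.partition("}")
    raw = base64.b64decode(encoded)
    salt = raw[20:] if scheme == "{SSHA" else b""
    return scheme in ("{SHA", "{SSHA") and hmac.compare_digest(raw[:20], hashlib.sha1(candidate.encode() + salt).digest())

def escape_rdn_value(value):
    """Escape the RFC 4514 special characters so untrusted input cannot add RDNs to a DN."""
    return re.sub(r'([,+"\\<>;=])', r"\\\1", value)

def normalize_dn(dn):
    """Comparison form: no spaces around RDNs, lower-cased (cn/ou/dc match case-insensitively)."""
    return ",".join(part.strip() for part in re.split(r"(?<!\\),", dn)).lower()

def parse_ldif(text):
    """Minimal LDIF reader -> {normalized dn: {attr: [values]}}; skips comments, no base64 values."""
    entries, current = {}, None
    for line in text.splitlines() + [""]:  # sentinel flushes the last entry
        if line.startswith("#"):
            continue
        if not line.strip():
            if current is not None:
                entries[normalize_dn(current["dn"][0])] = current
            current = None
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            current = defaultdict(list)
        current[attr].append(value)
    return entries

def users_by_business(entries):
    """Map business DN -> {uid: user DN}; a uid may repeat across businesses but not within one."""
    index = defaultdict(dict)
    for dn, attrs in entries.items():
        if "inetorgperson" not in [c.lower() for c in attrs["objectclass"]]:
            continue
        business, uid = dn.split(",", 1)[1], attrs["uid"][0].lower()
        if uid in index[business]:
            raise ValueError(f"duplicate uid {uid!r} under {business}")
        index[business][uid] = dn
    return index

def roles_of(entries, user_dn):
    """Resolve employeeType DNs to role names; each must point at an existing organizationalRole."""
    roles = set()
    for raw in entries[user_dn].get("employeetype", []):
        role = entries.get(normalize_dn(raw))
        if role is None or "organizationalrole" not in [c.lower() for c in role["objectclass"]]:
            raise ValueError(f"unknown role reference {raw!r} on {user_dn}")
        roles.add(role["cn"][0])
    return roles

def authenticate(entries, business_id, uid, password):
    """Role names for (business, uid) on success; None for an unknown user or a bad password."""
    business = normalize_dn(f"ou={escape_rdn_value(business_id)},ou=business-entities,dc=my-domain,dc=com")
    user_dn = users_by_business(entries).get(business, {}).get(uid.lower())
    if user_dn is None or not check_password(entries[user_dn]["userpassword"][0], password):
        return None
    return roles_of(entries, user_dn)

# Constructed sample modelled on the thread's final LDIF; hashes come from constructed plaintexts.
SAMPLE_LDIF = """\
dn: cn=WEB_USER,ou=roles,dc=my-domain,dc=com
objectclass: organizationalRole
cn: WEB_USER

dn: cn=WEB_ADMIN,ou=roles,dc=my-domain,dc=com
objectclass: organizationalRole
cn: WEB_ADMIN

dn: uid=jdoe,ou=12345,ou=business-entities,dc=my-domain,dc=com
objectclass: inetOrgPerson
uid: jdoe
userPassword: %s
employeeType: cn=WEB_ADMIN, ou=roles,dc=my-domain,dc=com
employeeType: cn=WEB_USER, ou=roles, dc=my-domain,dc=com

dn: uid=jdoe,ou=12346,ou=business-entities,dc=my-domain,dc=com
objectclass: inetOrgPerson
uid: jdoe
userPassword: %s
employeeType: cn=WEB_USER, ou=roles, dc=my-domain,dc=com
""" % (ssha_hash("customer-one-pass", b"\x01\x02\x03\x04"), ssha_hash("customer-two-pass", b"\x05\x06\x07\x08"))
```

Running `authenticate(parse_ldif(SAMPLE_LDIF), "12345", "jdoe", "customer-one-pass")` returns the set of role names for that business's jdoe, while the same password against business 12346 returns None, which is exactly the "userID + business ID is the unique key" behaviour the thread wants. Lookups are done against the parsed index rather than by sending a string-built filter to a directory, and the business ID is escaped before it is placed in a DN, so a value containing a comma cannot turn into an extra RDN.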
 