
Design LDAP schema for Nasqueron login and identity services
Open, Needs Triage. Public.

Description

Nasqueron doesn't currently have a unified LDAP server.

Goals

  • Store data about users, both humans and machine accounts
  • Authenticate users

Specific needs

  • What information do we include in the LDAP?
    • Do we allow each application to request LDAP fields?
    • The Espace Win experience showed that sharing fields such as interests or location between phpBB and our IRC eggdrop worked well
    • On the other hand, most applications use a different format to store the same information, and maintaining patches for each of them is cumbersome
  • How do we interact with projects we collaborate with?

Schema design

The Active Directory and Novell eDirectory schemas give a good idea of how to store account information successfully.

Other well-known schemas are:

We can design a schema from scratch or pick one of those, and extend it.

OpenLDAP ships with some of those out of the box.

Pitfalls

  • Modern TLS clients reject certificates signed with SHA-1, so the X.509 certificates used for LDAPS and StartTLS must be signed with SHA-256 or stronger. This applies to every certificate in the chain the server presents (intermediate CAs included), not only to the leaf.
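A check for this pitfall, as an added example (it is not Nasqueron's tooling): it reads the signatureAlgorithm field of a DER-encoded certificate with a minimal ASN.1 walker from the standard library, so it runs offline without openssl. The two certificates at the bottom are constructed shells with the right outer structure (empty tbsCertificate and signatureValue) and are not real certificates; in practice you feed it the DER of each certificate the LDAP server presents.

```python
"""Detect X.509 certificates whose signature uses SHA-1.

Added example, not Nasqueron's tooling. It walks the outer structure of a
DER Certificate (RFC 5280):
  SEQUENCE { tbsCertificate, signatureAlgorithm AlgorithmIdentifier, signatureValue }
and decodes the OID inside signatureAlgorithm. Standard library only.
"""
from typing import Tuple

# Signature algorithm OIDs whose digest is SHA-1 (RFC 3279, RFC 8017).
SHA1_SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.10040.4.3": "dsaWithSHA1",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
}

SEQUENCE, OID, NULL, BIT_STRING = 0x30, 0x06, 0x05, 0x03


def read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, content, position after the element) for the DER TLV at pos."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4:        # indefinite or absurd length: not DER
            raise ValueError("invalid DER length")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:end], end


def decode_oid(content: bytes) -> str:
    """Decode OBJECT IDENTIFIER content octets (base-128, high bit = continue)."""
    arcs, n, pending = [], 0, False
    for b in content:
        n = (n << 7) | (b & 0x7F)
        pending = bool(b & 0x80)
        if not pending:
            arcs.append(n)
            n = 0
    if pending or not arcs:
        raise ValueError("malformed OID")
    first = arcs[0]                      # first two arcs are packed as 40*X + Y
    head = [first // 40, first % 40] if first < 80 else [2, first - 80]
    return ".".join(str(a) for a in head + arcs[1:])


def encode_oid(dotted: str) -> bytes:
    """Inverse of decode_oid; used here to build the constructed samples."""
    arcs = [int(a) for a in dotted.split(".")]
    if len(arcs) < 2 or arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError("invalid OID")
    out = bytearray()
    for arc in [arcs[0] * 40 + arcs[1]] + arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk.insert(0, (arc & 0x7F) | 0x80)
            arc >>= 7
        out += chunk
    return bytes(out)


def der(tag: int, content: bytes) -> bytes:
    """Wrap content in a definite-length DER TLV."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def certificate_signature_oid(cert_der: bytes) -> str:
    """Extract the dotted signatureAlgorithm OID from a DER Certificate."""
    tag, cert, _ = read_tlv(cert_der, 0)
    if tag != SEQUENCE:
        raise ValueError("Certificate must be a SEQUENCE")
    tag, _tbs, pos = read_tlv(cert, 0)        # tbsCertificate: skipped entirely
    if tag != SEQUENCE:
        raise ValueError("tbsCertificate must be a SEQUENCE")
    tag, alg, _ = read_tlv(cert, pos)         # signatureAlgorithm
    if tag != SEQUENCE:
        raise ValueError("signatureAlgorithm must be a SEQUENCE")
    tag, oid, _ = read_tlv(alg, 0)
    if tag != OID:
        raise ValueError("AlgorithmIdentifier must start with an OID")
    return decode_oid(oid)


def uses_sha1_signature(cert_der: bytes) -> bool:
    return certificate_signature_oid(cert_der) in SHA1_SIGNATURE_OIDS


def fake_certificate(sig_alg_oid: str) -> bytes:
    """Constructed sample: a Certificate shell with an empty tbsCertificate and
    signatureValue but a real AlgorithmIdentifier. Not a valid certificate."""
    alg = der(SEQUENCE, der(OID, encode_oid(sig_alg_oid)) + der(NULL, b""))
    return der(SEQUENCE, der(SEQUENCE, b"") + alg + der(BIT_STRING, b"\x00"))


WEAK_CERT = fake_certificate("1.2.840.113549.1.1.5")    # sha1WithRSAEncryption
GOOD_CERT = fake_certificate("1.2.840.113549.1.1.11")   # sha256WithRSAEncryption

if __name__ == "__main__":
    for label, cert in (("weak", WEAK_CERT), ("good", GOOD_CERT)):
        print(label, certificate_signature_oid(cert),
              "SHA-1!" if uses_sha1_signature(cert) else "ok")
```

The walker only looks at the signatureAlgorithm field, which is all this pitfall needs; it deliberately skips tbsCertificate, so it says nothing about validity, expiry or the subject. Run it over every certificate in the chain, since a SHA-1 intermediate fails the handshake just as a SHA-1 leaf does.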

Event Timeline

ASN.1 object identifier (OID)

Private Enterprise Numbers are identifiers that can be used in SNMP configurations, in LDAP configurations, and wherever the use of an ASN.1 object identifier (OID) is appropriate. They are maintained by IANA.

The PEN prefix for Nasqueron is 1.3.6.1.4.1.60024.

LDAP prefixes are assigned as follows:

Prefix                       Purpose
1.3.6.1.4.1.60024.100.       LDAP extensions
1.3.6.1.4.1.60024.100.1.     LDAP attributes
1.3.6.1.4.1.60024.100.2.     LDAP objectClasses
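A worked example of how the arcs in the table above turn into an OpenLDAP schema file, which also serves the Schema design section: an added illustration, not Nasqueron's actual schema. The element names (nasqueronIrcNick, nasqueronInterests, nasqueronLocation, nasqueronPerson) are hypothetical placeholders for the kind of shared profile fields the task mentions. The allocator hands out consecutive OIDs under 100.1 and 100.2, rejects reuse of a short name and references to undeclared attributes, both of which slapd would also refuse to load.

```python
"""Allocate OIDs under the Nasqueron PEN arcs and render an OpenLDAP schema file.

Added example, not Nasqueron's own schema. Arcs follow the task's table:
100.1 for attributes and 100.2 for objectClasses. The element names and
descriptions below are hypothetical placeholders.
"""
from dataclasses import dataclass, field
from typing import List

PEN = "1.3.6.1.4.1.60024"
ATTRIBUTE_ARC = PEN + ".100.1"
OBJECTCLASS_ARC = PEN + ".100.2"

# Syntax OIDs from RFC 4517.
DIRECTORY_STRING = "1.3.6.1.4.1.1466.115.121.1.15"
IA5_STRING = "1.3.6.1.4.1.1466.115.121.1.26"

# Attributes an objectClass may reference without declaring them here
# (they come from OpenLDAP's core schema, RFC 4519).
CORE_ATTRIBUTES = {"uid", "cn", "sn", "mail"}


@dataclass
class Attribute:
    name: str
    desc: str
    syntax: str = DIRECTORY_STRING
    equality: str = "caseIgnoreMatch"
    substr: str = "caseIgnoreSubstringsMatch"
    single_value: bool = True
    oid: str = ""          # filled in by Schema.add_attribute


@dataclass
class ObjectClass:
    name: str
    desc: str
    sup: str = "top"
    kind: str = "AUXILIARY"
    must: List[str] = field(default_factory=list)
    may: List[str] = field(default_factory=list)
    oid: str = ""          # filled in by Schema.add_objectclass


def classify_oid(oid: str) -> str:
    """Tell which arc of the table an OID falls under ('foreign' if none)."""
    if oid.startswith(ATTRIBUTE_ARC + "."):
        return "attribute"
    if oid.startswith(OBJECTCLASS_ARC + "."):
        return "objectClass"
    if oid.startswith(PEN + "."):
        return "nasqueron-other"
    return "foreign"


class Schema:
    """Hands out consecutive OIDs under each arc; refuses to reuse a short name
    (LDAP names are case-insensitive) and rejects dangling attribute references."""

    def __init__(self) -> None:
        self.attributes: List[Attribute] = []
        self.classes: List[ObjectClass] = []
        self._names = set()

    def _reserve_name(self, name: str) -> None:
        if name.lower() in self._names:
            raise ValueError(f"duplicate schema element name: {name}")
        self._names.add(name.lower())

    def add_attribute(self, attr: Attribute) -> str:
        self._reserve_name(attr.name)
        attr.oid = f"{ATTRIBUTE_ARC}.{len(self.attributes) + 1}"
        self.attributes.append(attr)
        return attr.oid

    def add_objectclass(self, oc: ObjectClass) -> str:
        declared = {a.name.lower() for a in self.attributes} | CORE_ATTRIBUTES
        for ref in oc.must + oc.may:
            if ref.lower() not in declared:
                raise ValueError(f"{oc.name} references undeclared attribute {ref}")
        self._reserve_name(oc.name)
        oc.oid = f"{OBJECTCLASS_ARC}.{len(self.classes) + 1}"
        self.classes.append(oc)
        return oc.oid

    def render(self) -> str:
        """Emit slapd.conf-style schema directives (RFC 4512 descriptions)."""
        out = []
        for a in self.attributes:
            out.append(f"attributetype ( {a.oid} NAME '{a.name}'")
            out.append(f"    DESC '{a.desc}'")
            out.append(f"    EQUALITY {a.equality}")
            if a.substr:
                out.append(f"    SUBSTR {a.substr}")
            out.append(f"    SYNTAX {a.syntax}" + (" SINGLE-VALUE" if a.single_value else "") + " )")
        for c in self.classes:
            out.append(f"objectclass ( {c.oid} NAME '{c.name}'")
            out.append(f"    DESC '{c.desc}'")
            out.append(f"    SUP {c.sup} {c.kind}")
            if c.must:
                out.append("    MUST ( " + " $ ".join(c.must) + " )")
            if c.may:
                out.append("    MAY ( " + " $ ".join(c.may) + " )")
            out[-1] += " )"
        return "\n".join(out) + "\n"


def build_example_schema() -> Schema:
    """Hypothetical profile fields of the kind the task mentions (IRC nick, interests, location)."""
    s = Schema()
    s.add_attribute(Attribute("nasqueronIrcNick", "Primary IRC nickname", syntax=IA5_STRING,
                              equality="caseIgnoreIA5Match", substr="caseIgnoreIA5SubstringsMatch"))
    s.add_attribute(Attribute("nasqueronInterests", "Interests shared between forum and IRC bot",
                              single_value=False))
    s.add_attribute(Attribute("nasqueronLocation", "Self-reported location"))
    s.add_objectclass(ObjectClass("nasqueronPerson", "Profile fields shared by Nasqueron applications",
                                  may=["uid", "nasqueronIrcNick", "nasqueronInterests", "nasqueronLocation"]))
    return s


if __name__ == "__main__":
    print(build_example_schema().render(), end="")
```

Numbering is by insertion order, so an OID, once published, must never be reassigned: treat the rendered file as append-only and add new elements at the end. Keeping applications on one AUXILIARY class such as this one is what lets phpBB and the IRC bot read the same interests field instead of each storing its own copy.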