
LDAP

The OpenSkills LDAP service will be the primary source of authentication and authorization information within OpenSkills. The service will know how members can identify themselves (authentication) and which OpenSkills services they may use (authorization).

The service will be implemented using Slaps running in the membership management system. We may also run an OpenLDAP server that replicates from the primary Slaps service.

The LDAP service will be available on ldap.openskills.org.

LDAP Schema Elements - an introduction

LDAP (Lightweight Directory Access Protocol) is a protocol specification, much as the SQL standard is a specification. Just as PostgreSQL implements the SQL standard, OpenLDAP implements LDAPv3. LDAP defines the protocol for accessing a directory (a tree-structured database); it does not define how the server stores the data.

To understand the OpenSkills LDAP Directory structure, we need to understand a little about how LDAP schemas are described.

The LDAP equivalent of a row in a relational database, or an object in an object database, is called an entry. An LDAP directory is a tree of entries: every entry except the root has exactly one parent, and any entry may have zero or more children.

The LDAP equivalent of a relational column, or an object database instance variable, is an attribute. Attributes have a name and a data type (syntax). Unlike a column, an attribute may hold several values at once; a person entry can list two mail addresses under the single attribute mail.

Every entry can be identified by name. The absolute name of an entry is known as the Distinguished Name (or DN). It is the entry's own name followed by the names of all its parents up to the root of the tree. The local name of an entry is known as the Relative Distinguished Name (or RDN). For example, in uid=jdoe,ou=people,dc=openskills,dc=org the RDN is uid=jdoe and the parent's DN is ou=people,dc=openskills,dc=org. Every DN must be unique within the directory, which boils down to: an entry cannot have the same RDN as one of its siblings.

An entry must be an instance of one or more objectClasses. An objectClass is similar to a relational table definition, or an object database class: it lists the attributes an entry of that class must have (MUST) and may have (MAY). Because an entry can belong to more than one objectClass, this looks a little like multiple inheritance, but really, as will be seen, it is much simpler: the attribute sets of the classes are merged.

The OpenSkills LDAP Directory Structure

The OpenSkills Directory will take the form of a shallow hierarchy. The base of the tree will be dc=openskills,dc=org and beneath it will be divisions for:

ou=people: entries for any persons registered with OpenSkills

ou=devices: entries for hosts and other devices that form part of the OpenSkills.org infrastructure

The principal advantage of dividing the tree at this level is that further subtrees can be added to the Directory later on. The advantages of keeping the tree fairly flat are simplicity and manageability, and a flat tree avoids exposing organizational detail in the shape of the tree itself.
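The tree, DN and objectClass rules described above can be checked mechanically before anything is loaded into the directory. The following is an added Python example, not code from the OpenSkills page or project: it parses a small LDIF fragment laid out as described, using only the dc=openskills,dc=org, ou=people and ou=devices names from this page, and reports entries whose parent is missing, whose DN collides with a sibling, whose RDN is not one of the entry's own attribute values, or which lack a MUST attribute of one of their objectClasses. The sample entries, their values and the cut-down schema table are constructed assumptions.

```python
"""Consistency checks for an OpenSkills-style LDAP tree held in LDIF.
Added example, not code from the OpenSkills page or project. Only the
dc=openskills,dc=org / ou=people / ou=devices layout is from the page; the
entries, values and cut-down schema table are constructed for illustration.
"""

# Cut-down schema: objectClass -> (superior, MUST attributes). Real schema
# files also carry MAY lists, syntaxes and OIDs; this table is an assumption.
SCHEMA = {
    "top": (None, {"objectclass"}),
    "dcObject": ("top", {"dc"}),
    "organization": ("top", {"o"}),
    "organizationalUnit": ("top", {"ou"}),
    "person": ("top", {"sn", "cn"}),
    "organizationalPerson": ("person", set()),
    "inetOrgPerson": ("organizationalPerson", set()),
}
SCHEMA_LC = {name.lower(): spec for name, spec in SCHEMA.items()}
BASE_DN = "dc=openskills,dc=org"

# Constructed sample directory (one person, two mail values).
SAMPLE_LDIF = """\
dn: dc=openskills,dc=org
objectClass: dcObject
objectClass: organization
dc: openskills
o: OpenSkills

dn: ou=people,dc=openskills,dc=org
objectClass: organizationalUnit
ou: people

dn: ou=devices,dc=openskills,dc=org
objectClass: organizationalUnit
ou: devices

dn: uid=jdoe,ou=people,dc=openskills,dc=org
objectClass: inetOrgPerson
uid: jdoe
cn: Jane Doe
sn: Doe
mail: jdoe@example.org
mail: jane.doe@example.org
"""


def parse_ldif(text):
    """[(dn, attrs)] in file order; attrs maps lowercase attribute names to
    value lists (attributes are multi-valued). No "::" base64 or line folding."""
    entries = []
    for record in text.strip().split("\n\n"):
        dn, attrs = None, {}
        for line in record.splitlines():
            if not line.strip() or line.startswith("#"):
                continue
            name, _, value = line.partition(":")
            name, value = name.strip().lower(), value.strip()
            if name == "dn":
                dn = value
            else:
                attrs.setdefault(name, []).append(value)
        if dn is None:
            raise ValueError("LDIF record without a dn line")
        entries.append((dn, attrs))
    return entries


def split_dn(dn):
    """(RDN, parent DN): the leftmost component and the rest.
    Assumes no escaped commas inside RDN values."""
    head, _, rest = dn.partition(",")
    return head.strip(), rest.strip()


def required_attrs(object_classes):
    """(MUST attributes following superior chains, unknown objectClass names)."""
    needed, unknown = set(), set()
    for oc in object_classes:
        while oc is not None:
            spec = SCHEMA_LC.get(oc.lower())
            if spec is None:
                unknown.add(oc)
                break
            superior, must = spec
            needed |= must
            oc = superior
    return needed, unknown


def validate(entries, base_dn=BASE_DN):
    """Return a list of problems; an empty list means the tree is consistent."""
    problems, seen = [], set()
    for dn, _ in entries:
        if dn.lower() in seen:  # DNs compare case-insensitively
            problems.append(f"{dn}: duplicate DN")
        seen.add(dn.lower())
    for dn, attrs in entries:
        rdn, parent = split_dn(dn)
        if dn.lower() != base_dn.lower() and parent.lower() not in seen:
            problems.append(f"{dn}: parent entry {parent} does not exist")
        name, _, value = rdn.partition("=")
        if value.lower() not in [v.lower() for v in attrs.get(name.lower(), [])]:
            problems.append(f"{dn}: naming attribute {name}={value} is not a value of the entry")
        classes = attrs.get("objectclass", [])
        if not classes:
            problems.append(f"{dn}: no objectClass")
        needed, unknown = required_attrs(classes)
        for oc in sorted(unknown):
            problems.append(f"{dn}: unknown objectClass {oc}")
        for attr in sorted(needed - set(attrs)):
            problems.append(f"{dn}: missing MUST attribute {attr}")
    return problems
```

Running such a check over LDIF before loading it catches the errors that slapadd or ldapadd would otherwise reject one at a time; a real deployment would take the MUST and MAY lists from the server's published schema rather than from the cut-down table.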

The OpenSkills LDAP Schema

Entries within the ou=people subtree will hold information about anyone registered with OpenSkills. This will include contact information, location, OpenSkills UID, password hash(es) (stored as a salted one-way hash, not reversible encryption and never cleartext), as well as attributes for membership status, service access etc.

To this end, an objectClass "openSkillsMember" will be required, extending inetOrgPerson with attributes not already available in the existing objectClasses person, organizationalPerson and inetOrgPerson. (more on this soon -- patrick)

Entries within the ou=devices subtree may include information about the services available on each host, its status, location etc. An objectClass openSkillsDevice may be created, perhaps extending an existing objectClass such as device as necessary.
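For the member password attribute in particular, what goes into the directory should be a salted one-way hash, not a reversible ciphertext and never cleartext. The following is an added Python example, not the OpenSkills project's code: it produces and verifies userPassword values in the {SSHA} scheme that OpenLDAP's slapd checks on a simple bind, and audits a constructed list of values for cleartext and unsalted hashes. The passwords, salts and audit input are constructed for illustration.

```python
"""userPassword storage for an LDAP directory: the salted SHA-1 {SSHA}
scheme that OpenLDAP's slapd verifies on a simple bind.
Added example, not the OpenSkills project's code. Sample passwords, salts
and the audit input are constructed for illustration.
"""
import base64
import hashlib
import hmac
import os

SALT_LEN = 8  # bytes; slapd's own generator uses 4, longer salts are accepted
UNSALTED = {"{SHA}", "{MD5}"}  # schemes where equal passwords give equal values


def ssha_hash(password, salt=None):
    """{SSHA} value: base64(sha1(password || salt) || salt)."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(stored, password):
    """Recompute the hash with the stored salt and compare in constant time."""
    if password_scheme(stored) != "{SSHA}":
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]  # a SHA-1 digest is 20 bytes, salt follows
    expected = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, expected)


def password_scheme(value):
    """The {SCHEME} prefix of a userPassword value, or None for cleartext."""
    if value.startswith("{") and "}" in value:
        return value[: value.index("}") + 1].upper()
    return None


def weak_password_values(entries):
    """Audit (dn, userPassword) pairs: report cleartext and unsalted hashes.
    {CRYPT} is not classified here: its strength depends on the crypt(3) variant."""
    findings = []
    for dn, value in entries:
        scheme = password_scheme(value)
        if scheme is None:
            findings.append(f"{dn}: cleartext")
        elif scheme in UNSALTED:
            findings.append(f"{dn}: {scheme} unsalted")
    return findings
```

{SSHA} is shown because it is the scheme slapd has supported natively for a long time; the SHA-1 here is a salted password hash, not a signature. It is still a fast hash, so a stolen directory dump can be brute-forced offline, which is why read access to userPassword must be denied to everyone but the server itself. Newer OpenLDAP releases add slower schemes such as {ARGON2} through loadable modules, and those are preferable for new deployments.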

Using LDAP Directories for an organisation's Global Address Book

Ximian's Evolution has read and write access to LDAP repositories, so an organisation can keep an updatable global address book in its directory and reach it from Evolution. This has been successfully implemented at a number of organisations. Setup is easy and the cost (other than IT service costs) is zero. You will need OpenLDAP and Ximian Evolution. Because clients write to the directory, the server's access controls, not the client, must restrict who may modify which entries and attributes, and the connection should use TLS (ldaps or STARTTLS) so that bind credentials and member data do not cross the network in the clear.
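The address book is only as safe as the directory's own access controls. The fragment below is an added slapd.conf example for an OpenLDAP server, not configuration from the OpenSkills project; it assumes the dc=openskills,dc=org and ou=people layout from this page and places a weak setting beside a corrected one.

```conf
# Weak: any authenticated client may rewrite every entry, including other
# members' userPassword values, and everything else is readable anonymously.
access to *
    by users write
    by * read

# Corrected. Directives are tried in order and the first one whose "to"
# clause matches an entry decides, so the userPassword rule must come first.

# Refuse every operation that is not protected by TLS of at least 128 bits
# (ldaps:// or STARTTLS).
security ssf=128

# Members may change their own password; anonymous may only use it to bind;
# nobody else may read the hash.
access to attrs=userPassword
    by self write
    by anonymous auth
    by * none

# Clients need the root DSE to discover the server's capabilities.
access to dn.base=""
    by * read

# Each member maintains their own address-book entry; any bound member may
# read the address book; there is no anonymous browsing of member data.
access to dn.subtree="ou=people,dc=openskills,dc=org"
    by self write
    by users read
    by * none

access to *
    by * none
```

With these rules a member bound as uid=...,ou=people,dc=openskills,dc=org can edit only the entry they bound as; anything that should be editable by a group of administrators rather than by the entry's owner needs an explicit "by group" or "by dn" clause added before the "by * none" line.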

Glossary

Installing LDAP

To get LDAP running the following information sources were used:

Useful LDAP Tools

