xdocs/howto/ldap-howto.xml - turbine-core - Git at Google

 <?xml version="1.0"?>

 <!--
  Licensed to the Apache Software Foundation (ASF) under one
  or more contributor license agreements.  See the NOTICE file
  distributed with this work for additional information
  regarding copyright ownership.  The ASF licenses this file
  to you under the Apache License, Version 2.0 (the
  "License"); you may not use this file except in compliance
  with the License.  You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

  Unless required by applicable law or agreed to in writing,
  software distributed under the License is distributed on an
  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
  KIND, either express or implied.  See the License for the
  specific language governing permissions and limitations
  under the License.
 -->

 <document>

  <properties>
    <title>LDAP Howto</title>
    <author email="frank.nolden@maxware.nl">Frank W. Nolden</author>
    <author email="jon@latchkey.com">Jon S. Stevens</author>
  </properties>

  <body>

  <section name="LDAP Details">
   <p>
 These are the details on how we came up with this schema for
 putting the user-group-permission tables in an LDAP directory. We want to
 start with the fact that for the schema proposed we have taken all new
 objectClasses and Attributes preceded by turbine to indicate that they are
 Turbine specific. We have thought about using the standard and available
 LDAP objectClasses and attributes, but finally decided to start the
 discussion with the turbine stuff.
 </p>
 <p>
 We also had to make some assumptions regarding the present use of the
 user-group-permission tables. This gave us the following schema:
   </p>
  </section>
  <section name="Schema">
 <source>
 -- Attribute types --

 ( 1000.1.1
   NAME 'turbineGroupMember'
   DESC ''
   EQUALITY caseIgnoreMatch
   SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
 )

 ( 1000.1.2
   NAME 'turbineObjectData'
   DESC ''
   SYNTAX 1.3.6.1.4.1.1466.115.121.1.40
 )

 ( 1000.1.3
   NAME 'turbinePermission'
   DESC ''
   EQUALITY caseIgnoreMatch
   SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
 )

 ( 1000.1.4
   NAME 'turbineRoleMember'
   DESC ''
   EQUALITY caseIgnoreMatch
   SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
 )

 ( 1000.1.5
   NAME 'turbineUserCreationDate'
   DESC ''
   EQUALITY caseIgnoreMatch
   SYNTAX 1.3.6.1.4.1.1466.115.121.1.53
   SINGLE-VALUE
 )

 ( 1000.1.6
   NAME 'turbineUserFirstName'
   DESC ''
   EQUALITY caseIgnoreMatch
   SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
 )

 ( 1000.1.7
   NAME 'turbineUserLastLogon'
   DESC ''
   EQUALITY caseIgnoreMatch
   SYNTAX 1.3.6.1.4.1.1466.115.121.1.53
   SINGLE-VALUE
 )

 ( 1000.1.8
   NAME 'turbineUserLastModifiedTime'
   DESC ''
   EQUALITY caseIgnoreMatch
   SYNTAX 1.3.6.1.4.1.1466.115.121.1.53
   SINGLE-VALUE
 )

 ( 1000.1.9
   NAME 'turbineUserLastName'
   DESC ''
   EQUALITY caseIgnoreMatch
   SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
 )

 ( 1000.1.10
   NAME 'turbineUserMailAddress'
   DESC ''
   EQUALITY caseIgnoreIA5Match
   SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
 )

 ( 1000.1.11
   NAME 'turbineUserPassword'
   DESC ''
   EQUALITY caseExactMatch
   SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
   SINGLE-VALUE
 )

 ( 1000.1.12
   NAME 'turbineUserUniqueId'
   DESC ''
   EQUALITY caseIgnoreMatch
   SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
   SINGLE-VALUE
 )
 -- Object classes --

 ( 1000.2.1
   NAME 'turbineGroup'
   DESC 'Turbine group'
   SUP top
   AUXILIARY
   MAY ( turbineGroupMember $ turbineObjectData )
 )

 ( 1000.2.2
   NAME 'turbineRole'
   DESC 'Turbine role'
   SUP top
   AUXILIARY
   MAY ( turbineObjectData $ turbinePermission $ turbineRoleMember )
 )

 ( 1000.2.3
   NAME 'turbineUser'
   DESC 'Turbine user'
   SUP top
   AUXILIARY
   MUST ( turbineUserUniqueId )
   MAY ( turbineObjectData $ turbineUserCreationDate $ turbineUserFirstName $
 turbineUserLastLogon $ turbineUserLastModifiedTime $ turbineUserLastName $
 turbineUserMailAddress $ turbineUserPassword )
 )
 </source>
  </section>
 <section name="More Details">
 <p>
 We have turbineRole that can have many turbinePermission entries. These
 are DN pointing to the turbinePermission objects. turbineUser will hold
 all user related information. turbineGroup can hold in the
 turbineGroupMember DNs of turbineUser objects. Thus having multiple
 users being member of a group. There is however no relation with role at
 this stage. The relation role - user is stored in the turbineRole
 having multiple DNs in turbineRoleMember. Then we have a user - role
 relation thus giving user permission via roles they can perform. There
 is no relation between role - user - group in one record. This could be
 possible with the DB model, but we could you put this dependency in the
 hierarchical structure of a directory. With the separate user - role and
 user - group relations we thought we'd have the most desired relations.
 </p>
 <p>
 Please note that the Object Identifiers (OID) in this example are not
 real ones. When we go for the turbine objectClasses and attributes
 Turbine (or Apache) have to register (if they not already have) their
 own OID starting point in the IANA tree. We are fully open for discussion
 and appreciate your feedback on the mailing list.
 </p>
 </section>
  </body>
 </document>
	<?xml version="1.0"?>

	<!--
	Licensed to the Apache Software Foundation (ASF) under one
	or more contributor license agreements. See the NOTICE file
	distributed with this work for additional information
	regarding copyright ownership. The ASF licenses this file
	to you under the Apache License, Version 2.0 (the
	"License"); you may not use this file except in compliance
	with the License. You may obtain a copy of the License at

	http://www.apache.org/licenses/LICENSE-2.0

	Unless required by applicable law or agreed to in writing,
	software distributed under the License is distributed on an
	"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
	KIND, either express or implied. See the License for the
	specific language governing permissions and limitations
	under the License.
	-->

	<document>

	<properties>
	<title>LDAP Howto</title>
	<author email="frank.nolden@maxware.nl">Frank W. Nolden</author>
	<author email="jon@latchkey.com">Jon S. Stevens</author>
	</properties>

	<body>

	<section name="LDAP Details">
	<p>
	These are the details on how we came up with this schema for
	putting the user-group-permission tables in an LDAP directory. We want to
	start with the fact that for the schema proposed we have taken all new
	objectClasses and Attributes preceded by turbine to indicate that they are
	Turbine specific. We have thought about using the standard and available
	LDAP objectClasses and attributes, but finally decided to start the
	discussion with the turbine stuff.
	</p>
	<p>
	We also had to make some assumptions regarding the present use of the
	user-group-permission tables. This gave us the following schema:
	</p>
	</section>
	<section name="Schema">
	<source>
	-- Attribute types --

	( 1000.1.1
	NAME 'turbineGroupMember'
	DESC ''
	EQUALITY caseIgnoreMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
	)

	( 1000.1.2
	NAME 'turbineObjectData'
	DESC ''
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.40
	)

	( 1000.1.3
	NAME 'turbinePermission'
	DESC ''
	EQUALITY caseIgnoreMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
	)

	( 1000.1.4
	NAME 'turbineRoleMember'
	DESC ''
	EQUALITY caseIgnoreMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
	)

	( 1000.1.5
	NAME 'turbineUserCreationDate'
	DESC ''
	EQUALITY caseIgnoreMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.53
	SINGLE-VALUE
	)

	( 1000.1.6
	NAME 'turbineUserFirstName'
	DESC ''
	EQUALITY caseIgnoreMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
	)

	( 1000.1.7
	NAME 'turbineUserLastLogon'
	DESC ''
	EQUALITY caseIgnoreMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.53
	SINGLE-VALUE
	)

	( 1000.1.8
	NAME 'turbineUserLastModifiedTime'
	DESC ''
	EQUALITY caseIgnoreMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.53
	SINGLE-VALUE
	)

	( 1000.1.9
	NAME 'turbineUserLastName'
	DESC ''
	EQUALITY caseIgnoreMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
	)

	( 1000.1.10
	NAME 'turbineUserMailAddress'
	DESC ''
	EQUALITY caseIgnoreIA5Match
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
	)

	( 1000.1.11
	NAME 'turbineUserPassword'
	DESC ''
	EQUALITY caseExactMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
	SINGLE-VALUE
	)

	( 1000.1.12
	NAME 'turbineUserUniqueId'
	DESC ''
	EQUALITY caseIgnoreMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
	SINGLE-VALUE
	)
	-- Object classes --

	( 1000.2.1
	NAME 'turbineGroup'
	DESC 'Turbine group'
	SUP top
	AUXILIARY
	MAY ( turbineGroupMember $ turbineObjectData )
	)

	( 1000.2.2
	NAME 'turbineRole'
	DESC 'Turbine role'
	SUP top
	AUXILIARY
	MAY ( turbineObjectData $ turbinePermission $ turbineRoleMember )
	)

	( 1000.2.3
	NAME 'turbineUser'
	DESC 'Turbine user'
	SUP top
	AUXILIARY
	MUST ( turbineUserUniqueId )
	MAY ( turbineObjectData $ turbineUserCreationDate $ turbineUserFirstName $
	turbineUserLastLogon $ turbineUserLastModifiedTime $ turbineUserLastName $
	turbineUserMailAddress $ turbineUserPassword )
	)
	</source>
	</section>
	<section name="More Details">
	<p>
	We have turbineRole that can have many turbinePermission entries. These
	are DN pointing to the turbinePermission objects. turbineUser will hold
	all user related information. turbineGroup can hold in the
	turbineGroupMember DNs of turbineUser objects. Thus having multiple
	users being member of a group. There is however no relation with role at
	this stage. The relation role - user is stored in the turbineRole
	having multiple DNs in turbineRoleMember. Then we have a user - role
	relation thus giving user permission via roles they can perform. There
	is no relation between role - user - group in one record. This could be
	possible with the DB model, but we could you put this dependency in the
	hierarchical structure of a directory. With the separate user - role and
	user - group relations we thought we'd have the most desired relations.
	</p>
	<p>
	Please note that the Object Identifiers (OID) in this example are not
	real ones. When we go for the turbine objectClasses and attributes
	Turbine (or Apache) have to register (if they not already have) their
	own OID starting point in the IANA tree. We are fully open for discussion
	and appreciate your feedback on the mailing list.
	</p>
	</section>
	</body>
	</document>