SRAM provides an LDAP tree for each application, only containing the the entities that are available to that application.
The four entities types are:
- People: Users of SRAM, expressed as
inetOrgPerson(with additional attributes/schemas). Users can be members of groups and collaborations. - Collaborations, expressed as
organization(with additional attributes/schema). - Groups of collaboration members, expressed as
groupOfMembers(with additional attributes/schema). - Applications, expressed as
organization(with additional attributes/schemas)
Entities
Users
Users that are member of the collaboration are present in its ou=People subtree.
| Attribute | Value | Example | Remarks |
|---|---|---|---|
| objectClass |
| Fixed value; ldapPublicKey is only present if a sshPublicKey value is defined; the other values are always present. | |
| uid | Unix-type username and main dn | laurapage12 | Safe to us in Unix-environments; contains no "weird" characters; maximum of 16 characters. Unique in the SRAM platform. |
| cn | Identifier | 47c1c59a3b098d55beaaf555083ff88d9bcba524@sram.eduteams.org | Value is identical to edupersonUniqueID. |
| displayName | Full name | Laura Page, PhD | |
| givenName | First name | Laura | |
| sn | Last name | Page | |
| Email address | laura.page@physics.uniharderwijk.nl | User's prefered email address; single-valued. | |
| edupersonUniqueID | Main platform identifier, also used for cn | 47c1c59a3b098d55beaaf555083ff88d9bcba524@sram.eduteams.org | Platform identifier; persistent, non-reassignable, globally unique and scoped to SRAM. Will not change, even if the user switches to a different login account. |
| eduPersonPrincipalName | scoped identifier | laurapage12@sram.surf.nl | Uid scoped to the SRAM platform. |
| eduPersonScopedAffiliation | Platform role role | member@acc.sram.eduteams.org | Fixed value. |
| voPersonExternalID | Identity as asserted by home institution | lpage23@uniharderwijk.nl | Based on the eduPersonPrincipalName sent by the user's home institution. |
| voPersonExternalAffiliation | Affiliation at home institution | | Based on the eduPersonScopedAffiliation sent by the user's home institution. |
| sramInactiveDays | Number of days the user has not logged in (rounded down) | Value can be:
| |
| sshPublicKey | SSH public key | ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIERo5YJE9lnW1hJzfeHKzrZ04IpJGqOIwL+nyhsfTBKi laura@local | SSH public key uploaded by the user. Can be multi-valued. |
| voPersonPolicyAgreement | The url of the application AUP the user has agreed with | voPersonPolicyAgreement;time-1516593822: http://exmaple.com/AUP | The value of this attribute contains only the URL of the AUP to which the user has agreed; the time of agreement is recorded in an attribute option. See the voPerson specification for more information. If you want to synchronise this value, you need to add olcAttributeOptions: "time-" under cn=config for OpenLDAP deploys. |
| voPersonStatus | active or expired | expired | Expired if the membership of the users for this collaboration has expired or if the users has been suspended from SRAM for inactivity between 12 and 15 months. Note that for the flat ldap tree, a user is set to |
| memberOf | Group memberships | in the in the | The If a user is expired, their group memberships are removed. Specifically, they will still exist under NB: Operational attribute, so not shown by default on most LDAP clients. |
Collaboration
Collaborations are expressed as organizations in the ldap. This structure is only present in the ordered subtree; in the flat subtree, this information is expressed in the *:@all groups
| Attribute | Value | Example | Remarks |
|---|---|---|---|
| objectClass | organization extensibleObject | Fixed value. | |
| o | Identifier |
| identifier consists of the short name of the organization, and the short name of the CO itself, separated by a : |
| uniqueIdentifier | Identifier | da0c3a59-436c-4977-b6d2-981e762c1877 | Unique identifier of the collaboration |
| displayName | Full name of the collaboration | My first CO | unbounded utf8-string as entered in the user interface |
| description | Description of the collaboration | In the "My first CO" we work together on all kinds of stuff | unbounded utf8-string as entered in the user interface |
| businessCategory | Collaboration labels | org_1:label_1 | Labels scoped to an organization and collaboration. |
| labeledURI | Links to CO-specific information. Consist of a URL and a label describing the URL | https://sram.surf.nl/api/images/collaborations/2bf516d8-f70b-4741-a251-e561eccd96ae logo https://sbs.scz-vm.net/collaborations/1 sbs_url | The following labels are supported:
|
| Contact email address(es) of the CO admins | piet.admin@my_co.example.edu | Contains the email addresses of all CO admins. |
Groups
Groups within a collaboration are present in the ou=Groups subtree.
| Attribute | Value | Example | Remarks |
|---|---|---|---|
| objectClass | GroupOfMembers ExtensibleObject | Fixed value. | |
cn | Identifier | in the in the | The components of the group name can only consist of letters, numbers, hyphen and underscore. |
| displayName | Display name | Group Number One | |
| description | Description | This Group is the first test group. You can you it to test stuff in an application. | |
| uniqueIdentifier | Unique identifier for the group | d5738a44-1173-22a8-8769-81722467bbe7 | Unique, persistent identifier for the group. |
| businessCategory | Collaboration labels | Only for the @all groupsorg_1:label_1 | Labels scoped to an organization and collaboration. |
| member | dn of members of the group | in the ordered subtree: in the flat subtree: |
Applications
| Attribute | Value | Example | Remarks |
|---|---|---|---|
| objectClass |
| Fixed value. | |
dc | Identifier | Equal to the entityid or client_id of the application | Usually a uri or urn |
| labeledURI | AUP url |
| Only present if provided by the application |
Schemas and extra configuration
In addition to the standard RFC4519 and RFC4524 LDAP schemas, the following non-standard schemas are used in SRAM:
| objectClass | attributes | reference | schema | ldif |
|---|---|---|---|---|
| eduPerson | eduPersonUniqueID eduPersonPrincipalName eduPersonScopedAffiliation | https://wiki.refeds.org/display/STAN/eduPerson | eduperson.ldif | |
| voPerson | voPersonExternalID voPersonExternalAffiliation | https://voperson.org/ | voperson.schema | voperson.ldif |
| sramPerson | sramInactiveDays | sramPerson.ldif | ||
| ldapPublicKey | sshPublicKey | https://github.com/AndriiGrytsenko/openssh-ldap-publickey | ldappublickey.schema | ldappublickey.ldif |
| groupOfMembers | https://tools.ietf.org/id/draft-howard-rfc2307bis-02 | |||
| voPersonPolicyAgreement | In order to properly synchronise the user attribute voPersonPolicyAgreement with OpenLDAP you need to add a "time-" value to olcAttributeOptions under cn=config |
Flat and ordered subtrees
All data (users, groups and collaborations) is duplicated in two subtrees: ordered and flat. Different applications and needs might suit on or the other better, for example: in the flat tree each user occurs only once.
dc=<service_id>,dc=services,dc=sram,dc=surf,dc=nl cn=admin dc=ordered o=<org_1>:<co_1> ou=Groups cn=@all cn=<group_1> cn=<group_2> ... ou=People uid=<user_1> uid=<user_2> ... o=<org_2>.<co_2> ou=Groups cn=@all cn=<group_3> cn=<group_4> ... ou=People uid=<user_2> uid=<user_3> ... dc=flat ou=Groups cn=<org_1>.<co_1>.@all cn=<org_1>.<co_1>.<group_1> cn=<org_1>.<co_1>.<group_2> cn=<org_2>.<co_2>.@all cn=<org_2>.<co_2>.<group_3> cn=<org_2>.<co_2>.<group_4> ... ou=People uid=<user_1> uid=<user_2> uid=<user_3> ...