SRAM provides an LDAP tree for each application, containing only the entities that are available to that application.

The four entity types are:

  • People: Users of SRAM, expressed as inetOrgPerson (with additional attributes/schemas). Users can be members of groups and collaborations.
  • Collaborations, expressed as organization (with additional attributes/schemas).
  • Groups of collaboration members, expressed as groupOfMembers (with additional attributes/schemas).
  • Applications, expressed as organization (with additional attributes/schemas).

Entities

Users

Users that are members of the collaboration are present in its ou=People subtree.

objectClass
  Value: inetOrgPerson, person, eduPerson, voPerson, sramPerson, ldapPublicKey
  Remarks: Fixed value; ldapPublicKey is only present if an sshPublicKey value is defined; the other values are always present.

uid
  Value: Unix-type username and main dn
  Example: laurapage12
  Remarks: Safe to use in Unix environments; contains no "weird" characters; maximum of 16 characters. Unique in the SRAM platform.

cn
  Value: Identifier
  Example: 47c1c59a3b098d55beaaf555083ff88d9bcba524@sram.eduteams.org
  Remarks: Value is identical to eduPersonUniqueID.

displayName
  Value: Full name
  Example: Laura Page, PhD

givenName
  Value: First name
  Example: Laura

sn
  Value: Last name
  Example: Page

mail
  Value: Email address
  Example: laura.page@physics.uniharderwijk.nl
  Remarks: User's preferred email address; single-valued.

eduPersonUniqueID
  Value: Main platform identifier, also used for cn
  Example: 47c1c59a3b098d55beaaf555083ff88d9bcba524@sram.eduteams.org
  Remarks: Platform identifier; persistent, non-reassignable, globally unique and scoped to SRAM. Will not change, even if the user switches to a different login account.

eduPersonPrincipalName
  Value: Scoped identifier
  Example: laurapage12@sram.surf.nl
  Remarks: uid scoped to the SRAM platform.

eduPersonScopedAffiliation
  Value: Platform role
  Example: member@acc.sram.eduteams.org
  Remarks: Fixed value.

voPersonExternalID
  Value: Identity as asserted by the home institution
  Example: lpage23@uniharderwijk.nl
  Remarks: Based on the eduPersonPrincipalName sent by the user's home institution.

voPersonExternalAffiliation
  Value: Affiliation at the home institution
  Example: employee@uniharderwijk.nl
  Remarks: Based on the eduPersonScopedAffiliation sent by the user's home institution.

sramInactiveDays
  Value: Number of days the user has not logged in (rounded down)
  Remarks: Value can be:
    • 1, 2, 3, 4, 5, 6
    • 7, 14, 21, 28
    • 30, 60, 90, 120, 150, 180, 210, 240, 270, 300, 330, 360
    • 365, 730, 1095, ...

sshPublicKey
  Value: SSH public key
  Example: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIERo5YJE9lnW1hJzfeHKzrZ04IpJGqOIwL+nyhsfTBKi laura@local
  Remarks: SSH public key uploaded by the user. Can be multi-valued.

voPersonPolicyAgreement
  Value: The URL of the application AUP the user has agreed with
  Example: voPersonPolicyAgreement;time-1516593822: http://example.com/AUP
  Remarks: The value of this attribute contains only the URL of the AUP to which the user has agreed; the time of agreement is recorded in an attribute option. See the voPerson specification for more information.
  If you want to synchronise this value, you need to add olcAttributeOptions: "time-" under cn=config for OpenLDAP deployments.

voPersonStatus
  Value: active or expired
  Example: expired
  Remarks: Expired if the user's membership of this collaboration has expired, or if the user has been suspended from SRAM for inactivity between 12 and 15 months.
  Note that for the flat LDAP tree, a user is set to active if they are active in any of the collaborations included in the tree. So, if the user is a member of two collaborations, one of which is expired, their status will still be set to active. If the membership of the second collaboration also expires, their status will change to expired.

memberOf
  Value: Group memberships
  Example, in the ordered subtree:
    cn=@all,ou=Groups,o=org1.co1,dc=ordered,dc=service1,dc=services,dc=sram,dc=surf,dc=nl
    cn=group_1,ou=Groups,o=org1.co1,dc=ordered,dc=service1,dc=services,dc=sram,dc=surf,dc=nl
  Example, in the flat subtree:
    cn=org1.co1.@all,ou=Groups,dc=flat,dc=service1,dc=services,dc=sram,dc=surf,dc=nl
    cn=org1.co1.group_1,ou=Groups,dc=flat,dc=service1,dc=services,dc=sram,dc=surf,dc=nl
  Remarks: The @all group contains all members of the collaboration, including those who are not a member of any subgroup.
  If a user is expired, their group memberships are removed. Specifically, they will still exist under ou=People, but will not be a member of the @all group or any subgroup.
  NB: Operational attribute, so not shown by default by most LDAP clients.
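The two points above that matter most to an application (in the flat tree voPersonStatus stays active while an expired collaboration's groups disappear from memberOf, and the AUP timestamp lives in an attribute option) can be checked offline. The following is an added example, not SRAM's own code: it parses a constructed LDIF export of the flat subtree (service id, the johndoe7 uid and the AUP URL are made up) and grants access on group membership rather than on voPersonStatus alone.

```python
"""Added example, not SRAM's own code: parse a constructed LDIF export of the
flat subtree and decide access from group membership, since in the flat tree
voPersonStatus stays 'active' while expired memberships vanish from memberOf."""
import re
from collections import defaultdict

FLAT_BASE = "dc=flat,dc=service1,dc=services,dc=sram,dc=surf,dc=nl"  # constructed
# Constructed sample: laurapage12 is active in org1.co1, but her org2.co2
# membership has expired; johndoe7 (constructed uid) is expired everywhere.
SAMPLE_LDIF = f"""\
dn: uid=laurapage12,ou=People,{FLAT_BASE}
uid: laurapage12
voPersonStatus: active
voPersonPolicyAgreement;time-1516593822: http://example.com/AUP
memberOf: cn=org1.co1.@all,ou=Groups,{FLAT_BASE}
memberOf: cn=org1.co1.group_1,ou=Groups,{FLAT_BASE}

dn: uid=johndoe7,ou=People,{FLAT_BASE}
uid: johndoe7
voPersonStatus: expired
"""

def parse_ldif(text):
    """Return {dn: {attribute: [values]}}; attribute options stay in the key
    (e.g. 'voPersonPolicyAgreement;time-1516593822'). No line folding/base64."""
    entries = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        dn, attrs = None, defaultdict(list)
        for line in block.splitlines():
            key, _, value = line.partition(": ")
            if key == "dn":
                dn = value
            else:
                attrs[key].append(value)
        entries[dn] = dict(attrs)
    return entries

def aup_agreements(entry):
    """Split 'voPersonPolicyAgreement;time-<epoch>' keys into (url, epoch)."""
    out = []
    for key, values in entry.items():
        m = re.fullmatch(r"voPersonPolicyAgreement;time-(\d+)", key)
        if m:
            out.extend((v, int(m.group(1))) for v in values)
    return out

def may_access(entries, uid, group_cn):
    """Grant only if active AND memberOf (operational: request it explicitly
    when exporting) lists the flat group cn, e.g. 'org1.co1.group_1'."""
    entry = entries.get(f"uid={uid},ou=People,{FLAT_BASE}")
    if entry is None or entry.get("voPersonStatus") != ["active"]:
        return False
    return f"cn={group_cn},ou=Groups,{FLAT_BASE}" in entry.get("memberOf", [])
```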

Collaboration

Collaborations are expressed as organizations in the LDAP. This structure is only present in the ordered subtree; in the flat subtree, this information is expressed in the *:@all groups.

objectClass
  Value: organization, extensibleObject
  Remarks: Fixed value.

o
  Value: Identifier
  Example: org_1:co_1
  Remarks: The identifier consists of the short name of the organization and the short name of the CO itself, separated by a colon (:).

uniqueIdentifier
  Value: Identifier
  Example: da0c3a59-436c-4977-b6d2-981e762c1877
  Remarks: Unique identifier of the collaboration.

displayName
  Value: Full name of the collaboration
  Example: My first CO
  Remarks: Unbounded UTF-8 string as entered in the user interface.

description
  Value: Description of the collaboration
  Example: In the "My first CO" we work together on all kinds of stuff
  Remarks: Unbounded UTF-8 string as entered in the user interface.

businessCategory
  Value: Collaboration labels
  Example: org_1:label_1
  Remarks: Labels scoped to an organization and collaboration.

labeledURI
  Value: Links to CO-specific information. Consists of a URL and a label describing the URL.
  Example:
    https://sram.surf.nl/api/images/collaborations/2bf516d8-f70b-4741-a251-e561eccd96ae logo
    https://sbs.scz-vm.net/collaborations/1 sbs_url
  Remarks: The following labels are supported:
    • logo: link to the logo of the CO
    • sbs_url: link to the management page of the CO

mail
  Value: Contact email address(es) of the CO admins
  Example: piet.admin@my_co.example.edu
  Remarks: Contains the email addresses of all CO admins.

Groups

Groups within a collaboration are present in the ou=Groups subtree.

objectClass
  Value: groupOfMembers, extensibleObject
  Remarks: Fixed value.

cn
  Value: Identifier
  Example, in the ordered subtree: group_1
  Example, in the flat subtree: org1.co1.group_1
  Remarks: The components of the group name can only consist of letters, numbers, hyphen and underscore.
  Might possibly change if the group, collaboration or organization it belongs to is renamed.
  The special name @all is used to represent all members of a collaboration.

displayName
  Value: Display name
  Example: Group Number One

description
  Value: Description
  Example: This Group is the first test group. You can use it to test stuff in an application.

uniqueIdentifier
  Value: Unique identifier for the group
  Example: d5738a44-1173-22a8-8769-81722467bbe7
  Remarks: Unique, persistent identifier for the group.

businessCategory
  Value: Collaboration labels
  Example: org_1:label_1
  Remarks: Only for the @all groups. Labels scoped to an organization and collaboration.

member
  Value: DN of members of the group
  Example, in the ordered subtree:
    uid=laurapage12,ou=People,o=org1.co1,dc=ordered,dc=service1,dc=services,dc=sram,dc=surf,dc=nl
  Example, in the flat subtree:
    uid=laurapage12,ou=People,dc=flat,dc=service1,dc=services,dc=sram,dc=surf,dc=nl


Applications

objectClass
  Value: organization, labeledURIObject, dcObject
  Remarks: Fixed value.

dc, o
  Value: Identifier
  Remarks: Equal to the entityid or client_id of the application. Usually a URI or URN.

labeledURI
  Value: AUP URL; privacy policy URL
  Example:
    https://example.org/aup.txt aup
    https://example.org/privacy_policy.txt pp
  Remarks: Only present if provided by the application.

Schemas and extra configuration

In addition to the standard RFC4519 and RFC4524 LDAP schemas, the following non-standard schemas are used in SRAM:

eduPerson
  Attributes: eduPersonUniqueID, eduPersonPrincipalName, eduPersonScopedAffiliation
  Reference: https://wiki.refeds.org/display/STAN/eduPerson
  LDIF: eduperson.ldif

voPerson
  Attributes: voPersonExternalID, voPersonExternalAffiliation
  Reference: https://voperson.org/
  Schema: voperson.schema
  LDIF: voperson.ldif

sramPerson
  Attributes: sramInactiveDays
  LDIF: sramPerson.ldif

ldapPublicKey
  Attributes: sshPublicKey
  Reference: https://github.com/AndriiGrytsenko/openssh-ldap-publickey
  Schema: ldappublickey.schema
  LDIF: ldappublickey.ldif

groupOfMembers
  Reference: https://tools.ietf.org/id/draft-howard-rfc2307bis-02


voPersonPolicyAgreement

In order to properly synchronise the user attribute voPersonPolicyAgreement with OpenLDAP, you need to add a "time-" value to olcAttributeOptions under cn=config.


Flat and ordered subtrees

All data (users, groups and collaborations) is duplicated in two subtrees: ordered and flat. Depending on the application and its needs, one or the other may suit better; for example, in the flat tree each user occurs only once.

LDAP directory structure model

dc=<service_id>,dc=services,dc=sram,dc=surf,dc=nl
  cn=admin
  dc=ordered
    o=<org_1>:<co_1>
      ou=Groups
        cn=@all
        cn=<group_1>
        cn=<group_2>
        ...
      ou=People
        uid=<user_1>
        uid=<user_2>
        ...
    o=<org_2>.<co_2>
      ou=Groups
        cn=@all
        cn=<group_3>
        cn=<group_4>
        ...
      ou=People
        uid=<user_2>
        uid=<user_3>
        ...
  dc=flat
    ou=Groups
      cn=<org_1>.<co_1>.@all
      cn=<org_1>.<co_1>.<group_1>
      cn=<org_1>.<co_1>.<group_2>
      cn=<org_2>.<co_2>.@all
      cn=<org_2>.<co_2>.<group_3>
      cn=<org_2>.<co_2>.<group_4>
      ...
    ou=People
      uid=<user_1>
      uid=<user_2>
      uid=<user_3>
      ...
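An application that is configured against one subtree sometimes has to map a DN it received from the other one (a group cn from the flat tree, a user DN from the ordered tree). The following is an added example, not SRAM's own code: it translates between the two layouts and applies the group-name rule from the Groups table (components of letters, digits, hyphen and underscore, with @all special). It assumes the dotted o=<org>.<co> form used in the memberOf and member examples, and the service id is constructed.

```python
"""Added example, not SRAM's own code: translate DNs between the ordered and
flat subtrees and check the group-name rule (components of letters, digits,
hyphen and underscore; '@all' is the special whole-collaboration group).
Assumes the dotted o=<org>.<co> form used in the memberOf examples."""
import re

COMPONENT = re.compile(r"[A-Za-z0-9_-]+")  # allowed characters per component

def split_flat_group_cn(cn):
    """'org1.co1.group_1' -> ('org1', 'co1', 'group_1'); ValueError if malformed."""
    parts = cn.split(".")
    if len(parts) != 3:
        raise ValueError(f"expected <org>.<co>.<group>, got {cn!r}")
    org, co, group = parts
    for part in (org, co, "all" if group == "@all" else group):
        if not COMPONENT.fullmatch(part):
            raise ValueError(f"invalid component {part!r} in {cn!r}")
    return org, co, group

def flat_to_ordered_group_dn(flat_dn):
    """cn=org1.co1.group_1,ou=Groups,dc=flat,<base>
       -> cn=group_1,ou=Groups,o=org1.co1,dc=ordered,<base>"""
    m = re.fullmatch(r"cn=([^,]+),ou=Groups,dc=flat,(.+)", flat_dn)
    if not m:
        raise ValueError(f"not a flat group DN: {flat_dn!r}")
    org, co, group = split_flat_group_cn(m.group(1))
    return f"cn={group},ou=Groups,o={org}.{co},dc=ordered,{m.group(2)}"

def ordered_to_flat_user_dn(ordered_dn):
    """uid=laurapage12,ou=People,o=org1.co1,dc=ordered,<base>
       -> uid=laurapage12,ou=People,dc=flat,<base>. The collaboration is dropped:
       the flat tree holds each user once, however many collaborations list them."""
    m = re.fullmatch(r"uid=([^,]+),ou=People,o=[^,]+,dc=ordered,(.+)", ordered_dn)
    if not m:
        raise ValueError(f"not an ordered user DN: {ordered_dn!r}")
    return f"uid={m.group(1)},ou=People,dc=flat,{m.group(2)}"
```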