
LDAP Architecture for CardDAV/OpenLDAP interface



Hello,

I'm using an OpenLDAP server and an owncloud server, for different but convergent purposes.

The OpenLDAP manages an addressbook that is used by all mail clients (Thunderbird, Horde, etc.), and the owncloud server also manages an addressbook for phone numbers, addresses and so on; this one is a CardDAV one with vCard files.

My goal is to converge these two different back-ends into one, with all the data stored in the LDAP server.

I did some research about how to do it and I have some ideas that I would like to submit to you for feedback.

The first question is about the vCard/LDAP interface.
After studying the vCard format and the different LDAP schemas, mostly RFC 6350 and RFC 2256 and the schema files in the OpenLDAP conf folder on a Debian Stable server, I think that a new schema would make the connection.

All the vCard properties can easily be linked to an existing person or inetOrgPerson or another *person objectClass, and the properties that don't exist yet are to be created in a schema extension. Also, one or two additional property fields per property are to be created for the vCard parameters.

Actually, there are different objectClasses that might be extended: person, inetOrgPerson, organizationalPerson and residentialPerson. Considering that inetOrgPerson, organizationalPerson and residentialPerson are designed for specific purposes, I think that extending the person objectClass would be the best guess; what do you think?

The second question is more about the OpenLDAP configuration to handle this need. Right now, the OpenLDAP server is only used by me as an addressbook and an authentication server, the directory looks like this:

dc=babelouest,dc=org
|
|-ou=addressbook
|  |
|  |-cn=Address1
|  |-cn=Address2
|  |-[...]
|
|-ou=users
|  |
|  |-uid=user1
|  |-uid=user2
|  |[...]

I would like to add another branch to allow users to add their own addressbook entries; these entries would be in read/write mode only for the owner, and no one else but him should have access.

The new directory would look like this:
dc=babelouest,dc=org
|
|-ou=addressbook (global, read-only for all users)
|  |
|  |-cn=Address1
|  |-cn=Address2
|  |-[...]
|
|-ou=users
|  |
|  |-uid=user1
|  |-uid=user2
|  |[...]
|
|-ou=personnalAddressbooks (personal addressbook entries)
|  |
|  |-uid=user1
|  |  |
|  |  |-cn=Address1
|  |  |-cn=Address2
|  |  |-cn=Address3
|  |
|  |-uid=user2
|  |  |
|  |  |-cn=Address1
|  |  |-cn=Address2

I took a look at the Access control help page but I couldn't find how to set up the OpenLDAP configuration properly for this. Can you help me configure slapd.conf?

Thanks in advance.

/Nicolas
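The access-control part of the question, worked through as an added example; this is not configuration from the original post or from the OpenLDAP project. It assumes that users bind as uid=<name>,ou=users,dc=babelouest,dc=org, that the per-user containers uid=<name>,ou=personnalAddressbooks,... are created by the rootdn (cn=admin is an assumed name), and OpenLDAP 2.3 or later, where the `expand` dnstyle is available in a `by` clause:

```conf
# slapd.conf ACL fragment (added example, not from the original post).
# Assumed: bind DNs are uid=<name>,ou=users,dc=babelouest,dc=org and the
# rootdn (here cn=admin,dc=babelouest,dc=org) bypasses ACLs entirely.
# slapd walks the access directives in order and uses the first one whose
# <what> matches the target entry; inside it, the first matching <by> wins.
# Put the most specific rules first and end with an explicit deny.

rootdn  "cn=admin,dc=babelouest,dc=org"

# Password hashes: the owner may change them, anyone may use them to bind,
# nobody may read them back. This must come before any rule that grants
# "read" on ou=users, otherwise that rule would expose the hashes.
access to attrs=userPassword
    by self write
    by anonymous auth
    by * none

# Personal addressbooks: only the owner gets read/write on his subtree.
# The regex matches both the container uid=<name>,ou=personnalAddressbooks
# (optional group 1 empty) and every entry below it (group 1 = "cn=...,").
# Group 2 captures the uid and "expand" substitutes it into the bind DN,
# so uid=user2 can never match uid=user1's branch.
# Creating the container itself needs write on the "children" of
# ou=personnalAddressbooks, which no user gets here: the rootdn creates it.
access to dn.regex="^(.+,)?uid=([^,]+),ou=personnalAddressbooks,dc=babelouest,dc=org$"
    by dn.exact,expand="uid=$2,ou=users,dc=babelouest,dc=org" write
    by * none

# Global addressbook: read-only for every authenticated user ("users"),
# nothing for anonymous. Only the rootdn can modify it.
access to dn.subtree="ou=addressbook,dc=babelouest,dc=org"
    by users read
    by * none

# User accounts: each user may read his own entry (userPassword is already
# handled above, so "read" here does not leak hashes).
access to dn.subtree="ou=users,dc=babelouest,dc=org"
    by self read
    by * none

# Explicit catch-all. slapd would deny unmatched targets anyway once any
# access directive exists, but stating it avoids surprises when rules are
# added later.
access to *
    by * none

# Check the policy without starting slapd (slapacl reads slapd.conf and
# prints the access each attribute would get for that bind DN):
#   slapacl -f /etc/ldap/slapd.conf \
#       -D "uid=user2,ou=users,dc=babelouest,dc=org" \
#       -b "cn=Address1,uid=user1,ou=personnalAddressbooks,dc=babelouest,dc=org"
# should report no access, while the same command with -D uid=user1 should
# report write.
```

Two things to keep in mind when wiring this to the CardDAV side: the rules only isolate personal entries if the CardDAV server actually binds to LDAP as the end user (pass-through of the user's own credentials, or a service account with SASL proxy authorization via authzTo), since a single shared service bind would be denied everything under ou=personnalAddressbooks; and because the userPassword rule grants "auth" to anonymous, anonymous binds must stay enabled for the simple-bind flow to work at all (the rest of the tree stays closed to anonymous by the "by * none" clauses).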