
Re: LDAP Architecture for CardDAV/OpenLDAP interface



> Actually, there are different objectClass that might be extended:
> person, inetOrgPerson, organizationalPerson and residentialPerson.
> Considering that inetOrgPerson, organizationalPerson and
> residentialPerson are designed for specific purposes, I think that
> extending the person objectClass would be the best guess, what do you
> think ?
No need to extend existing classes - use another auxiliary class and add
it to the object. inetOrgPerson is a common way to store addressbook
data; it is handled by Thunderbird/Outlook/TheBat/whatever.

You may try a schema like this:
olcAttributeTypes: ( 2.999.1.1 NAME 'myData' DESC 'My string'
  EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcObjectClasses: ( 2.999.2.1 NAME 'myObject' SUP top AUXILIARY
  MUST myData MAY info )

Then create your addressbook entry:
dn: cn=entry1,ou=addressbook,dc=babelouest,dc=org
objectClass: inetOrgPerson
objectClass: myObject
sn: ...
gn: ...
mail: ...
myData: ...

You also need a unique OID for your schema (2.999 is reserved for
examples and documentation). See http://www.oid-info.com/faq.htm#10 and
http://quick-oid.org/

> I would like to add another branch to allow users to add their own
> addressbook entries, these entries would be in read/write mode only for
> the owner, no one else but him should have access.
> 
> The new directory would look like this:
> dc=babelouest,dc=org
> |
> |-ou=addressbook (global, read-only for all users)
> |  |
> |  |-cn=Address1
> |  |-cn=Address2
> |  |-[...]
> |
> |-ou=users
> |  |
> |  |-uid=user1
> |  |-uid=user2
> |  |[...]
> |
> |-ou=personnalAddressbooks (personal addressbook entries)
> |  |
> |  |-uid=user1
> |  |  |
> |  |  |-cn=Address1
> |  |  |-cn=Address2
> |  |  |-cn=Address3
> |  |
> |  |-uid=user2
> |  |  |
> |  |  |-cn=Address1
> |  |  |-cn=Address2
Better to place personal addressbook entries under the common addressbook -
this can then be configured on the clients as a single connection (with
a single base of ou=addressbook,dc=babelouest,dc=org). This also gives an
opportunity to share personal entries - just change the ACL.

dc=babelouest,dc=org
|
|-ou=addressbook (global, read-only for all users)
|  |
|  |-cn=Address1
|  |-cn=Address2
|  |-[...]
|  |-uid=user1
|  |  |
|  |  |-cn=Address1
|  |  |-cn=Address2
|  |  |-cn=Address3
|  |
|  |-uid=user2
|  |  |
|  |  |-cn=Address1
|  |  |-cn=Address2

For ACL you may use olcAccess with regexes and backreferences.

olcAccess: to dn.regex="^uid=(.+),ou=addressbook,dc=babelouest,dc=org$"
  by dn="^uid=$2,ou=users,dc=babelouest,dc=org$" write by * none

Notice that $1 is replaced with the whole matched string, and $2 is the
replacement for the first (.+) backref.
The "write" privilege also implies "read" and "search".
-- 
WBR,
Roman Rybalko
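As an added illustration (not code from the post or from OpenLDAP), a small Python model of how slapd selects the first matching "to" clause, expands $N into the "by" DN and derives implied privileges, run against constructed DNs from the tree above. Assumptions: the "to" regex is widened with an optional (.+,)? prefix so that the cn=... entries below uid=userN are covered as well, and $N follows POSIX submatch numbering ($0 whole match, $1 first group), so check slapd.access(5) for the release you run.

```python
import re

# Sample DNs modelled on the post's tree (constructed for this example, not the project's config).
ADDRBOOK = "ou=addressbook,dc=babelouest,dc=org"
USERS = "ou=users,dc=babelouest,dc=org"

# slapd privilege levels, lowest first; a granted level implies every lower one (write => read, search).
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

# The "to" regex from the post: anchored at ^uid= it matches the per-user container only.
POST_TO_REGEX = rf"^uid=(.+),{ADDRBOOK}$"

# Ordered like olcAccess: the first rule whose "to" regex matches the target DN decides, then the
# first "by" clause that matches the bind DN.  $N in a by-clause is submatch N of the "to" regex
# (POSIX numbering: $0 whole match, $1 first group); slapd needs the regex/expand style for that.
RULES = [
    # personal branch: owner writes, everybody else gets nothing; (.+,)? is group 1 so children match too.
    (rf"^(.+,)?uid=([^,]+),{ADDRBOOK}$",
     [(f"uid=$2,{USERS}", "write"), ("*", "none")]),
    # everything else under the shared addressbook is read-only.
    (rf"^(.+,)?{ADDRBOOK}$", [("*", "read")]),
]

def to_matches(to_regex, target_dn):
    """True if the rule's target regex matches the whole DN (how a 'to' clause is selected)."""
    return re.fullmatch(to_regex, target_dn) is not None

def expand(by_pattern, match):
    """Replace $N with submatch N of the target regex; empty string if the group did not participate."""
    return re.sub(r"\$(\d)", lambda s: match.group(int(s.group(1))) or "", by_pattern)

def granted(rules, bind_dn, target_dn):
    """Privilege level bind_dn gets on target_dn; 'none' if nothing matches (assumed deny-by-default)."""
    for to_regex, by_clauses in rules:
        m = re.fullmatch(to_regex, target_dn)
        if m is None:
            continue
        for who, level in by_clauses:
            if who == "*" or expand(who, m) == bind_dn:
                return level
        return "none"
    return "none"

def allows(rules, bind_dn, target_dn, needed):
    """True if the granted level implies the needed one (e.g. write implies read)."""
    return LEVELS.index(granted(rules, bind_dn, target_dn)) >= LEVELS.index(needed)
```

Call allows(RULES, bind_dn, target_dn, "read") for a few bind/target pairs to see that user1 can write only below uid=user1 while user2 gets nothing there, and compare to_matches(POST_TO_REGEX, dn) for a container DN and for a child DN.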