3.2.1. LDAP directory service extensions

This section describes how to extend the directory service in Nubus for Kubernetes with custom LDAP schema extensions and access control lists (ACLs).

Nubus comes with a default set of LDAP schema and ACLs to support its functionality. If additional LDAP schema or ACLs help you to accomplish your use case, then this section is for you.

Important

Nubus uses OpenLDAP as LDAP directory service, therefore LDAP schema and ACLs must apply to OpenLDAP.

See also

Identity Store and Directory Service in Univention Nubus for Kubernetes - Architecture Manual [1] for information about the architecture of the Identity Store and Directory Service in Nubus for Kubernetes.

3.2.1.1. LDAP schema

The directory service in Nubus for Kubernetes is an OpenLDAP directory service that stores information as attributes grouped into objects. The blueprint for an object is the objectClass; it defines which attributes the object carries and their types. The combined definition of attributes and object classes is the schema.

An LDAP schema extension lets you add attribute and object class definitions to the LDAP directory service. It is a text file with a defined syntax.

Example

The openDesk Nubus Customization provides several LDAP schema extensions, for example opendeskFileshare.schema in the openDesk repository.

Describing how to write an LDAP schema is beyond the scope of this document. Instead, this section assumes you have your LDAP schema extension ready to use. For more information, see the OpenLDAP Software Administrator's Guide [2].

To add an LDAP schema extension to Nubus for Kubernetes, use the following steps:

  1. Save the schema and give it any filename with the file extension .schema, for example custom-ldap.schema.

  2. Follow the instructions for building the Docker image in Bundle extensions.

  3. Copy the plugin file to your extension project. For an LDAP schema, the plugin-type is ldap-schema. See Add plugins.

    $ export PLUGIN_TYPE="ldap-schema"
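The following is an added example of what such a custom-ldap.schema file looks like; it is not part of the Nubus documentation or the openDesk repository. The attribute and object class names, and the OID arc 1.3.6.1.4.1.99999, are placeholders: replace the arc with one your organisation owns (an IANA Private Enterprise Number) before use, because OIDs must be globally unique.

```conf
# Added example of a custom OpenLDAP schema extension (not part of Nubus).
# OIDs under 1.3.6.1.4.1.99999 are placeholders; use an arc you own.
# Save as custom-ldap.schema and ship it with PLUGIN_TYPE="ldap-schema".

# Attribute: free-form cost centre identifier for a user account.
# Directory String syntax (1.3.6.1.4.1.1466.115.121.1.15), max. 64 chars.
attributetype ( 1.3.6.1.4.1.99999.1.1.1
    NAME 'exampleCostCentre'
    DESC 'Cost centre a user account is billed to (example)'
    EQUALITY caseIgnoreMatch
    SUBSTR caseIgnoreSubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{64}
    SINGLE-VALUE )

# Attribute: boolean flag; Boolean syntax (1.3.6.1.4.1.1466.115.121.1.7).
attributetype ( 1.3.6.1.4.1.99999.1.1.2
    NAME 'exampleSelfServiceEnabled'
    DESC 'Whether self-service features are enabled for this account (example)'
    EQUALITY booleanMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
    SINGLE-VALUE )

# Auxiliary object class bundling the two attributes. AUXILIARY means it can
# be attached to existing entries (e.g. inetOrgPerson) without changing their
# structural class; both attributes are optional (MAY).
objectclass ( 1.3.6.1.4.1.99999.1.2.1
    NAME 'exampleUser'
    DESC 'Example extension attributes for user accounts'
    SUP top
    AUXILIARY
    MAY ( exampleCostCentre $ exampleSelfServiceEnabled ) )
```

Keep SINGLE-VALUE and an explicit SYNTAX length on attributes that applications later trust as identifiers; a loosely typed attribute is easier to misuse than a strictly typed one. Schema files are parsed at slapd startup, so a syntax error in the file prevents the directory service from starting, which is why it is worth checking the file outside Nubus first.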
    

Tip

The Directory Service mounts your provided LDAP schema to the following directory: /var/lib/univention-ldap-local/local-schema.

See also

Extending Schema in OpenLDAP Software Administrator's Guide [2] for the schema specification for OpenLDAP.

Schema in Lightweight Directory Access Protocol - Wikipedia for a description of LDAP schema.

3.2.1.2. LDAP ACLs

LDAP ACLs are access control lists that determine which LDAP objects and attributes an LDAP user can access, and whether that access is read or write. ACLs are text files that the LDAP server loads as part of its configuration during startup. Describing how to create ACLs is beyond the scope of this document.

To add LDAP ACLs to Nubus for Kubernetes, use the following steps:

  1. Save the ACLs and give them any filename with the file extension .acl, for example custom-ldap.acl.

  2. Follow the instructions for building the Docker image in Bundle extensions.

  3. Copy the plugin file to your extension project. For an OpenLDAP ACL, the plugin-type is ldap-acl. See Add plugins.

    $ export PLUGIN_TYPE="ldap-acl"
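The following is an added example of what a custom-ldap.acl file in slapd.conf syntax looks like; it is not part of the Nubus documentation and does not reproduce the default Nubus ACLs. The base DN dc=example,dc=org, the helpdesk group DN and the two example attributes are placeholders. slapd uses the first access clause whose target matches and, within that clause, the first matching by line, so the order of clauses decides the outcome; how this fragment is ordered relative to the default Nubus ACLs is not described on this page and must be checked in the running directory service.

```conf
# Added example of an OpenLDAP ACL fragment (not part of Nubus).
# Save as custom-ldap.acl and ship it with PLUGIN_TYPE="ldap-acl".
# DNs and attribute names below are placeholders.
#
# Evaluation: the first "access to" clause that matches the target is used,
# and within it the first matching "by" line wins. Specific clauses therefore
# go first, and every clause ends with an explicit default.

# 1. Password hashes are never disclosed. "auth" lets clients bind (compare)
#    without reading the value; "=xw" lets the owner change it without
#    being able to read the stored hash.
access to attrs=userPassword
    by self =xw
    by anonymous auth
    by * none

# 2. Custom attributes: a helpdesk group maintains them, the user may read
#    their own values, nobody else sees them.
access to attrs=exampleCostCentre,exampleSelfServiceEnabled
    by group.exact="cn=helpdesk,ou=groups,dc=example,dc=org" write
    by self read
    by * none

# 3. Remaining attributes under the users container are readable by
#    authenticated users only; anonymous clients get nothing.
access to dn.subtree="cn=users,dc=example,dc=org"
    by users read
    by * none
```

Two things are worth verifying after deployment: that an anonymous search against the users container returns no entries, and that a bound user cannot read another user's userPassword. Both can be checked with plain ldapsearch queries under the respective identities, and a failure usually means an earlier, broader clause matched before this fragment.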
    

Tip

The Directory Service mounts your provided LDAP ACLs to the following directory: /etc/univention/templates/files/etc/ldap/slapd.conf.d.

See also

Access Control in OpenLDAP Software Administrator's Guide [2] for information about access control in OpenLDAP.