3.2.1. LDAP directory service extensions
This section describes how to extend the directory service in Nubus for Kubernetes with custom LDAP schema extensions and access control lists (ACLs).
Nubus comes with a default set of LDAP schema and ACLs to support its functionality. If additional LDAP schema or ACLs help you to accomplish your use case, then this section is for you.
Important
Nubus uses OpenLDAP as its LDAP directory service; therefore, LDAP schema extensions and ACLs must be written for OpenLDAP.
See also
- Identity Store and Directory Service in Univention Nubus for Kubernetes - Architecture Manual [1] for information about the architecture of the Identity Store and Directory Service in Nubus for Kubernetes.
3.2.1.1. LDAP schema
The directory service in Nubus for Kubernetes is an OpenLDAP directory service that stores information as attributes and groups those attributes into objects. The blueprint for an object is the objectClass, which defines the object's attributes and their types. The combined definition of attributes and object classes is a schema.
An LDAP schema extension lets you add attributes and object class definitions to the LDAP directory service. It’s a text file with a specified syntax.
- Example: The openDesk Nubus Customization provides several LDAP schema extensions, such as opendeskFileshare.schema in the openDesk repository.
Describing how to write an LDAP schema is beyond the scope of this document. Instead, this section assumes you have your LDAP schema extension ready to use. For more information, see the OpenLDAP Software Administrator's Guide [2].
To add an LDAP schema extension to Nubus for Kubernetes, use the following steps:
1. Save the schema and give it any filename with the file extension .schema, for example custom-ldap.schema.
2. Follow the instructions for building the Docker image in Bundle extensions.
3. Copy the plugin file to your extension project. For an LDAP schema, the plugin-type is ldap-schema. See Add plugins.
   $ export PLUGIN_TYPE="ldap-schema"
Tip
The Directory Service mounts your provided LDAP schema into the following directory: /var/lib/univention-ldap-local/local-schema.
See also
- Extending Schema in OpenLDAP Software Administrator's Guide [2] for the schema specification for OpenLDAP.
- Schema in Lightweight Directory Access Protocol - Wikipedia for a description of LDAP schema.
3.2.1.2. LDAP ACLs
LDAP ACLs are access control lists that determine which LDAP objects an LDAP user can access, and whether that access is read or write. ACLs are text files that the LDAP server loads as configuration during startup. Describing how to create ACLs is beyond the scope of this document.
To add LDAP ACLs to Nubus for Kubernetes, use the following steps:
1. Save the ACLs and give them any filename with the file extension .acl, for example custom-ldap.acl.
2. Follow the instructions for building the Docker image in Bundle extensions.
3. Copy the plugin file to your extension project. For an OpenLDAP ACL, the plugin-type is ldap-acl. See Add plugins.
   $ export PLUGIN_TYPE="ldap-acl"
Tip
The Directory Service mounts your provided LDAP ACLs into the following directory: /etc/univention/templates/files/etc/ldap/slapd.conf.d.
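The schema and ACL procedures above share one rule: the file extension decides the PLUGIN_TYPE. The following added pre-flight check (example code, not part of Nubus or this documentation) applies that rule before the Docker image is built; the function names, the sample schema and ACL content, the admin group DN and the OID arc 1.3.6.1.4.1.99999 are all constructed placeholders.

```shell
#!/bin/sh
# Added pre-flight check for Nubus LDAP extension files (example, not Nubus code).
# Only the .schema -> ldap-schema and .acl -> ldap-acl mapping comes from the docs;
# function names, sample content and the OID arc 1.3.6.1.4.1.99999 are constructed.
# Map an extension file name to the PLUGIN_TYPE value documented for it.
plugin_type_for() {
  case "$1" in
    *.schema) echo "ldap-schema" ;;
    *.acl)    echo "ldap-acl" ;;
    *)        return 1 ;;
  esac
}

# Check that the content matches the type implied by the file extension:
# a schema must define an attributetype or objectclass, an ACL file must
# contain an "access to" directive. Prints the plugin type on success.
check_extension_file() {
  file="$1"
  ptype=$(plugin_type_for "$file") || { echo "unsupported extension: $file" >&2; return 1; }
  case "$ptype" in
    ldap-schema) grep -Eiq '^[[:space:]]*(attributetype|objectclass)' "$file" ;;
    ldap-acl)    grep -Eiq '^[[:space:]]*access[[:space:]]+to' "$file" ;;
  esac || { echo "$file does not look like a $ptype plugin" >&2; return 1; }
  echo "$ptype"
}

# Constructed sample files standing in for the ones copied into the extension project.
demo() {
  dir=$(mktemp -d)
  cat > "$dir/custom-ldap.schema" <<'EOF'
attributetype ( 1.3.6.1.4.1.99999.1.1 NAME 'exampleDepartmentCode'
  DESC 'constructed example attribute' EQUALITY caseIgnoreMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
objectclass ( 1.3.6.1.4.1.99999.1.2 NAME 'exampleEmployee' AUXILIARY
  MAY ( exampleDepartmentCode ) )
EOF
  cat > "$dir/custom-ldap.acl" <<'EOF'
# Least privilege: only a constructed admin group may write the attribute.
access to attrs=exampleDepartmentCode
  by group="cn=ldap-editors,dc=example,dc=org" write
  by users read
  by * none
EOF
  for f in "$dir"/*; do
    PLUGIN_TYPE=$(check_extension_file "$f") || return 1
    export PLUGIN_TYPE
    echo "$(basename "$f"): PLUGIN_TYPE=$PLUGIN_TYPE"
  done
  rm -rf "$dir"
}
```

Run demo to see both constructed files classified; a file whose content does not match its extension is rejected before it reaches the image build.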
See also
- Access Control in OpenLDAP Software Administrator's Guide [2] for information about access control in OpenLDAP.