
This is a draft Enterprise Directory Policy for NORDUnet. It is not official yet!

The NORDUnet LDAP service (ldap.nordu.net) is the enterprise directory for NORDUnet. The primary purpose of the service is to serve as the primary, authoritative identity store for NORDUnet IT services.

The following terminology is used in this document:

MUST NOT: Absolutely no exceptions, ever.

SHOULD NOT: Use extreme caution. Breaking such a rule will have severe security implications.

Applications that only need identity information (authentication and attributes) SHOULD NOT use the directory service directly. Instead, one of the SSO services (e.g. SAML or Crowd SSO) SHOULD be used. Exceptions to this rule must be approved by the NORDUnet security officer.

The structure of the Directory Information Tree (DIT) is as follows (relative to the base DN):

ou=People: Each entry represents a user. The uid attribute MUST be present on each entry and MUST be globally unique. Entries representing users MUST NOT exist outside this subtree; in particular, a search for uid=* MUST return hits only in this subtree.

ou=Groups: Every entry MUST represent a group of users. Each entry MUST have an objectClass of groupOfNames or groupOfUniqueNames. The cn attribute MUST be used to name entries and MUST be unique within this subtree regardless of depth.

New top-level subtrees (entries below dc=nordu,dc=net) MUST be approved by the NORDUnet security officer. Each such subtree MUST have a description in the table above.
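As an added example (not NORDUnet's own tooling), the following check audits exported directory entries against the ou=People and ou=Groups rules above. It assumes the base DN dc=nordu,dc=net and entries already parsed from an LDIF export into (dn, attributes) pairs with lowercased attribute names; the sample directory at the end is constructed.

```python
# Hypothetical compliance check for the DIT rules above; not NORDUnet's own
# tooling. Entries are given as (dn, {attr: [values]}) pairs, e.g. parsed from
# an LDIF export; attribute names are assumed lowercased by the caller.
BASE_DN = "dc=nordu,dc=net"          # base DN named in the policy
GROUP_CLASSES = {"groupofnames", "groupofuniquenames"}

def in_subtree(dn, ou):
    """True if dn lies strictly below ou=<ou>,<BASE_DN>, at any depth."""
    return dn.lower().endswith(f",ou={ou},{BASE_DN}".lower())

def check_dit(entries):
    """Return the policy violations found in the entries, as strings."""
    violations, seen_uid, seen_cn = [], {}, {}
    for dn, attrs in entries:
        uids = attrs.get("uid", [])
        if uids and not in_subtree(dn, "People"):     # users only under ou=People
            violations.append(f"{dn}: uid outside ou=People")
        if in_subtree(dn, "People") and not uids:     # uid MUST be present
            violations.append(f"{dn}: user entry without uid")
        for uid in uids:                              # uid MUST be globally unique
            if uid.lower() in seen_uid:
                violations.append(f"{dn}: duplicate uid {uid}")
            seen_uid.setdefault(uid.lower(), dn)
        if in_subtree(dn, "Groups"):
            classes = {c.lower() for c in attrs.get("objectclass", [])}
            if not classes & GROUP_CLASSES:           # MUST be a group object class
                violations.append(f"{dn}: not groupOfNames/groupOfUniqueNames")
            for cn in attrs.get("cn", []):            # cn unique regardless of depth
                if cn.lower() in seen_cn:
                    violations.append(f"{dn}: duplicate cn {cn}")
                seen_cn.setdefault(cn.lower(), dn)
    return violations

# Constructed sample directory: a duplicate uid outside ou=People and a nested
# non-group entry reusing a group's cn. check_dit reports four violations.
SAMPLE = [
    ("uid=alice,ou=People,dc=nordu,dc=net",
     {"objectclass": ["inetOrgPerson"], "uid": ["alice"], "cn": ["Alice"]}),
    ("uid=alice,ou=Service,dc=nordu,dc=net",
     {"objectclass": ["inetOrgPerson"], "uid": ["alice"]}),
    ("cn=admins,ou=Groups,dc=nordu,dc=net",
     {"objectclass": ["groupOfNames"], "cn": ["admins"],
      "member": ["uid=alice,ou=People,dc=nordu,dc=net"]}),
    ("cn=admins,ou=Staff,ou=Groups,dc=nordu,dc=net",
     {"objectclass": ["organizationalRole"], "cn": ["admins"]}),
]

if __name__ == "__main__":
    print("\n".join(check_dit(SAMPLE)))
```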
