
This is a draft Enterprise Directory Policy for NORDUnet. It is not official yet!

The NORDUnet LDAP service (ldap.nordu.net) is the enterprise directory for NORDUnet. The primary purpose of the service is to serve as the primary authoritative identity store for NORDUnet IT services.

Terminology

The words MUST, SHOULD and MAY have the following meanings:

MUST

Absolutely no exceptions.

SHOULD

Use extreme caution. Breakage will have severe security implications.

MAY

Use your own judgement.

Change control

Any change to this policy MUST be approved by the NORDUnet security officer.

Applications

Applications that need authenticated identity information (authentication and attributes) SHOULD NOT use the directory service directly. Instead, one of the SSO services (e.g. SAML, Crowd SSO) SHOULD be used. Exceptions to this rule must be approved by the NORDUnet security officer. Applications that only need non-authenticated information about objects in the directory MAY search the directory; however, care MUST be taken not to expose sensitive information. All communication with the directory service SHOULD be done over a secure transport (e.g. TLS).

Directory structure

The structure of the Directory Information Tree (DIT) is as follows (relative to the base DN):

DN

Objects and purpose

ou=People

Each entry represents a user. The uid attribute MUST be present on each entry and MUST be globally unique. Entries representing users MUST NOT exist outside this subtree. In particular, a search for uid=* MUST result in search hits only in this subtree.

ou=Groups

All entries MUST represent groups of users. Each entry MUST have an objectClass of groupOfNames or groupOfUniqueNames. The cn attribute MUST be used to name entries, and the cn attribute MUST be unique within this subtree regardless of depth.

ou=Partners

All entries MUST represent organizations and have an objectClass of organization. The o attribute is used to name the organization and MUST be unique within this subtree. An organization MAY have contact persons, represented by entries with the objectClass inetOrgPerson. For these entries the cn attribute MUST be used to build the DN.

New top-level subtrees (entries below dc=nordu,dc=net) MUST be approved by the NORDUnet security officer. Each such subtree MUST have a description in the table above.
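A compliance check for the subtree rules in the table above, as an added example and not NORDUnet's own tooling: it assumes the base DN dc=nordu,dc=net and runs over constructed (dn, attributes) pairs rather than a live search of ldap.nordu.net.

```python
# Added example, not NORDUnet tooling; the entries below are constructed, not from ldap.nordu.net.
from collections import Counter

BASE = "dc=nordu,dc=net"          # base DN named in the policy
GROUP_CLASSES = {"groupOfNames", "groupOfUniqueNames"}

def rdn_attr(dn):                 # attribute type of the leftmost RDN, e.g. 'uid'
    return dn.split(",", 1)[0].partition("=")[0].strip().lower()
def top_subtree(dn):              # top-level container below BASE, e.g. 'ou=People'
    if not dn.endswith("," + BASE):
        return None
    return dn[: -len(BASE) - 1].split(",")[-1].strip()
def check_dit(entries):           # returns policy violations; [] means compliant
    problems, uids, group_cns, orgs = [], Counter(), Counter(), Counter()
    for dn, attrs in entries:
        tree = top_subtree(dn)
        if tree is None or dn == f"{tree},{BASE}":   # skip the containers themselves
            continue
        classes = set(attrs.get("objectClass", []))
        if "uid" in attrs:                            # uid entries belong in ou=People only
            uids.update(attrs["uid"])
            if tree != "ou=People":
                problems.append(f"{dn}: uid present outside ou=People")
        elif tree == "ou=People":
            problems.append(f"{dn}: user entry without uid")
        if tree == "ou=Groups":
            if not classes & GROUP_CLASSES:
                problems.append(f"{dn}: not groupOfNames/groupOfUniqueNames")
            group_cns.update(attrs.get("cn", []))     # cn unique across the whole subtree
        if tree == "ou=Partners":
            if "inetOrgPerson" in classes:            # contact person, named by cn
                if rdn_attr(dn) != "cn":
                    problems.append(f"{dn}: contact person not named by cn")
            elif "organization" in classes:          # organization, named by o
                orgs.update(attrs.get("o", []))
                if rdn_attr(dn) != "o":
                    problems.append(f"{dn}: organization not named by o")
            else:
                problems.append(f"{dn}: unexpected objectClass in ou=Partners")
    for label, counter in (("uid", uids), ("group cn", group_cns), ("o", orgs)):
        problems += [f"duplicate {label} {v!r}" for v, n in counter.items() if n > 1]
    return problems

SAMPLE = [   # constructed: three compliant entries, then two that break the rules
    ("uid=alice,ou=People," + BASE, {"objectClass": ["inetOrgPerson"], "uid": ["alice"]}),
    ("cn=admins,ou=Groups," + BASE, {"objectClass": ["groupOfNames"], "cn": ["admins"]}),
    ("o=Example Org,ou=Partners," + BASE, {"objectClass": ["organization"], "o": ["Example Org"]}),
    ("uid=bob,ou=Partners," + BASE, {"objectClass": ["inetOrgPerson"], "uid": ["bob"]}),
    ("cn=admins,ou=Nested,ou=Groups," + BASE, {"objectClass": ["posixGroup"], "cn": ["admins"]}),
]
```

Running check_dit(SAMPLE) reports the user entry outside ou=People, the contact person not named by cn, the non-group objectClass, and the duplicate group cn at a deeper level.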
