LDAP Structure
This article is intended to help you set up your LDAP database. The script was written against a test LDAP database with a structure similar to the one described below.

The script assumes you have something like the following DNs underneath your base DN:

dc=company,dc=com
  o=Company
    ou=Groups
    ou=Users
    ou=Networks
Underneath ou=Groups you will have several DNs with an objectClass of groupOfUniqueNames. Each group should also carry the objectClass extensibleObject (groupOfUniqueNames does not define the accessTo attribute, so extensibleObject is what permits it), should list its members using uniqueMember, and should list the network objects granted to those members using accessTo.
Here is an example LDIF export:
dn: cn=Developers,ou=Groups,o=Company,dc=company,dc=com
objectClass: extensibleObject
objectClass: top
objectClass: groupOfUniqueNames
cn: Developers
accessTo: cn=RDS_Database1,ou=IPv4,ou=Networks,o=Company,dc=company,dc=com
accessTo: cn=VPC_QA-Subnet,ou=IPv4,ou=Networks,o=Company,dc=company,dc=com
accessTo: cn=EC2_instance1,ou=IPv4,ou=Networks,o=Company,dc=company,dc=com
uniqueMember: uid=developer1,ou=Users,o=Company,dc=company,dc=com
uniqueMember: uid=developer2,ou=Users,o=Company,dc=company,dc=com
Underneath ou=Users you will have user objects, identified uniquely by uid (although this can vary by directory). The PHP connect script also checks whether the user has any custom accessTo values embedded in their own user entry (which, as in the example below, therefore needs extensibleObject as well). The purpose of this is to give a user access to something that does not necessarily fit into a group definition.
Here is an example LDIF export:
dn: uid=example.user,ou=Users,o=Company,dc=company,dc=com
objectClass: extensibleObject
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
cn: Example User
sn: User
accessTo: cn=VPC_Admin-Subnet,ou=IPv4,ou=Networks,o=Company,dc=company,dc=com
accessTo: cn=RDS_Database2,ou=IPv4,ou=Networks,o=Company,dc=company,dc=com
givenName: Example
mail: [email protected]
uid: example.user
This segment of the LDAP database contains the most important part: the definitions of the instances you want to grant access to. The example LDAP structure contains two DNs underneath ou=Networks, holding the IPv4 and IPv6 entries respectively:

ou=Networks
  ou=IPv4
  ou=IPv6

Each entry underneath the IPv4 and IPv6 DNs should have an objectClass of ipNetwork. The ipNetworkNumber can be either an IP address or a DNS name, and the ipNetmaskNumber should be a CIDR prefix length. Note that the standard ipNetwork schema usually stores a dotted-decimal netmask in ipNetmaskNumber; this script expects the prefix length instead.
Here is an example LDIF export of an individual instance:
dn: cn=EC2_instance1,ou=IPv4,ou=Networks,o=Company,dc=company,dc=com
objectClass: top
objectClass: ipNetwork
cn: EC2_instance1
ipNetworkNumber: 10.0.0.10
ipNetmaskNumber: 32
Here is an example LDIF export of an entire subnet:
dn: cn=VPC_QA-Subnet,ou=IPv4,ou=Networks,o=Company,dc=company,dc=com
objectClass: top
objectClass: ipNetwork
cn: VPC_QA-Subnet
ipNetworkNumber: 10.20.0.0
ipNetmaskNumber: 27
Using those examples, the script assumes access over all ports and all protocols.

If you want to grant access to a resource only on certain ports or protocols, the PHP script also accounts for that possibility. To grant access to a resource or subnet on a specific port, create a DN with an objectClass of ipService underneath the resource entry. There you specify the ipServicePort and ipServiceProtocol for IPTables to process.

Here is an example LDIF export of an individual DNS instance and its subentries, where access is granted only to TCP/53 and UDP/53:
dn: cn=EC2_DNS-Server,ou=IPv4,ou=Networks,o=Company,dc=company,dc=com
objectClass: top
objectClass: ipNetwork
cn: EC2_DNS-Server
ipNetworkNumber: 10.30.0.10
ipNetmaskNumber: 32

dn: cn=TCP/53,cn=EC2_DNS-Server,ou=IPv4,ou=Networks,o=Company,dc=company,dc=com
objectClass: top
objectClass: ipService
cn: TCP/53
ipServicePort: 53
ipServiceProtocol: tcp

dn: cn=UDP/53,cn=EC2_DNS-Server,ou=IPv4,ou=Networks,o=Company,dc=company,dc=com
objectClass: top
objectClass: ipService
cn: UDP/53
ipServicePort: 53
ipServiceProtocol: udp
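As an added example that is not part of this page or the project's PHP script, the following Python shows how a client would resolve the grants described above: it merges group-level and user-level accessTo values, then expands each network into either all ports and protocols or the ipService children beneath it. The sample LDIF is constructed (abbreviated from the entries above, without objectClass lines), and parse_ldif and resolve_grants are hypothetical names.

```python
# Added example (not the project's PHP script): resolve a user's accessTo grants
# via group membership and ipService children. Sample LDIF below is constructed.
SAMPLE_LDIF = """\
dn: cn=Developers,ou=Groups,o=Company,dc=company,dc=com
accessTo: cn=EC2_DNS-Server,ou=IPv4,ou=Networks,o=Company,dc=company,dc=com
uniqueMember: uid=developer1,ou=Users,o=Company,dc=company,dc=com

dn: uid=developer1,ou=Users,o=Company,dc=company,dc=com
accessTo: cn=VPC_QA-Subnet,ou=IPv4,ou=Networks,o=Company,dc=company,dc=com

dn: cn=VPC_QA-Subnet,ou=IPv4,ou=Networks,o=Company,dc=company,dc=com
ipNetworkNumber: 10.20.0.0
ipNetmaskNumber: 27

dn: cn=EC2_DNS-Server,ou=IPv4,ou=Networks,o=Company,dc=company,dc=com
ipNetworkNumber: 10.30.0.10
ipNetmaskNumber: 32

dn: cn=TCP/53,cn=EC2_DNS-Server,ou=IPv4,ou=Networks,o=Company,dc=company,dc=com
ipServicePort: 53
ipServiceProtocol: tcp
"""

def parse_ldif(text):
    """Return {dn: {attr: [values]}}; LDIF separates entries with blank lines."""
    entries = {}
    for block in text.strip().split("\n\n"):
        attrs = {}
        for key, _, value in (line.partition(": ") for line in block.splitlines()):
            attrs.setdefault(key, []).append(value)
        entries[attrs["dn"][0]] = attrs
    return entries

def resolve_grants(entries, user_dn):
    """Return sorted (cidr, protocol, port) tuples; port None means all ports."""
    # Targets: the user's own accessTo plus every group naming the user as uniqueMember.
    targets = set(entries.get(user_dn, {}).get("accessTo", []))
    for attrs in entries.values():
        if user_dn in attrs.get("uniqueMember", []):
            targets.update(attrs.get("accessTo", []))
    grants = set()
    for net_dn in targets:
        net = entries[net_dn]
        cidr = f'{net["ipNetworkNumber"][0]}/{net["ipNetmaskNumber"][0]}'
        services = [a for d, a in entries.items() if d.endswith("," + net_dn)]
        if not services:  # no ipService children: all ports, all protocols
            grants.add((cidr, "all", None))
        for svc in services:
            grants.add((cidr, svc["ipServiceProtocol"][0], int(svc["ipServicePort"][0])))
    return sorted(grants, key=str)
```

A user with no matching entry or group membership resolves to an empty list, which is the result a connect script should treat as "no access".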