<source lang='bash'>
ldapsearch -D "cn=Manager,dc=stoney-cloud,dc=org" -w admin -H "ldap://10.1.130.14:389" -b "ou=groups,dc=stoney-cloud,dc=org" "(&(objectClass=sstGroupObjectClass)(sstGroupName=*)(sstBelongsToResellerUID=4000000)(sstBelongsToCustomerUID=4000001))" uid
</source>

<source lang='text'>
# extended LDIF
#
</source>
=== People (Superuser) ===
The sub tree '''<code>ou=people,ou=administration,dc=stoney-cloud,dc=org</code>''' lists all users which have superuser rights (users with the attribute '''<code>sstBelongsToUID=1</code>'''). This entry uses the functionality of the dynlist overlay: the attribute '''labeleduri''' contains a pre-defined search, which leads to an automatically created list.
<source lang='ldif'>
dn: ou=people,ou=administration,dc=stoney-cloud,dc=org
objectclass: top
objectclass: organizationalUnit
objectclass: labeledURIObject
ou: people
labeleduri: ldap:///ou=people,dc=stoney-cloud,dc=org??one?(sstBelongsToUID=1)
member: uid=1000000,ou=people,dc=stoney-cloud,dc=org
member: uid=1000003,ou=people,dc=stoney-cloud,dc=org
member: uid=1000004,ou=people,dc=stoney-cloud,dc=org
</source>
As you can see, the OpenLDAP directory has three people with superuser rights.
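The dynlist resolution described above, as an added example that is not part of this wiki page or of OpenLDAP: it parses the labeleduri, applies its scope and filter to a small constructed set of entries, and reports drift between the member list the overlay would generate and a recorded one. The sample entries and the function names are assumptions, and only the single equality/presence assertion used by the page's URI is supported.

```python
# Added example (not stoney cloud wiki or OpenLDAP code): resolve a dynlist labeledURI against constructed entries.
from urllib.parse import unquote

SUPERUSER_URI = "ldap:///ou=people,dc=stoney-cloud,dc=org??one?(sstBelongsToUID=1)"
# Constructed sample entries (dn -> attributes); not a real directory dump.
ENTRIES = {
    "uid=1000000,ou=people,dc=stoney-cloud,dc=org": {"sstBelongsToUID": ["1"]},
    "uid=1000003,ou=people,dc=stoney-cloud,dc=org": {"sstBelongsToUID": ["1"]},
    "uid=1000004,ou=people,dc=stoney-cloud,dc=org": {"sstBelongsToUID": ["1"]},
    "uid=4000001,ou=people,dc=stoney-cloud,dc=org": {"sstBelongsToUID": ["4000000"]},
    # below a sub-OU: not a direct child of the base, so scope "one" skips it
    "uid=1000009,ou=staff,ou=people,dc=stoney-cloud,dc=org": {"sstBelongsToUID": ["1"]},
}

def parse_ldap_url(url):
    """Split an RFC 4516 LDAP URL into (base DN, attribute list, scope, filter)."""
    if not url.startswith("ldap://"):
        raise ValueError("not an ldap:// URL")
    _host, _, rest = url[len("ldap://"):].partition("/")
    fields = [unquote(f) for f in rest.split("?")] + [""] * 4
    base, attrs, scope, flt = fields[:4]
    attrs = [a for a in attrs.split(",") if a]
    return base, attrs, (scope or "base").lower(), flt or "(objectClass=*)"

def dn_in_scope(dn, base, scope):
    """Apply the search scope: base, one (direct children only) or sub."""
    dn, base = dn.lower(), base.lower()
    if scope == "base":
        return dn == base
    if not dn.endswith("," + base):
        return False
    rdns_below_base = dn[: -len(base) - 1].count(",") + 1
    return rdns_below_base == 1 if scope == "one" else True

def matches(entry, flt):
    """Evaluate one equality or presence assertion such as (sstBelongsToUID=1)."""
    attr, _, value = flt.strip("()").partition("=")
    values = {k.lower(): v for k, v in entry.items()}.get(attr.lower(), [])
    return bool(values) if value == "*" else value in values

def resolve_dynlist(labeleduri, entries):
    """Return the member DNs the dynlist overlay would generate for labeleduri."""
    base, _attrs, scope, flt = parse_ldap_url(labeleduri)
    return sorted(dn for dn, e in entries.items()
                  if dn_in_scope(dn, base, scope) and matches(e, flt))

def member_drift(labeleduri, entries, listed_members):
    """DNs the URI yields that a recorded member list lacks, and vice versa."""
    computed, listed = set(resolve_dynlist(labeleduri, entries)), set(listed_members)
    return sorted(computed - listed), sorted(listed - computed)
```

Feeding it the three member values shown in the LDIF above yields no drift; a superuser entry added under the base without updating a static copy of the list shows up in the first tuple element.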
=== Services ===
The sub tree '''ou=services,ou=administration,dc=stoney-cloud,dc=org''' contains all the service users. Each service and/or application has its own authentication user. The authentication user is used in the [[HTTP Basic authentication against OpenLDAP directory|OpenLDAP Directory Access Control Lists]] (ACLs) to allow or restrict access to the data.
Naming Convention '''Notification User''':
* <SERVICE>-notification
** backup-notification
** cloud-notification
** lbaas-notification
** mail-notification
** storage-notification
Naming Convention '''Service User''':
* <SERVICE>-<DAEMON>
** backup-pam-ldap
** cloud-openstack
** crm-suitecrm
** billing-cyclops
** cm-puppetboard ('''c'''onfiguration '''m'''anagement - Puppetboard Service)
** dms-alfresco ('''d'''ocument '''m'''anagement '''s'''ystem - Alfresco)
** iac-terraform ('''i'''nfrastructure '''a'''s '''c'''ode - Terraform)
** <s>lbaas-haproxy</s>
** <s>lbaas-pam-ldap</s>
** monitoring-zabbix
** phabricator
** pm-kanboard
** qos-rally
** storage-nextcloud
** storage-pam_ldap
** timetracking-kimai
** vault-cryptopus (A vault is a place where secrets are stored - in other words a password management system)
** vcs-gitlab ('''v'''ersion '''c'''ontrol '''s'''ystem - GitLab Service)
** virtualization-sc-brokerd
** wiki-int
Naming Convention '''API User''':
* <SERVICE>-api
** lbaas-api
Naming Convention '''Provisioning User''':
* prov-<SERVICE>-<TYPE>
** prov-backup-kvm
** prov-cloud-openstack
** prov-configuration-management-puppet
** <s>prov-lbaas-haproxy</s>
** prov-mail-ox ('''O'''pen-'''X'''change)
** prov-monitoring-zabbix
{| class="wikitable"
| <center>'''Existence'''</center>
| <center>'''Mandatory'''</center>
| style="border:0.002cm solid #000000;padding:0.097cm;"| '''Description'''
|-
| <center>MAY</center>
| <center>x</center>
| The organisation name of the reseller. For example: '''Reseller Ltd.'''. A reseller must be a company (<code>sstIsCompany: TRUE</code>); in case of a person, '''Surname, givenName''' (<code>sstIsCompany: FALSE</code>), or in case of a brand, a freely chosen string such as '''Super Dooper Web Hosting''' (<code>sstIsCompany: FALSE</code>).
|}