stoney core: OpenLDAP directory data organisation

158 bytes added, 13:53, 13 April 2021
The following chapters explain the data organisation of the stoney cloud OpenLDAP directory. This document describes the [[:Category:stoney core|stoney core]] relevant OpenLDAP directory data organisation.
== Administration ==
The subtree '''ou=administration,dc=stoney-cloud,dc=org''' contains all the administrative data.
=== nextfreeuid ===
The entry '''cn=nextfreeuid,ou=administration,dc=stoney-cloud,dc=org''' stores the next free UID (Unique Identifier). The UID is unique across the whole directory; the directory itself enforces this uniqueness, and the counter is incremented by one each time a UID is handed out.
dn: cn=nextfreeuid,ou=administration,dc=stoney-cloud,dc=org
+ All operational attributes are returned.
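How a directory can enforce that the nextfreeuid counter never hands out the same UID twice, as an added example that is not stoney cloud's own code: an LDAP modify that deletes the old counter value and adds the new one in a single operation is applied atomically, so a stale swap is rejected and the client simply retries. The attribute name sstNextFreeUID and the in-memory stand-in for slapd are assumptions; the page only shows the entry's dn.

```python
# Added example (not stoney cloud's own code). The attribute name
# sstNextFreeUID is an assumption; the page only shows the entry's dn.
import threading
NEXTFREEUID_DN = "cn=nextfreeuid,ou=administration,dc=stoney-cloud,dc=org"
COUNTER_ATTR = "sstNextFreeUID"  # assumed attribute name

class FakeDirectory:
    """Stand-in for slapd: a delete+add modify of one attribute is one atomic unit."""

    def __init__(self, first_free_uid: int):
        self._entries = {NEXTFREEUID_DN: {COUNTER_ATTR: {str(first_free_uid)}}}
        self._lock = threading.Lock()  # slapd serialises writes to an entry

    def read(self, dn: str, attr: str) -> str:
        return next(iter(self._entries[dn][attr]))

    def modify(self, dn: str, delete: tuple, add: tuple) -> bool:
        """Reject the whole modify if the value to delete is already gone."""
        attr, old = delete
        _, new = add
        with self._lock:
            values = self._entries[dn][attr]
            if old not in values:
                return False  # another client already consumed this value
            values.discard(old)
            values.add(new)
            return True

def allocate_uid(directory: FakeDirectory, max_retries: int = 100) -> int:
    """Reserve the next free UID; retry when the directory rejects a stale swap."""
    for _ in range(max_retries):
        current = directory.read(NEXTFREEUID_DN, COUNTER_ATTR)
        bumped = str(int(current) + 1)  # the counter is incremented by one
        if directory.modify(NEXTFREEUID_DN, delete=(COUNTER_ATTR, current),
                            add=(COUNTER_ATTR, bumped)):
            return int(current)
    raise RuntimeError("could not allocate a UID after retries")

def allocate_concurrently(first_free_uid: int, workers: int) -> list:
    """Let several allocators race; with compare-and-swap no UID is handed out twice."""
    directory = FakeDirectory(first_free_uid)
    results = []
    threads = [threading.Thread(target=lambda: results.append(allocate_uid(directory)))
               for _ in range(workers)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sorted(results)
```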
=== Billing ===
The sub tree '''ou=billing,ou=administration,dc=stoney-cloud,dc=org''' stores all the billing relevant data. Each billable item (bundle, service or service item) is stored in this sub tree.
dn: ou=billing,ou=administration,dc=stoney-cloud,dc=org
All prices are stored in Swiss Francs (because the company stepping stone GmbH resides in Switzerland); you can choose your own default currency. Once a month a billing run is executed, which scans the whole directory. The billing run is currently work in progress. For more information, please contact our [mailto:accounting@stepping-stone.ch Accounting] department.
=== Group Mapping ===
This sub tree is used to map groups from their human-readable names to the local group UID format.
dn: ou=group mapping,ou=administration,dc=stoney-cloud,dc=org
sstLDAPStaticAttribute: uid
==== Example Mapping for the Technology Group ====
The following search maps the group Technology, belonging to the reseller with sstBelongsToResellerUID 4000000 and the customer with sstBelongsToCustomerUID 4000001, to the uid 4000014:
<pre>
</pre>
==== Example Mapping for all Groups ====
The following search lists all the existing groups belonging to the reseller with sstBelongsToResellerUID 4000000 and the customer with sstBelongsToCustomerUID 4000001, together with their corresponding uids:
<pre>
</pre>
=== People (Superuser) ===
The sub tree '''ou=people,ou=administration,dc=stoney-cloud,dc=org''' lists all users that have superuser rights (users with the attribute '''sstBelongsToUID=1'''). This entry uses the dynlist overlay: the attribute '''labeleduri''' contains a pre-defined search whose result is an automatically generated list.
dn: ou=people,ou=administration,dc=stoney-cloud,dc=org
As you can see, the OpenLDAP directory has three people with superuser rights.
=== Services ===
The sub tree '''ou=services,ou=administration,dc=stoney-cloud,dc=org''' contains all the service users. Each service and/or application has its own authentication user. The authentication user is used in the [[OpenLDAP Directory Access Control Lists]] (ACLs) to allow or restrict access to the data.
** prov-storage-nextcloud
==== backup Service User (stoney backup) ====
The following LDIF shows the backup service user entry:
dn: cn=backup,ou=services,ou=administration,dc=stoney-cloud,dc=org
userPassword: {SSHA}pJpqL95nlFi78rnAstmn6VvZCXWTjVHZ
==== dhcp (DHCP) Service User (stoney conductor) ====
The following LDIF shows the dhcp service user entry:
dn: cn=dhcp,ou=services,ou=administration,dc=stoney-cloud,dc=org
userPassword: {SSHA}pJpqL95nlFi78rnAstmn6VvZCXWTjVHZ
==== libvirtd Service User (stoney conductor) ====
The following LDIF shows the libvirtd service user entry:
dn: cn=libvirtd,ou=services,ou=administration,dc=stoney-cloud,dc=org
userPassword: {SSHA}pJpqL95nlFi78rnAstmn6VvZCXWTjVHZ
==== prov-backup-kvm (Provisioning-Backup-KVM Daemon) Service User (stoney conductor) ====
The following LDIF shows the prov-backup-kvm service user entry:
dn: cn=prov-backup-kvm,ou=services,ou=administration,dc=stoney-cloud,dc=org
userPassword: <STONEY-CLOUD-PROV-BACKUP-KVM-PASSWORD>
==== slapd-mirrormode Service User (stoney core) ====
The following LDIF shows the slapd-mirrormode service user entry:
dn: cn=slapd-mirrormode,ou=services,ou=administration,dc=stoney-cloud,dc=org
userPassword: {SSHA}pJpqL95nlFi78rnAstmn6VvZCXWTjVHZ
==== billing-cyclops Service User (stoney core) ====
The following LDIF shows the billing service user entry:
dn: cn=billing-cyclops,ou=services,ou=administration,dc=stoney-cloud,dc=org
userPassword: {SSHA}pJpqL95nlFi78rnAstmn6VvZCXWTjVHZ
== Configuration ==
=== Configuration management ===
The sub tree '''ou=configuration management,ou=configuration,dc=stoney-cloud,dc=org''' contains the configuration management system relevant entries of the whole stoney cloud installation. They can be extended by the administrator.
<source lang="LDIF">
</source>
==== Configuration management - Regions ====
The sub tree '''ou=regions,ou=configuration management,ou=configuration,dc=stoney-cloud,dc=org''' contains the configuration management system region entries of the whole stoney cloud installation. They can be extended by the administrator.
<source lang="LDIF">
</source>
===== Configuration management - Regions - Region example =====
The following LDIF example shows a typical region.
* '''x''': Mandatory in all cases.
==== Configuration management - Roles ====
The sub tree '''ou=roles,ou=configuration management,ou=configuration,dc=stoney-cloud,dc=org''' contains the configuration management system role entries of the whole stoney cloud installation. They can be extended by the administrator.
===== Configuration management - Roles - Roles example =====
The following LDIF example shows a typical role.
=== Operating System ===
The sub tree '''ou=operating system,ou=configuration,dc=stoney-cloud,dc=org''' contains the operating system choices for the whole stoney cloud installation. They can be extended by the administrator.
# This sub tree contains the operating system choices for the whole stoney cloud installation.
description: This sub tree contains the operating system choices for the whole stoney cloud installation.
==== Linux ====
The sub tree '''uid=4000019,ou=operating system,ou=configuration,dc=stoney-cloud,dc=org''' contains the Linux based operating system choices for the whole stoney cloud installation.
# This sub tree contains the Linux based operating system choices for the whole stoney cloud installation.
sstAllowPersonUID: 0
==== Windows ====
The sub tree '''uid=4000036,ou=operating system,ou=configuration,dc=stoney-cloud,dc=org''' contains the Windows based operating system choices for the whole stoney cloud installation.
# This sub tree contains the Windows based operating system choices for the whole stoney cloud installation.
sstAllowPersonUID: 0
=== Software Stack ===
The sub tree '''ou=software stack,ou=configuration,dc=foss-cloud,dc=org''' contains the software stack choices for the whole stoney cloud installation. They can be extended by the administrator.
# This sub tree contains the software stack choices for the whole stoney cloud installation.
sstAllowPersonUID: 0
== Customers ==
The sub tree '''ou=customers,dc=stoney-cloud,dc=org''' contains all the customers. Each customer has a unique uid, which is used for later reference.
=== Customers - Customer ===
We have two kinds of customers:
* '''Company customer''': This is the normal case, as we target companies.
* '''x<sup>1</sup>''': If <code>sstIsCompany</code> is set to <code>TRUE</code>, the <code>organizationName</code> must be set. Otherwise <code>givenName</code> and <code>surname</code> must be set.
==== Customers - Customer - Billing address ====
The sub tree '''ou=address,uid=4000001,ou=customers,dc=stoney-cloud,dc=org''' contains the billing address for a '''company customer''':
* '''x<sup>4</sup>''': If the countryName is either Canada or the USA, the stateOrProvinceName needs to be present.
==== Customers - Customer - Shipping address (optional) ====
The sub tree '''ou=shipping,uid=4000001,ou=customers,dc=stoney-cloud,dc=org''' contains the shipping address and is optional (it is only needed if the shipping address differs from the billing address).
<source lang='ldif'>
</source>
==== Customers - Customer - Billing ====
The sub tree '''ou=billing,uid=4000001,ou=customers,dc=stoney-cloud,dc=org''' contains billing relevant data. The following example shows a customer, receiving a monthly bill.
* '''x<sup>2</sup>''': As the default of the attribute <code>sstBillable</code> is <code>TRUE</code>, it's not really mandatory. For better readability, please always add the attribute <code>sstBillable</code>.
==== Customers - Customer - Employees ====
The sub tree '''ou=employees,uid=4000001,ou=customers,dc=stoney-cloud,dc=org''' contains the employees belonging to the customer '''Customer Ltd.''' (all the employees with the attribute sstBelongsToEmployeeUID=4000001). With the attribute labeledURI we use the [http://www.openldap.org/doc/admin24/overlays.html#Dynamic%20Lists dynamic lists overlay] to obtain an automatically generated list of the employees belonging to this customer. The number of employees is always equal to or smaller than the number of people belonging to a customer (they are a subset).
* '''x''': Mandatory in all cases.
==== Customers - Customer - People ====
The sub tree '''ou=people,uid=4000001,ou=customers,dc=stoney-cloud,dc=org''' contains all the people belonging to the customer '''Customer Ltd.''' (all the people, including the employees, with the attribute sstBelongsToCustomerUID=4000001). With the attribute labeledURI we use the [http://www.openldap.org/doc/admin24/overlays.html#Dynamic%20Lists dynamic lists overlay] to obtain an automatically generated list of the people belonging to this customer. The number of people is always equal to or larger than the number of employees belonging to a customer.
* '''x''': Mandatory in all cases.
=== Customers - Customer (LEGACY) ===
We have two kinds of customers:
* '''Company customer''': This is the normal case, as we target companies.
* '''x''': Mandatory in all cases.
==== Customers - Customer (LEGACY) - Billing address ====
The sub tree '''ou=address,uid=4000001,ou=customers,dc=stoney-cloud,dc=org''' contains the billing address for a '''company customer''':
* '''x<sup>3</sup>''': If the countryName is either Canada or the USA, the stateOrProvinceName needs to be present.
== Groups ==
== People ==
This sub tree contains all the people. Each person has a unique identifier (uid):
<source lang='ldif'>
</source>
=== People - Person ===
Each person has its own leaf with a unique identifier (uid). The following LDIF shows a typical '''person''' entry. All relevant data belonging to this person is stored below this leaf.
* '''x<sup>2</sup>''': Mandatory, if the person belongs to customer that has subscribed a [https://wwww.stoney-storage.com/ stoney storage] service.
==== People - Person - Session tokens ====
With session tokens, a log out only means that the client discards its token. Anyone who still holds the token can keep making API requests with it until it expires. In other words, a real "log out" procedure does not exist and cannot be implemented properly with the token alone. The usual remedy is a "revocation list" or "black list" of revoked tokens, which makes the API stateful because that list has to be stored somewhere. In our case, we store the session tokens in a leaf beneath the person entry (as these tokens are personal).
===== People - Person - Session tokens example =====
Below each person entry there is a token sub tree, which stores the session tokens:
The API makes sure that the number of remote IP addresses and requesting User-Agents registered for a session does not exceed a configurable limit (for example: 2). If the limit is exceeded, the session is invalidated.
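The token handling described above, modelled in Python as an added example that is not stoney cloud's own code: tokens are stored beneath the person entry, log out deletes the token leaf (so no separate black list is needed), and a session is invalidated once it has been used from more distinct remote IP addresses or User-Agents than the configured limit. The leaf name ou=tokens and the in-memory store standing in for the directory are assumptions.

```python
# Added example (not stoney cloud's own code). Tokens are kept as leaves
# under the person entry; the leaf name ou=tokens is an assumption.
import secrets

PERSON_DN = "uid=4000002,ou=people,dc=stoney-cloud,dc=org"
CLIENT_LIMIT = 2  # configurable limit on distinct IPs / User-Agents per session

class SessionTokenStore:
    """In-memory model of the per-person token sub tree."""

    def __init__(self, limit: int = CLIENT_LIMIT, ttl: int = 3600):
        self.limit, self.ttl = limit, ttl
        self._tokens = {}  # token dn -> record (stands in for the LDAP leaf)

    @staticmethod
    def token_dn(person_dn: str, token: str) -> str:
        return f"cn={token},ou=tokens,{person_dn}"  # assumed leaf layout

    def login(self, person_dn: str, now: float) -> str:
        """Issue a fresh random token and store it beneath the person."""
        token = secrets.token_urlsafe(32)
        self._tokens[self.token_dn(person_dn, token)] = {
            "expires": now + self.ttl, "ips": set(), "agents": set()}
        return token

    def logout(self, person_dn: str, token: str) -> None:
        """Deleting the leaf IS the revocation: no separate black list needed."""
        self._tokens.pop(self.token_dn(person_dn, token), None)

    def validate(self, person_dn: str, token: str, ip: str, agent: str, now: float) -> bool:
        """True only for a stored, unexpired token used by at most `limit` clients."""
        dn = self.token_dn(person_dn, token)
        rec = self._tokens.get(dn)
        if rec is None or now >= rec["expires"]:
            self._tokens.pop(dn, None)  # unknown or expired: make sure it is gone
            return False
        rec["ips"].add(ip)
        rec["agents"].add(agent)
        if len(rec["ips"]) > self.limit or len(rec["agents"]) > self.limit:
            del self._tokens[dn]  # too many distinct clients: invalidate session
            return False
        return True
```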
==== People - Person - Roles (LEGACY) ====
<source lang='ldif'>
dn: sstRole=Monitoring Administrator,uid=4000002,ou=people,dc=stoney-cloud,dc=org
</source>
== Reseller ==
The sub tree '''ou=reseller,dc=stoney-cloud,dc=org''' contains all the resellers. Each reseller has a unique uid, which is used for later reference.
=== Reseller uid (per Reseller) (LEGACY) ===
The following LDIF shows you the default reseller entry after a fresh stoney cloud installation. All relevant data belonging to this reseller is stored below this dn.
dn: uid=4000000,ou=reseller,dc=stoney-cloud,dc=org
* '''x''': Mandatory in all cases.
=== Reseller uid (per Reseller) ===
The following LDIF shows you the default reseller entry after a fresh stoney cloud installation. All relevant data belonging to this reseller is stored below this dn.
dn: uid=4000000,ou=reseller,dc=stoney-cloud,dc=org
* '''x''': Mandatory in all cases.
==== Reseller Billing Address (LEGACY) ====
The sub tree '''ou=address,uid=4000000,ou=reseller,dc=stoney-cloud,dc=org''' contains the billing address:
dn: ou=address,uid=4000000,ou=reseller,dc=stoney-cloud,dc=org
* '''x<sup>3</sup>''': If the countryName is either Canada or the USA, the stateOrProvinceName needs to be present.
==== Reseller Billing Address ====
The sub tree '''ou=address,uid=4000000,ou=reseller,dc=stoney-cloud,dc=org''' contains the billing address:
dn: ou=address,uid=4000000,ou=reseller,dc=stoney-cloud,dc=org
* '''x<sup>4</sup>''': If the countryName is either Canada or the USA, the stateOrProvinceName needs to be present.
==== Reseller Shipping Address (optional) ====
The sub tree '''ou=shipping,uid=4000000,ou=reseller,dc=stoney-cloud,dc=org''' contains the shipping address and is optional (it is only needed if the shipping address differs from the billing address).
dn: ou=shipping,uid=4000000,ou=reseller,dc=stoney-cloud,dc=org
sstWebsiteURL: https://www.example.com/
==== Reseller Billing ====
The sub tree '''ou=billing,uid=4000000,ou=reseller,dc=stoney-cloud,dc=org''' contains billing relevant data. The following example shows a reseller, receiving a monthly bill.
* '''x<sup>2</sup>''': As the default of the attribute <code>sstBillable</code> is <code>TRUE</code>, it's not really mandatory. For better readability, please always add the attribute <code>sstBillable</code>.
==== Reseller Customers ====
The sub tree '''ou=customers,uid=4000000,ou=reseller,dc=stoney-cloud,dc=org''' contains the customers belonging to the reseller '''Reseller Ltd.''' (all the customers with the attribute sstBelongsToResellerUID=4000000). With the attribute labeledURI we use the [http://www.openldap.org/doc/admin24/overlays.html#Dynamic%20Lists dynamic lists overlay] to obtain an automatically generated list of the customers belonging to this reseller.
* '''x''': Mandatory in all cases.
==== Reseller Employees ====
The sub tree '''ou=employees,uid=4000000,ou=reseller,dc=stoney-cloud,dc=org''' contains the employees belonging to the reseller '''Reseller Ltd.''' (all the employees with the attribute sstBelongsToEmployeeUID=4000000). With the attribute labeledURI we use the [http://www.openldap.org/doc/admin24/overlays.html#Dynamic%20Lists dynamic lists overlay] to obtain an automatically generated list of the employees belonging to this reseller. The number of employees is always equal to or smaller than the number of people belonging to a reseller (they are a subset).
* '''x''': Mandatory in all cases.
==== Reseller People ====
The sub tree '''ou=people,uid=4000000,ou=reseller,dc=stoney-cloud,dc=org''' contains all the people belonging to the reseller '''Reseller Ltd.''' (all the people, including the employees, with the attribute sstBelongsToResellerUID=4000000). With the attribute labeledURI we use the [http://www.openldap.org/doc/admin24/overlays.html#Dynamic%20Lists dynamic lists overlay] to obtain an automatically generated list of the people belonging to this reseller. The number of people is always equal to or larger than the number of employees belonging to a reseller.