Load Balancer as a Service (LBaaS): OpenLDAP directory data organisation
Abstract
This document describes the OpenLDAP directory data organisation for the Load Balancer as a Service (LBaaS).
Data Organisation
The following chapters explain the data organisation of the stoney cloud OpenLDAP directory. In this case we are looking at the Load Balancer as a Service (LBaaS).
Load Balancer as a Service (LBaaS)
The sub tree `ou=lbaas,ou=services,dc=stoney-cloud,dc=org` contains all the HAProxy based Load Balancer as a Service (LBaaS) data. The following LDIF shows the lbaas LDAP entry for the Load Balancer as a Service (LBaaS):

```ldif
dn: ou=lbaas,ou=services,dc=stoney-cloud,dc=org
objectclass: top
objectclass: organizationalUnit
ou: lbaas
description: The sub tree for the HAproxy based Load Balancer as a Service (LBaaS).
```
The following table describes the different attributes:
Attribute | Objectclass | Existence | Mandatory | Description
---|---|---|---|---
ou | organizationalUnit | | | The name of the leaf. For the HAProxy based Load Balancer as a Service (LBaaS) this is: `lbaas`.
description | organizationalUnit | | | The description of the leaf. For the HAProxy based Load Balancer as a Service (LBaaS) the description is: `The sub tree for the HAproxy based Load Balancer as a Service (LBaaS).`
Legend:
- x: Mandatory in all cases.
Load Balancer as a Service (LBaaS) - Configuration (currently neither used nor implemented)
The sub tree for the configuration of the Load Balancer as a Service (LBaaS):

```ldif
dn: ou=configuration,ou=lbaas,ou=services,dc=stoney-cloud,dc=org
objectclass: top
objectclass: organizationalUnit
ou: configuration
description: The sub tree for the configuration of the HAProxy based Load Balancer as a Service (LBaaS).
```
The following table describes the different attributes:
Attribute | Objectclass | Existence | Mandatory | Description
---|---|---|---|---
ou | organizationalUnit | | | The name of the leaf. For the configuration of the HAProxy based Load Balancer as a Service (LBaaS) this is: `configuration`.
description | organizationalUnit | | | The description of the leaf. For the configuration of the HAProxy based Load Balancer as a Service (LBaaS) this is: `The sub tree for the configuration of the HAProxy based Load Balancer as a Service (LBaaS).`
Legend:
- x: Mandatory in all cases.
Load Balancer as a Service (LBaaS) - Configuration - Provisioning daemon (currently neither used nor implemented)
See the Services description for the naming convention.
The sub tree for the configuration of the prov-lbaas-haproxy daemon:

```ldif
dn: ou=prov-lbaas-haproxy,ou=configuration,ou=lbaas,ou=services,dc=stoney-cloud,dc=org
objectclass: top
objectclass: organizationalUnit
objectclass: sstServiceConfigurationObjectClass
ou: prov-lbaas-haproxy
description: The sub tree for the configuration of the prov-lbaas-haproxy provisioning daemon.
sstIsActive: TRUE
```
The following table describes the different attributes:
Attribute | Objectclass | Existence | Mandatory | Description
---|---|---|---|---
ou | organizationalUnit | | | The name of the leaf. For the HAProxy based Load Balancer as a Service (LBaaS) prov-lbaas-haproxy provisioning daemon this is: `prov-lbaas-haproxy`.
description | organizationalUnit | | | The description of the leaf. For the HAProxy based Load Balancer as a Service (LBaaS) prov-lbaas-haproxy provisioning daemon this is: `The sub tree for the configuration of the prov-lbaas-haproxy provisioning daemon.`
sstIsActive | sstServiceConfigurationObjectClass | | | Is the entry active? Either TRUE (yes) or FALSE (no). The default value is
Legend:
- x: Mandatory in all cases.
Load Balancer as a Service (LBaaS) - Configuration - Reseller (currently neither used nor implemented)
The sub tree for the reseller specific Load Balancer as a Service (LBaaS) settings:

```ldif
dn: ou=reseller,ou=configuration,ou=lbaas,ou=services,dc=stoney-cloud,dc=org
objectclass: top
objectclass: organizationalUnit
ou: reseller
description: The sub tree for the reseller specific configuration of the HAProxy based Load Balancer as a Service (LBaaS).
```
The following table describes the different attributes:
Attribute | Objectclass | Existence | Mandatory | Description
---|---|---|---|---
ou | organizationalUnit | | | The name of the leaf. For the reseller specific HAProxy based Load Balancer as a Service (LBaaS) service this is: `reseller`.
description | organizationalUnit | | | The description of the leaf. For the reseller specific HAProxy based Load Balancer as a Service (LBaaS) service this is: `The sub tree for the reseller specific configuration of the HAProxy based Load Balancer as a Service (LBaaS).`
Legend:
- x: Mandatory in all cases.
The sub tree for the specific Load Balancer as a Service (LBaaS) settings for the reseller Reseller Ltd. with the uid 4000000:

```ldif
dn: uid=4000000,ou=reseller,ou=configuration,ou=lbaas,ou=services,dc=stoney-cloud,dc=org
objectclass: top
objectclass: sstReseller
objectclass: sstServiceConfigurationObjectClass
uid: 4000000
organizationName: Reseller Ltd.
description: The sub tree for the specific Load Balancer as a Service (LBaaS) settings for the reseller Reseller Ltd. with the uid 4000000.
sstIsActive: TRUE
sstIsCompany: TRUE
sstIsDefault: TRUE
sstBelongsToResellerUID: 4000000
```
The following table describes the different attributes:
Attribute | Objectclass | Existence | Mandatory | Description
---|---|---|---|---
uid | sstReseller | | | A unique integer value with 7 digits or more. For example: `4000000`.
organizationName | sstReseller | | | The company name. For example: `Reseller Ltd.`
givenName | sstReseller | | | Name. For example:
surname | sstReseller | | | Surname. For example:
description | sstReseller | | | The description of the leaf. For example: `The sub tree for the specific Load Balancer as a Service (LBaaS) settings for the reseller Reseller Ltd. with the uid 4000000.`
sstIsActive | sstReseller | | | Is the entry active? Either TRUE (yes) or FALSE (no). The default value is
sstIsCompany | sstReseller | | | Do we have an organisation or a private person? Either TRUE (yes) or FALSE (no). The default value is
sstIsDefault | sstServiceConfigurationObjectClass | | | Is this leaf a default entry? Either TRUE (yes) or FALSE (no). If sstIsDefault is set to TRUE, this entry acts as a fall back configuration. In other words: if a reseller doesn't have his own Load Balancer as a Service (LBaaS) configuration, this one will be used. As you would normally have only one default configuration per cloud, the default value is
sstBelongsToResellerUID | sstReseller | | | Stores the reseller UID the leaf belongs to. A unique value with 7 digits or more. For example: `4000000`.
Legend:
- x: Mandatory in all cases.
- x1: If sstIsCompany is set to TRUE, the organizationName must be set. Otherwise givenName and surname must be set.
Load Balancer as a Service (LBaaS) - Accounts
The sub tree for the accounts of the Load Balancer as a Service (LBaaS):

```ldif
dn: ou=accounts,ou=lbaas,ou=services,dc=stoney-cloud,dc=org
objectclass: top
objectclass: organizationalUnit
ou: accounts
description: The sub tree for the accounts of the Load Balancer as a Service (LBaaS).
```
The following table describes the different attributes:
Attribute | Objectclass | Existence | Mandatory | Description
---|---|---|---|---
ou | organizationalUnit | | | The name of the leaf. In this case: `accounts`.
description | organizationalUnit | | | The description of the leaf. In this case: `The sub tree for the accounts of the Load Balancer as a Service (LBaaS).`
Legend:
- x: Mandatory in all cases.
Load Balancer as a Service (LBaaS) - Account example
The following example shows the OpenLDAP directory entry for the Load Balancer as a Service (LBaaS) account with the uid number 4000005:
```ldif
dn: uid=4000005,ou=accounts,ou=lbaas,ou=services,dc=stoney-cloud,dc=org
objectclass: top
objectclass: account
objectclass: sstLBaaS
objectclass: sstRelationship
uid: 4000005
# Human readable description: fqdn (backend host 1, backend host 2)
description: www.example.com (sst-int-001, sst-int-002)
sstIsActive: TRUE
# Uniform Resource Identifier with optional label.
sstLBaaSFrontendURI: https://www.example.com/
sstLBaaSFrontendURI: https://example.com/
sstLBaaSFrontendURI: https://api.example.com/
# Uniform Resource Identifier with optional label of the first and the second backend host.
sstLBaaSBackendURI: https://sst-int-001.os.stoney-cloud.com/
sstLBaaSBackendURI: https://sst-int-002.os.stoney-cloud.com/
# Fully qualified domain name (FQDN) of the first and the second HAProxy server.
sstLBaaSHost: haproxy-001.os.stoney-cloud.com
sstLBaaSHost: haproxy-002.os.stoney-cloud.com
sstBelongsToResellerUID: 4000000
sstBelongsToCustomerUID: 4000001
# The service belongs to the first backend host defined in the variable sstLBaaSBackendURI (https://sst-int-001.os.stoney-cloud.com/).
sstBelongsToServiceUID: 4000003
# The service belongs to the second backend host defined in the variable sstLBaaSBackendURI (https://sst-int-002.os.stoney-cloud.com/).
sstBelongsToServiceUID: 4000004
```
The following table describes the different attributes:
Attribute | Objectclass | Existence | Mandatory | Description
---|---|---|---|---
uid | account | | | The unique identifier (uid). This attribute is created by the Self-Service interface by reading (and incrementing) the next free uid from `cn=nextfreeuid,ou=administration,dc=stoney-cloud,dc=org`.
description | account | | | Human readable description: fqdn (backend host 1, backend host 2). For example: `www.example.com (sst-int-001, sst-int-002)`.
sstIsActive | sstRelationship | | | Is the Load Balancer as a Service (LBaaS) account active? Either TRUE (yes) or FALSE (no). Default is TRUE (yes).
sstLBaaSFrontendURI | sstLBaaS | | | This multi-valued attribute stores one or more Load Balancer as a Service (LBaaS) frontend servers in the form of a Uniform Resource Identifier with optional label. Some examples: `https://www.example.com/`, `https://example.com/`, `https://api.example.com/`.
sstLBaaSBackendURI | sstLBaaS | | | This multi-valued attribute stores one or more Load Balancer as a Service (LBaaS) backend servers in the form of a Uniform Resource Identifier with optional label. Some examples: `https://sst-int-001.os.stoney-cloud.com/`, `https://sst-int-002.os.stoney-cloud.com/`.
sstLBaaSHost | sstLBaaS | | | This multi-valued attribute stores one or more Load Balancer as a Service (LBaaS) servers in the form of a fully qualified domain name. Some examples: `haproxy-001.os.stoney-cloud.com`, `haproxy-002.os.stoney-cloud.com`.
sstBelongsToResellerUID | sstRelationship | | | Stores the reseller UID the leaf belongs to.
sstBelongsToCustomerUID | sstRelationship | | | Stores the customer UID the leaf belongs to.
sstBelongsToServiceUID | sstRelationship | | | Stores the service UID(s) this entry belongs to. The service belongs to the backend host(s) defined in the variable(s) (sstLBaaSBackendURI). This multi-valued attribute can point to multiple services (one or more LBaaS backends). Some examples: `4000003`, `4000004`.
Legend:
- x: Mandatory in all cases.
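As an added example (not part of the stoney cloud project), the following Python script parses LDIF entries of the shape shown on this page and checks the conventions stated above: the legend rule x1 for reseller entries, UIDs with 7 or more digits, the dn/uid relationship, and one sstBelongsToServiceUID per sstLBaaSBackendURI value. The sample LDIF is constructed from the entries on this page; the requirement that frontend and backend URIs are https URIs with a host is an assumption, not a rule stated by the page.

```python
import re
from urllib.parse import urlsplit

# Constructed samples, taken from the LDIF shown on this page (remarks moved to '#' comment lines).
ACCOUNT_LDIF = """\
dn: uid=4000005,ou=accounts,ou=lbaas,ou=services,dc=stoney-cloud,dc=org
uid: 4000005
description: www.example.com (sst-int-001, sst-int-002)
sstIsActive: TRUE
sstLBaaSFrontendURI: https://www.example.com/
sstLBaaSBackendURI: https://sst-int-001.os.stoney-cloud.com/
sstLBaaSBackendURI: https://sst-int-002.os.stoney-cloud.com/
sstLBaaSHost: haproxy-001.os.stoney-cloud.com
sstBelongsToResellerUID: 4000000
sstBelongsToCustomerUID: 4000001
# one service UID per backend host, in the order of the sstLBaaSBackendURI values
sstBelongsToServiceUID: 4000003
sstBelongsToServiceUID: 4000004
"""
RESELLER_LDIF = """\
dn: uid=4000000,ou=reseller,ou=configuration,ou=lbaas,ou=services,dc=stoney-cloud,dc=org
objectclass: sstReseller
uid: 4000000
organizationName: Reseller Ltd.
sstIsCompany: TRUE
"""
UID_RE = re.compile(r"^\d{7,}$")  # "a unique integer value with 7 digits or more"


def parse_ldif(text):
    """Parse one LDIF entry into {attribute (lower-cased): [values]}; '#' lines are comments.
    Base64 ('::') and folded continuation lines are not needed for these entries."""
    entry = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            name, _, value = line.partition(":")
            entry.setdefault(name.strip().lower(), []).append(value.strip())
    return entry


def validate_reseller(entry):
    """Legend rule x1: organizationName if sstIsCompany is TRUE, else givenName and surname."""
    if entry.get("sstiscompany") == ["TRUE"]:
        return [] if "organizationname" in entry else ["sstIsCompany is TRUE but organizationName is missing"]
    return [] if all(a in entry for a in ("givenname", "surname")) else ["private person needs givenName and surname"]


def validate_lbaas_account(entry):
    """Return the list of convention violations; an empty list means the entry is consistent."""
    errors = []
    uid = entry.get("uid", [""])[0]
    if not UID_RE.match(uid):
        errors.append(f"uid {uid!r} is not an integer with 7 or more digits")
    if not entry.get("dn", [""])[0].startswith(f"uid={uid},ou=accounts,ou=lbaas,"):
        errors.append("dn is not uid=<uid>,ou=accounts,ou=lbaas,...")
    if entry.get("sstisactive", ["TRUE"])[0] not in ("TRUE", "FALSE"):
        errors.append("sstIsActive must be TRUE or FALSE")
    for attr in ("sstlbaasfrontenduri", "sstlbaasbackenduri"):
        for uri in entry.get(attr, []):
            parts = urlsplit(uri)  # assumption: frontends and backends are https URIs with a host
            if parts.scheme != "https" or not parts.hostname:
                errors.append(f"{attr} value {uri!r} is not an https URI with a host")
    backends, services = entry.get("sstlbaasbackenduri", []), entry.get("sstbelongstoserviceuid", [])
    if len(backends) != len(services):
        errors.append(f"{len(backends)} sstLBaaSBackendURI values but {len(services)} sstBelongsToServiceUID values")
    for attr in ("sstbelongstoreselleruid", "sstbelongstocustomeruid", "sstbelongstoserviceuid"):
        errors += [f"{attr} value {v!r} is not a UID with 7 or more digits"
                   for v in entry.get(attr, []) if not UID_RE.match(v)]
    return errors
```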
Load Balancer as a Service (LBaaS) - Account example (with pam_ldap attributes, currently neither used nor implemented)
The following example shows the OpenLDAP directory entry for the Load Balancer as a Service (LBaaS) account with the uid number 3730083:
```ldif
dn: uid=3730083,ou=accounts,ou=lbaas,ou=services,dc=stoney-cloud,dc=org
objectclass: top
objectclass: account
objectclass: posixAccount
objectclass: shadowAccount
objectclass: sstLBaaS
objectclass: sstProvisioning
objectclass: sstRelationship
uid: 3730083
userPassword: {SSHA}E/KLUgeAtApAPQ7mG2GMddCxTE9m9QOS
uidNumber: 3730083
gidNumber: 3730083
cn: 3730083
# This appears in the 'getent passwd' output. Company name and the main fully qualified domain name (FQDN).
gecos: Example Ltd. (www.example.com)
homeDirectory: /home/3730083
loginShell: /bin/false
shadowFlag: 134539460
shadowLastChange: 11108
shadowMax: 99999
shadowWarning: 7
sstIsActive: TRUE
# Uniform Resource Identifier with optional label.
sstLBaaSFrontendURI: https://www.example.com/
sstLBaaSFrontendURI: https://example.com/
sstLBaaSFrontendURI: https://api.example.com/
# Uniform Resource Identifier with optional label.
sstLBaaSBackendURI: https://sst-int-001.os.stoney-cloud.com/
sstLBaaSBackendURI: https://sst-int-002.os.stoney-cloud.com/
# Fully qualified domain name (FQDN).
sstLBaaSHost: haproxy-001.os.stoney-cloud.com
sstLBaaSHost: haproxy-002.os.stoney-cloud.com
sstProvisioningMode: add
sstProvisioningExecutionDate: 0
sstProvisioningState: 0
sstBelongsToResellerUID: 4000000
sstBelongsToCustomerUID: 4000001
# The service belongs to the backend host defined in the variable sstLBaaSBackendURI (https://sst-int-001.os.stoney-cloud.com/).
sstBelongsToServiceUID: 4000003
# The service belongs to the backend host defined in the variable sstLBaaSBackendURI (https://sst-int-002.os.stoney-cloud.com/).
sstBelongsToServiceUID: 4000004
```
The LDIF above can be queried via the CLI command `getent passwd`:

```sh
getent passwd 3730083
```

This will result in the following output:

```text
.----------------------------------------------------------------------- login name
|       .--------------------------------------------------------------- encrypted password indicator
|       | .------------------------------------------------------------- numerical user ID
|       | |       .----------------------------------------------------- numerical group ID
|       | |       |       .--------------------------------------------- gecos field (the typical format is a comma-delimited list)
|       | |       |       |                              .-------------- user home directory
|       | |       |       |                              |             .- user command interpreter
|       | |       |       |                              |             |
3730083:x:3730083:3730083:Example Ltd. (www.example.com):/home/3730083:/bin/false
```
The following table describes the different attributes:
Attribute | Objectclass | Existence | Mandatory | Description
---|---|---|---|---
uid | account | | | The unique identifier (uid). This attribute is created by the Self-Service interface by reading (and incrementing) the next free uid from `cn=nextfreeuid,ou=administration,dc=stoney-cloud,dc=org`.
userPassword | posixAccount | | | Identifies the entry's password and encryption method in the following format: `{encryption method}encrypted password`. For example: `{SSHA}E/KLUgeAtApAPQ7mG2GMddCxTE9m9QOS`.
uidNumber | posixAccount | | | Related to the /etc/shadow file, this attribute specifies the user's login ID. Has the same value as the uid. For example: `3730083`.
gidNumber | posixAccount | | | Group ID number. Has the same value as the uid. For example: `3730083`.
cn | posixAccount | | | As we don't use this attribute (but the attribute is mandatory), we set this to the uid value. For example: `3730083`.
gecos | posixAccount | | | Named for historical reasons, the GECOS field is mandatory and is used to store extra information (such as the user's full name). Utilities such as finger or getent access this field to provide additional user information. For a personal account, this entry would consist of givenName and surname, for example Michael Eichenberger. These values are taken from the owner's entry (ou=people). For a service account, the attribute sstDisplayName from the corresponding service would be used for the content of this attribute. Please be aware that this attribute is an IA5String (OID 1.3.6.1.4.1.1466.115.121.1.26), i.e. the IA5 (almost ASCII) 7-bit character set; it does NOT allow extended characters such as é, Ø, å. The Self-Service interface automatically creates the content of this attribute. It consists of the uid and the domain stoney-wiki.com, for example 3730083.stoney-wiki.com. Alternatively you can use the company name and the main fully qualified domain name (FQDN), which then appears in the 'getent passwd' output. For example: `Example Ltd. (www.example.com)`.
homeDirectory | posixAccount | | | The directory path corresponds with the 7 digit account uid. The following example shows the home directory of the account with the uid 3730083: `/home/3730083`.
loginShell | posixAccount | | | The path to the login shell. The default is `/bin/false` and must not be changed.
shadowFlag | shadowAccount | | | Related to the /etc/shadow file, this attribute is currently not used and is reserved for future use. The default is set to `134539460`.
shadowLastChange | shadowAccount | | | Related to the /etc/shadow file, this attribute specifies the number of days between January 1, 1970, and the date that the password was last modified. Must be set to the day the password was set (and must be updated when the password is changed). To create this value, you can use:
shadowMax | shadowAccount | | | Related to the /etc/shadow file, this attribute specifies the maximum number of days the password is valid. The default is `99999`, which corresponds to about 273 years. In reality, this means that the user does not need to change the password.
shadowWarning | shadowAccount | | | Related to the /etc/shadow file, this attribute specifies the number of days before the password expires that the user is warned. The default is `7`.
sstIsActive | sstRelationship | | | Is the Load Balancer as a Service (LBaaS) account active? Either TRUE (yes) or FALSE (no). Default is TRUE (yes).
sstLBaaSFrontendURI | sstLBaaS | | | This multi-valued attribute stores one or more Load Balancer as a Service (LBaaS) frontend servers in the form of a Uniform Resource Identifier with optional label. Some examples: `https://www.example.com/`, `https://example.com/`, `https://api.example.com/`.
sstLBaaSBackendURI | sstLBaaS | | | This multi-valued attribute stores one or more Load Balancer as a Service (LBaaS) backend servers in the form of a Uniform Resource Identifier with optional label. Some examples: `https://sst-int-001.os.stoney-cloud.com/`, `https://sst-int-002.os.stoney-cloud.com/`.
sstLBaaSHost | sstLBaaS | | | This multi-valued attribute stores one or more Load Balancer as a Service (LBaaS) servers in the form of a fully qualified domain name. Some examples: `haproxy-001.os.stoney-cloud.com`, `haproxy-002.os.stoney-cloud.com`.
sstProvisioningMode | sstProvisioning | | | The provisioning mode, either `add`, `modify` or `delete`. For a new account, this attribute must be set to `add`. See Provisioning for details.
sstProvisioningExecutionDate | sstProvisioning | | | The date the provisioning shall occur in the form of [YYYY][MM][DD] (ISO 8601). For a new account, this attribute must be set to `0`. See Provisioning for details.
sstProvisioningReturnValue | sstProvisioning | | | The provisioning return value written by the prov-wiki-mediawiki daemon. 0 means success, >0 means failure. See the prov-wiki-mediawiki Exit Codes for detailed information.
sstProvisioningState | sstProvisioning | | | The provisioning state, either `0` or in the form of [YYYY][MM][DD]T[hh][mm][ss] (ISO 8601). For a new account, this attribute must be set to `0`. See Provisioning for details.
sstBelongsToResellerUID | sstRelationship | | | Stores the reseller UID the leaf belongs to.
sstBelongsToCustomerUID | sstRelationship | | | Stores the customer UID the leaf belongs to.
sstBelongsToServiceUID | sstRelationship | | | Stores the service UID(s) this entry belongs to. The service belongs to the backend host(s) defined in the variable(s) (sstLBaaSBackendURI). This multi-valued attribute can point to multiple services (one or more LBaaS backends).
Legend:
- x: Mandatory in all cases.
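Added example (not code from the stoney cloud project): consistency checks for the pam_ldap attributes described in the table above (uidNumber, gidNumber and cn equal to the uid, homeDirectory `/home/<uid>`, loginShell `/bin/false`, a 7-bit gecos value, and the provisioning fields of a new account), together with the computation of shadowLastChange as days since 1970-01-01. The entry is passed as an already parsed dictionary (lower-cased attribute names, each value a list); the sample entry is constructed from the LDIF above.

```python
from datetime import date

# Constructed sample, mirroring the posixAccount/shadowAccount values of the LDIF above
# (attribute names lower-cased, every value as a list, as an LDIF parser would return them).
ACCOUNT = {
    "uid": ["3730083"], "uidnumber": ["3730083"], "gidnumber": ["3730083"],
    "cn": ["3730083"], "gecos": ["Example Ltd. (www.example.com)"],
    "homedirectory": ["/home/3730083"], "loginshell": ["/bin/false"],
    "shadowlastchange": ["11108"], "shadowmax": ["99999"], "shadowwarning": ["7"],
    "sstprovisioningmode": ["add"], "sstprovisioningexecutiondate": ["0"],
    "sstprovisioningstate": ["0"],
}


def shadow_last_change(password_set_on):
    """shadowLastChange: days between 1970-01-01 and the day the password was set.
    Accepts a date or an ISO 8601 date string such as '2000-05-31'."""
    if isinstance(password_set_on, str):
        password_set_on = date.fromisoformat(password_set_on)
    return (password_set_on - date(1970, 1, 1)).days


def gecos_is_ia5(value):
    """gecos has IA5String syntax (7-bit): extended characters such as é, Ø, å are rejected."""
    return all(ord(ch) < 128 for ch in value)


def check_posix_attributes(entry):
    """Return the conventions from the table above that the entry violates (empty list = consistent)."""
    def one(attr):
        return entry.get(attr, [None])[0]

    errors = []
    uid = one("uid")
    for attr in ("uidnumber", "gidnumber", "cn"):  # all three carry the account uid
        if one(attr) != uid:
            errors.append(f"{attr} ({one(attr)}) does not equal uid ({uid})")
    if one("homedirectory") != f"/home/{uid}":
        errors.append(f"homeDirectory must be /home/{uid}")
    if one("loginshell") != "/bin/false":
        errors.append("loginShell must be /bin/false")
    if not gecos_is_ia5(one("gecos") or ""):
        errors.append("gecos contains characters outside the 7-bit IA5 set")
    # a password cannot have been set on a day that has not happened yet
    if one("shadowlastchange") and int(one("shadowlastchange")) > shadow_last_change(date.today()):
        errors.append("shadowLastChange lies in the future")
    mode = one("sstprovisioningmode")
    if mode not in ("add", "modify", "delete"):
        errors.append(f"sstProvisioningMode {mode!r} is not add, modify or delete")
    if mode == "add":  # a new account starts with execution date and state 0
        for attr in ("sstprovisioningexecutiondate", "sstprovisioningstate"):
            if one(attr) != "0":
                errors.append(f"{attr} must be 0 for a new account")
    return errors
```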
Load Balancer as a Service (LBaaS) - Groups
The sub tree for the groups of the Load Balancer as a Service (LBaaS):

```ldif
dn: ou=groups,ou=lbaas,ou=services,dc=stoney-cloud,dc=org
objectclass: top
objectclass: organizationalUnit
ou: groups
description: The sub tree for the groups of the Load Balancer as a Service (LBaaS).
```
The following table describes the different attributes:
Attribute | Objectclass | Existence | Mandatory | Description
---|---|---|---|---
ou | organizationalUnit | | | The name of the leaf. In this case: `groups`.
description | organizationalUnit | | | The description of the leaf. In this case: `The sub tree for the groups of the Load Balancer as a Service (LBaaS).`
Legend:
- x: Mandatory in all cases.
Load Balancer as a Service (LBaaS) - Group example (with pam_ldap attributes, currently neither used nor implemented)
The following example shows the OpenLDAP directory entry for the Load Balancer as a Service (LBaaS) group with the uid number 3730083:
```ldif
dn: cn=3730083,ou=groups,ou=lbaas,ou=services,dc=stoney-cloud,dc=org
objectclass: top
objectclass: posixGroup
objectclass: sstRelationship
cn: 3730083
gidNumber: 3730083
sstBelongsToResellerUID: 4000000
sstBelongsToCustomerUID: 4000001
# The service belongs to the backend host defined in the variable sstLBaaSBackendURI (https://sst-int-001.os.stoney-cloud.com/).
sstBelongsToServiceUID: 4000003
# The service belongs to the backend host defined in the variable sstLBaaSBackendURI (https://sst-int-002.os.stoney-cloud.com/).
sstBelongsToServiceUID: 4000004
```
The following table describes the different attributes:
Attribute | Objectclass | Existence | Mandatory | Description
---|---|---|---|---
cn | posixGroup | | | As we don't use this attribute (but the attribute is mandatory and is part of the dn), we set this to the uid value. For example: `3730083`.
gidNumber | posixGroup | | | The numerical group ID of the Load Balancer as a Service (LBaaS) group. For example: `3730083`.
sstBelongsToResellerUID | sstRelationship | | | Stores the reseller UID the leaf belongs to.
sstBelongsToCustomerUID | sstRelationship | | | Stores the customer UID the leaf belongs to.
sstBelongsToServiceUID | sstRelationship | | | Stores the service UID(s) this entry belongs to. The service belongs to the backend host(s) defined in the variable(s) (sstLBaaSBackendURI). This multi-valued attribute can point to multiple services (one or more LBaaS backends).
Legend:
- x: Mandatory in all cases.