
LDAP Structure

sc250024 edited this page Jul 16, 2016 · 2 revisions

Introduction

This article describes the LDAP layout the script expects, to help you set up your own directory. The script was written against a test LDAP database with a structure similar to the one described below.

Base Structure

The script assumes you have something like the following DNs underneath your base DN:

  • dc=company,dc=com
    • o=Company
      • ou=Groups
      • ou=Users
      • ou=Networks

Groups

ou=Groups contains one entry per group, each with the objectClass groupOfUniqueNames. Each group should also carry the auxiliary objectClass extensibleObject: that is what lets the entry hold accessTo without a custom schema, but it also means the server will accept any attribute name, including a misspelled one, so check exports for typos. Members are listed with uniqueMember, and the network objects granted to those members are listed with accessTo. Because these attributes turn directly into firewall rules, write access to ou=Groups should be restricted as tightly as access to the firewall itself.

Here is an example LDIF export:

dn: cn=Developers,ou=Groups,o=Company,dc=company,dc=com
objectClass: extensibleObject
objectClass: top
objectClass: groupOfUniqueNames
cn: Developers
accessTo: cn=RDS_Database1,ou=IPv4,ou=Networks,o=Company,dc=company,dc=com
accessTo: cn=VPC_QA-Subnet,ou=IPv4,ou=Networks,o=Company,dc=company,dc=com
accessTo: cn=EC2_instance1,ou=IPv4,ou=Networks,o=Company,dc=company,dc=com
uniqueMember: uid=developer1,ou=Users,o=Company,dc=company,dc=com
uniqueMember: uid=developer2,ou=Users,o=Company,dc=company,dc=com

Users

ou=Users contains the user entries, normally identified by uid (the RDN attribute can differ in your directory). The PHP connect script also checks whether the user's own entry carries accessTo values. These exist to give a user access to something that does not fit into any group definition, on top of whatever the user's groups grant; like the group attributes, they should only be writable by firewall administrators.

Here is an example LDIF export:

dn: uid=example.user,ou=Users,o=Company,dc=company,dc=com
objectClass: extensibleObject
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
cn: Example User
sn: User
accessTo: cn=VPC_Admin-Subnet,ou=IPv4,ou=Networks,o=Company,dc=company,dc=com
accessTo: cn=RDS_Database2,ou=IPv4,ou=Networks,o=Company,dc=company,dc=com
givenName: Example
mail: example.user@company.com
uid: example.user

Networks

This part of the directory holds the most important data: the definitions of the instances and subnets that access can be granted to. The example structure has two containers beneath ou=Networks, one for IPv4 entries and one for IPv6 entries:

  • ou=Networks
    • ou=IPv4
    • ou=IPv6

Network entry that grants access to all ports / protocols

Each entry beneath ou=IPv4 and ou=IPv6 should have the objectClass ipNetwork. ipNetworkNumber can be either an IP address or a DNS name, and ipNetmaskNumber should be a CIDR prefix length (for example 32 for a single host), not a dotted netmask. If you use a DNS name, it is resolved when the rules are built or loaded, not per packet, so whoever controls that DNS answer controls where the rule points; prefer literal addresses for anything sensitive.

Here is an example LDIF export of an individual instance:

dn: cn=EC2_instance1,ou=IPv4,ou=Networks,o=Company,dc=company,dc=com
objectClass: top
objectClass: ipNetwork
cn: EC2_instance1
ipNetworkNumber: 10.0.0.10
ipNetmaskNumber: 32

Here is an example LDIF export of an entire subnet:

dn: cn=VPC_QA-Subnet,ou=IPv4,ou=Networks,o=Company,dc=company,dc=com
objectClass: top
objectClass: ipNetwork
cn: VPC_QA-Subnet
ipNetworkNumber: 10.20.0.0
ipNetmaskNumber: 27

With entries like these (an ipNetwork entry and no child entries) the script grants access on all ports and all protocols.

Network entry that grants access to specific ports / protocols

If you want to grant access to a resource only on certain ports or protocols, the PHP script accounts for that too. Create an entry with objectClass ipService beneath the resource entry and set ipServicePort and ipServiceProtocol; the script turns each such child into a port- and protocol-specific iptables rule. Once a resource has at least one ipService child, only those port/protocol pairs are allowed; the all-ports default applies only to entries with no children.

Here is an example LDIF export of an individual DNS instance, and its subentries, where access is only granted to TCP/53 and UDP/53:

dn: cn=EC2_DNS-Server,ou=IPv4,ou=Networks,o=Company,dc=company,dc=com
objectClass: top
objectClass: ipNetwork
cn: EC2_DNS-Server
ipNetworkNumber: 10.30.0.10
ipNetmaskNumber: 32

dn: cn=TCP/53,cn=EC2_DNS-Server,ou=IPv4,ou=Networks,o=Company,dc=company,dc=com
objectClass: top
objectClass: ipService
cn: TCP/53
ipServicePort: 53
ipServiceProtocol: tcp

dn: cn=UDP/53,cn=EC2_DNS-Server,ou=IPv4,ou=Networks,o=Company,dc=company,dc=com
objectClass: top
objectClass: ipService
cn: UDP/53
ipServicePort: 53
ipServiceProtocol: udp
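To make the Groups, Users and Networks sections above concrete, here is an added example in Python of how the layout is consumed: it resolves one user's effective accessTo set (the user's own entry plus every group that lists them) and turns the ipNetwork and ipService entries into iptables rules. This is not the project's PHP script. The LDIF it parses is constructed sample data in the layout above, and the chain name LDAP_ACCESS, the exact rule format and the use of ou=IPv6 in the DN to choose ip6tables are this example's own assumptions.

```python
# Added example, not the project's PHP script. SAMPLE_LDIF is constructed
# sample data laid out as the wiki describes. The chain name LDAP_ACCESS and
# the rule format are this example's assumptions.
import ipaddress

SAMPLE_LDIF = """\
dn: cn=Developers,ou=Groups,o=Company,dc=company,dc=com
objectClass: groupOfUniqueNames
objectClass: extensibleObject
accessTo: cn=VPC_QA-Subnet,ou=IPv4,ou=Networks,o=Company,dc=company,dc=com
uniqueMember: uid=developer1,ou=Users,o=Company,dc=company,dc=com

dn: uid=developer1,ou=Users,o=Company,dc=company,dc=com
objectClass: inetOrgPerson
objectClass: extensibleObject
uid: developer1
accessTo: cn=EC2_DNS-Server,ou=IPv4,ou=Networks,o=Company,dc=company,dc=com

dn: cn=VPC_QA-Subnet,ou=IPv4,ou=Networks,o=Company,dc=company,dc=com
objectClass: ipNetwork
ipNetworkNumber: 10.20.0.0
ipNetmaskNumber: 27

dn: cn=EC2_DNS-Server,ou=IPv4,ou=Networks,o=Company,dc=company,dc=com
objectClass: ipNetwork
ipNetworkNumber: 10.30.0.10
ipNetmaskNumber: 32

dn: cn=TCP/53,cn=EC2_DNS-Server,ou=IPv4,ou=Networks,o=Company,dc=company,dc=com
objectClass: ipService
ipServicePort: 53
ipServiceProtocol: tcp

dn: cn=UDP/53,cn=EC2_DNS-Server,ou=IPv4,ou=Networks,o=Company,dc=company,dc=com
objectClass: ipService
ipServicePort: 53
ipServiceProtocol: udp
"""

def parse_ldif(text):
    """Minimal LDIF reader -> {dn.lower(): {attr.lower(): [values]}}. Blank-line
    separated entries only (no '::' base64, no folding); lowercasing the DN is
    a crude stand-in for LDAP's case-insensitive DN matching."""
    entries = {}
    for record in text.strip().split("\n\n"):
        attrs = {}
        for line in record.splitlines():
            name, _, value = line.partition(":")
            attrs.setdefault(name.strip().lower(), []).append(value.strip())
        entries[attrs.pop("dn")[0].lower()] = attrs
    return entries

def classes(attrs):
    return {c.lower() for c in attrs.get("objectclass", [])}

def effective_access(entries, user_dn):
    """User's own accessTo plus the accessTo of every group listing the user."""
    user_dn = user_dn.lower()
    targets = {t.lower() for t in entries[user_dn].get("accessto", [])}
    for attrs in entries.values():
        members = {m.lower() for m in attrs.get("uniquemember", [])}
        if "groupofuniquenames" in classes(attrs) and user_dn in members:
            targets |= {t.lower() for t in attrs.get("accessto", [])}
    return targets

def destination(address, prefix):
    """IP literal + CIDR prefix -> validated 'addr/len'. A DNS name is passed
    through; iptables resolves it once at rule-load time, so DNS then sits
    inside the trust boundary of the firewall policy."""
    try:
        ipaddress.ip_address(address)
    except ValueError:
        if not address.replace("-", "").replace(".", "").isalnum():
            raise ValueError(f"bad ipNetworkNumber: {address!r}")
        return address
    return str(ipaddress.ip_network(f"{address}/{prefix}", strict=False))

def iptables_rules(entries, targets, chain="LDAP_ACCESS"):
    """One ACCEPT per target (all ports) or one per ipService child; a target
    that is not an ipNetwork entry raises, so a bad reference fails closed."""
    rules = []
    for net_dn in sorted(targets):
        net = entries.get(net_dn, {})
        if "ipnetwork" not in classes(net):
            raise ValueError(f"accessTo target is not an ipNetwork entry: {net_dn}")
        tool = "ip6tables" if ",ou=ipv6," in net_dn else "iptables"  # family from the ou
        dest = destination(net["ipnetworknumber"][0], net["ipnetmasknumber"][0])
        services = [a for dn, a in entries.items()
                    if dn.endswith("," + net_dn) and "ipservice" in classes(a)]
        if not services:
            rules.append(f"{tool} -A {chain} -d {dest} -j ACCEPT")
        for svc in services:
            proto, port = svc["ipserviceprotocol"][0].lower(), int(svc["ipserviceport"][0])
            rules.append(f"{tool} -A {chain} -d {dest} -p {proto} --dport {port} -j ACCEPT")
    return rules

if __name__ == "__main__":
    directory = parse_ldif(SAMPLE_LDIF)
    user = "uid=developer1,ou=Users,o=Company,dc=company,dc=com"
    print("\n".join(iptables_rules(directory, effective_access(directory, user))))
```

Running it prints three ACCEPT rules for developer1: TCP/53 and UDP/53 to the DNS server from the user's own accessTo, and all ports to the QA subnet via the Developers group. Two design choices are worth copying into any real generator: an accessTo value that does not point at an ipNetwork entry raises instead of being skipped (fail closed), and ipNetmaskNumber is validated as a CIDR prefix before it reaches the rule.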