generated from coulomb/repo-seed
feat: implement T01-T04 — Go module, canonical model, LDAP validator, error taxonomy
- T01: Go module (keycape), full directory skeleton, Makefile, CI workflow - T02: spec/canonical-model.yaml with 6 entities + Go domain types - T03: spec/ldap-schema.yaml + validator binary with structural/semantic rules - T04: Error taxonomy — 4 stable error types, JSON format, HTTP helpers 28 tests pass, go vet clean, go build clean. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
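--- a/spec/ldap-schema.yaml
+++ b/spec/ldap-schema.yaml
@@ -0,0 +1,91 @@
+version: "0.1"
+description: >
+  Canonical LDAP Schema for KeyCape / NetKingdom IAM Profile.
+  Expresses the canonical identity model in LDAP terms.
+  Portable across LLDAP, OpenLDAP, 389DS, and Active Directory.
+
+base_dn: "dc=netkingdom,dc=local"
+
+organization_units:
+  users:
+    dn: "ou=users,dc=netkingdom,dc=local"
+    description: "User accounts"
+    object_classes:
+      required:
+        - inetOrgPerson
+        - organizationalPerson
+        - person
+        - top
+    attributes:
+      required:
+        - uid # canonical: username
+        - cn # canonical: displayName
+        - sn # canonical: surname (may be set to displayName if absent)
+      optional:
+        - mail # canonical: email
+        - memberOf # back-reference to group membership
+      forbidden: []
+    naming_attr: uid
+    examples:
+      - dn: "uid=alice,ou=users,dc=netkingdom,dc=local"
+        uid: alice
+        cn: "Alice Example"
+        sn: Example
+        mail: alice@example.com
+
+  groups:
+    dn: "ou=groups,dc=netkingdom,dc=local"
+    description: "User groups"
+    object_classes:
+      required:
+        - groupOfNames
+        - top
+    attributes:
+      required:
+        - cn # canonical: name
+        - member # list of member DNs
+      optional:
+        - description
+      forbidden: []
+    naming_attr: cn
+    examples:
+      - dn: "cn=admins,ou=groups,dc=netkingdom,dc=local"
+        cn: admins
+        member:
+          - "uid=alice,ou=users,dc=netkingdom,dc=local"
+
+  clients:
+    dn: "ou=clients,dc=netkingdom,dc=local"
+    description: "OIDC client registrations"
+    object_classes:
+      required:
+        - inetOrgPerson
+        - top
+    attributes:
+      required:
+        - uid # canonical: clientId
+        - cn # canonical: displayName
+      optional:
+        - description
+      forbidden: []
+    naming_attr: uid
+
+validation_rules:
+  structural:
+    - name: valid_dn_structure
+      description: "All DNs must conform to the base_dn and OU layout above."
+    - name: required_attributes_present
+      description: "Every entry must carry all required attributes for its OU."
+    - name: no_unknown_attributes
+      description: "No attributes outside the allowed set may appear."
+    - name: valid_group_memberships
+      description: "All member values must be non-empty valid DNs."
+  semantic:
+    - name: referenced_users_exist
+      description: "Every user ID referenced in group members must exist."
+    - name: no_cyclic_groups
+      description: "Groups may not contain other group IDs as members."
+    - name: usernames_unique
+      description: "The uid attribute must be unique across ou=users."
+    - name: email_format_valid
+      description: "mail, when present, must be a valid RFC 5322 address."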