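---
# Canonical LDAP schema for the KeyCape / NetKingdom IAM profile.
#
# Each OU declares the object classes an entry must carry, the attributes it
# may carry (with the canonical identity-model field each maps to), and the
# attribute used as the RDN. The validation_rules section lists the checks a
# validator is expected to run against entries under base_dn.
#
# Every *.required list below spells out the full structural object-class
# chain (inetOrgPerson -> organizationalPerson -> person -> top) so that a
# validator comparing objectClass values does not depend on the server
# expanding superclasses.
version: "0.1"
description: >
  Canonical LDAP Schema for KeyCape / NetKingdom IAM Profile.
  Expresses the canonical identity model in LDAP terms.
  Portable across LLDAP, OpenLDAP, 389DS, and Active Directory.

base_dn: "dc=netkingdom,dc=local"

organization_units:
  users:
    dn: "ou=users,dc=netkingdom,dc=local"
    description: "User accounts"
    object_classes:
      required:
        - inetOrgPerson
        - organizationalPerson
        - person
        - top
    attributes:
      required:
        - uid  # canonical: username
        - cn  # canonical: displayName
        - sn  # canonical: surname (may be set to displayName if absent); person (RFC 4519) MUST sn
      optional:
        - mail  # canonical: email
        # Back-reference to group membership. On AD, 389DS (memberOf plugin)
        # and OpenLDAP (memberof overlay) this is server-maintained: read it,
        # never write it, and treat the `member` attribute on the group entry
        # as the source of truth.
        - memberOf
      # Explicit empty list: a bare `forbidden:` would parse as null, not [].
      forbidden: []
    naming_attr: uid
    examples:
      - dn: "uid=alice,ou=users,dc=netkingdom,dc=local"
        uid: alice
        cn: "Alice Example"
        sn: Example
        mail: "alice@example.com"

  groups:
    dn: "ou=groups,dc=netkingdom,dc=local"
    description: "User groups"
    object_classes:
      required:
        - groupOfNames
        - top
    attributes:
      required:
        - cn  # canonical: name
        # List of member DNs. groupOfNames (RFC 4519) MUST member, so an
        # empty group cannot be represented on strict servers; the
        # valid_group_memberships rule below additionally rejects empty values.
        - member
      optional:
        - description
      forbidden: []
    naming_attr: cn
    examples:
      - dn: "cn=admins,ou=groups,dc=netkingdom,dc=local"
        cn: admins
        member:
          - "uid=alice,ou=users,dc=netkingdom,dc=local"

  clients:
    dn: "ou=clients,dc=netkingdom,dc=local"
    description: "OIDC client registrations"
    # Clients reuse the same structural classes as users, so the only thing
    # that distinguishes a client entry from a user account is its OU; the
    # valid_dn_structure rule is what enforces that separation.
    object_classes:
      required:
        - inetOrgPerson
        - organizationalPerson
        - person
        - top
    attributes:
      required:
        - uid  # canonical: clientId
        - cn  # canonical: displayName
        # person (RFC 4519) MUST sn, so OpenLDAP/389DS/AD reject an
        # inetOrgPerson entry without it; without this line every client
        # entry would trip no_unknown_attributes. Set to displayName if absent.
        - sn
      optional:
        - description
      forbidden: []
    # NOTE(review): no credential attribute is modelled for clients here —
    # confirm client secrets are held outside the directory.
    naming_attr: uid

validation_rules:
  structural:
    - name: valid_dn_structure
      description: "All DNs must conform to the base_dn and OU layout above."
    - name: required_attributes_present
      description: "Every entry must carry all required attributes for its OU."
    - name: no_unknown_attributes
      description: "No attributes outside the allowed set may appear."
    - name: valid_group_memberships
      description: "All member values must be non-empty valid DNs."
  semantic:
    - name: referenced_users_exist
      description: "Every user ID referenced in group members must exist."
    # The description forbids nested groups outright, which is stricter than
    # the name suggests (it also rules out acyclic nesting).
    - name: no_cyclic_groups
      description: "Groups may not contain other group IDs as members."
    - name: usernames_unique
      description: "The uid attribute must be unique across ou=users."
    - name: email_format_valid
      description: "mail, when present, must be a valid RFC 5322 address."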