generated from coulomb/repo-seed
- T01: Go module (keycape), full directory skeleton, Makefile, CI workflow - T02: spec/canonical-model.yaml with 6 entities + Go domain types - T03: spec/ldap-schema.yaml + validator binary with structural/semantic rules - T04: Error taxonomy — 4 stable error types, JSON format, HTTP helpers 28 tests pass, go vet clean, go build clean. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
# Canonical LDAP schema for the KeyCape / NetKingdom IAM profile.
#
# Each organization unit below declares the object classes and attributes an
# entry must (or may) carry, the attribute that names the entry (naming_attr)
# and, where given, an example entry. The validation_rules section lists the
# structural and semantic checks the validator applies. Inline "canonical: X"
# notes map an LDAP attribute to the field of the canonical model it carries.
version: "0.1"

# NOTE(review): the portability claim below is not enforced by anything in this
# file. Active Directory's default structural classes and naming attributes for
# users and groups differ from inetOrgPerson/uid and groupOfNames/cn, so an AD
# deployment needs a mapping layer this spec does not describe — confirm before
# relying on the claim.
description: >
  Canonical LDAP Schema for KeyCape / NetKingdom IAM Profile.
  Expresses the canonical identity model in LDAP terms.
  Portable across LLDAP, OpenLDAP, 389DS, and Active Directory.

# Every dn below is spelled out in full against this base; valid_dn_structure
# (validation_rules) requires them to agree.
base_dn: "dc=netkingdom,dc=local"

organization_units:
  # Human user accounts. Entries are named by uid (naming_attr below).
  users:
    dn: "ou=users,dc=netkingdom,dc=local"
    description: "User accounts"
    object_classes:
      # The full inetOrgPerson inheritance chain is spelled out explicitly
      # (inetOrgPerson -> organizationalPerson -> person -> top) so that a
      # validator which does not resolve superior classes still sees it.
      required:
        - inetOrgPerson
        - organizationalPerson
        - person
        - top
    attributes:
      required:
        - uid  # canonical: username
        - cn  # canonical: displayName
        # sn is mandatory for the person class, which is why a fallback value is
        # allowed when the canonical model carries no surname.
        - sn  # canonical: surname (may be set to displayName if absent)
      optional:
        - mail  # canonical: email
        # memberOf is a back-reference derived from ou=groups. NOTE(review): on
        # the servers named in the description it is normally maintained by the
        # server (memberOf overlay/plugin/backlink) rather than written by
        # clients, and it is only populated when that feature is enabled. Treat
        # it as read-only and derive authorization from the `member` lists under
        # ou=groups, which this schema requires — an empty memberOf does not
        # prove that the user is in no group.
        - memberOf  # back-reference to group membership
      # Nothing is explicitly forbidden here; no_unknown_attributes already
      # rejects anything outside required + optional. NOTE(review): a raw LDAP
      # entry also carries objectClass, userPassword and operational attributes
      # — confirm the validator runs on the canonical export view rather than on
      # raw entries, or those would be flagged.
      forbidden: []
    naming_attr: uid
    examples:
      - dn: "uid=alice,ou=users,dc=netkingdom,dc=local"
        uid: alice
        cn: "Alice Example"
        sn: Example
        mail: alice@example.com

  # Groups. Membership is the authorization primitive of this model (e.g. the
  # cn=admins example below), so the member list is the value the semantic
  # rules guard most carefully.
  groups:
    dn: "ou=groups,dc=netkingdom,dc=local"
    description: "User groups"
    object_classes:
      required:
        - groupOfNames
        - top
    attributes:
      required:
        - cn  # canonical: name
        # Each value is the full DN of a member entry (see the example). The
        # standard groupOfNames class makes member mandatory, so a group with no
        # members cannot be stored on a schema-checking server. NOTE(review):
        # confirm how an empty group is represented (placeholder DN or deleted
        # group) and that the validator treats it consistently.
        - member  # list of member DNs
      optional:
        - description
      forbidden: []
    naming_attr: cn
    examples:
      - dn: "cn=admins,ou=groups,dc=netkingdom,dc=local"
        cn: admins
        member:
          - "uid=alice,ou=users,dc=netkingdom,dc=local"

  # OIDC client registrations. NOTE(review): this OU models clients with
  # inetOrgPerson, the same class as human users, but lists only inetOrgPerson
  # and top where ou=users lists the full chain, and it does not require sn even
  # though inetOrgPerson (via person) mandates it — a schema-checking server
  # rejects such an entry unless the provisioner fills sn in. Re-using a
  # person-shaped class also means any consumer that searches from base_dn for
  # (objectClass=inetOrgPerson) or (uid=X) cannot tell a client from a user,
  # and usernames_unique only covers ou=users, so a client whose uid equals a
  # username is not flagged. Consider a distinct object class for clients, or
  # at least scoping consumer searches to ou=users and extending uid uniqueness
  # across both OUs.
  clients:
    dn: "ou=clients,dc=netkingdom,dc=local"
    description: "OIDC client registrations"
    object_classes:
      required:
        - inetOrgPerson
        - top
    attributes:
      required:
        - uid  # canonical: clientId
        - cn  # canonical: displayName
      optional:
        - description
      # No credential attribute is in the allowed set, so no_unknown_attributes
      # rejects client secrets stored on these entries; presumably secrets live
      # in the OIDC provider's own store — confirm.
      forbidden: []
    naming_attr: uid

# Checks applied by the validator. Structural rules look at one entry at a
# time; semantic rules need the whole directory (cross-entry references,
# uniqueness). Rule names are presumably referenced by the validator binary,
# so treat them as stable identifiers.
validation_rules:
  structural:
    - name: valid_dn_structure
      description: "All DNs must conform to the base_dn and OU layout above."
    - name: required_attributes_present
      description: "Every entry must carry all required attributes for its OU."
    - name: no_unknown_attributes
      description: "No attributes outside the allowed set may appear."
    # NOTE(review): "valid DNs" reads as syntactic validity only. Confirm that
    # member values are also checked against base_dn and the OU layout (here or
    # by valid_dn_structure); otherwise a group can point outside the tree this
    # schema controls.
    - name: valid_group_memberships
      description: "All member values must be non-empty valid DNs."
  semantic:
    # The description says "user ID" but member values are DNs (see ou=groups);
    # presumably the validator resolves each member DN to an entry under
    # ou=users. A member DN that resolves into ou=clients is neither a user nor
    # a group — confirm whether it should be rejected here.
    - name: referenced_users_exist
      description: "Every user ID referenced in group members must exist."
    # NOTE(review): the name says "cyclic" but the description forbids any group
    # as a member, i.e. no nesting at all (which makes cycles impossible). That
    # is the safer reading — nested groups are a common way transitive privilege
    # is granted unintentionally — but confirm which semantics the validator
    # implements.
    - name: no_cyclic_groups
      description: "Groups may not contain other group IDs as members."
    # Scoped to ou=users only; uids in ou=clients are not covered (see the note
    # on that OU).
    - name: usernames_unique
      description: "The uid attribute must be unique across ou=users."
    # NOTE(review): this checks syntax only. Nothing in this file requires mail
    # to be unique; if mail is ever used to look up or recover an account, two
    # users sharing an address is a security issue — consider a mail_unique
    # rule alongside usernames_unique.
    - name: email_format_valid
      description: "mail, when present, must be a valid RFC 5322 address."