LDAP Directory Information Tree

This document describes how the debops.sssd Ansible role fits in the LDAP directory structure organized by DebOps.

Directory structure

Object Classes and Attributes

Access Control

The DebOps LDAP environment includes the 'ldapns' schema which can be used to define access control rules for services. The list below defines the attribute values which grant access to the service managed by the debops.sssd role, and the same access control rules are shared by other roles that consume these attributes:

  • objectClass hostObject, attribute host:
    • posix:all (all hosts)
    • posix:hostname.example.org
    • posix:*.example.org
    • posix:urn:<pattern> (see sssd__ldap_posix_urns variable)

LDAP filter definition: sssd__ldap_host_filter

These rules apply to UNIX accounts (passwd database) as well as UNIX groups (group database). UNIX accounts or groups without one of the specified host attribute values will not be present on a given host.
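The following added example (not part of the debops.sssd role or the DebOps documentation) evaluates the host attribute values listed above against a host's FQDN, so that an administrator can check which accounts and groups an LDAP entry set would expose on a given host before the real sssd__ldap_host_filter is applied. The wildcard semantics are those of Python's fnmatch, the POSIX_URNS mapping is a constructed stand-in for the sssd__ldap_posix_urns variable, and the sample entries are constructed; none of these are taken from the role.

```python
import fnmatch

# Constructed stand-in for the DebOps 'sssd__ldap_posix_urns' variable.
# ASSUMPTION: a URN name expands to a list of hostname patterns; the real
# variable's format is defined by the role and is not reproduced here.
POSIX_URNS = {
    "webservers": ["web*.example.org"],
    "internal": ["*.internal.example.org"],
}


def host_value_matches(value, fqdn, posix_urns=POSIX_URNS):
    """Return True if a single 'host' attribute value grants access on fqdn.

    Recognised forms (from the DebOps ldapns conventions):
      posix:all              -> every host
      posix:<fqdn>           -> exact hostname match
      posix:*.example.org    -> wildcard match (fnmatch semantics, an assumption)
      posix:urn:<name>       -> expanded through posix_urns
    Values for other services (for example 'ssh:...') never grant POSIX access.
    """
    prefix = "posix:"
    if not value.startswith(prefix):
        return False
    spec = value[len(prefix):]
    if spec == "all":
        return True
    if spec.startswith("urn:"):
        patterns = posix_urns.get(spec[len("urn:"):], [])
        return any(fnmatch.fnmatchcase(fqdn, p) for p in patterns)
    # Exact hostnames contain no wildcard, so fnmatchcase degrades to equality.
    return fnmatch.fnmatchcase(fqdn, spec)


def entry_allowed(entry, fqdn, posix_urns=POSIX_URNS):
    """Return True if an LDAP entry (attribute -> list of values) is present on fqdn.

    Only entries carrying the hostObject object class are considered, mirroring
    the 'objectClass hostObject, attribute host' rule; an entry without any
    matching host value is filtered out on that host.
    """
    if "hostObject" not in entry.get("objectClass", []):
        return False
    return any(host_value_matches(v, fqdn, posix_urns) for v in entry.get("host", []))


# Constructed sample entries: two accounts, one group, one account lacking hostObject.
SAMPLE_ENTRIES = {
    "uid=alice": {"objectClass": ["posixAccount", "hostObject"],
                  "host": ["posix:all"]},
    "uid=bob": {"objectClass": ["posixAccount", "hostObject"],
                "host": ["posix:web01.example.org"]},
    "uid=carol": {"objectClass": ["posixAccount", "hostObject"],
                  "host": ["posix:urn:webservers", "ssh:all"]},
    "uid=dave": {"objectClass": ["posixAccount"],
                 "host": ["posix:all"]},  # no hostObject: never matched
    "cn=admins": {"objectClass": ["posixGroup", "hostObject"],
                  "host": ["posix:*.example.org"]},
}


def allowed_names(entries, fqdn, posix_urns=POSIX_URNS):
    """Return the sorted names of entries that would appear in passwd/group on fqdn."""
    return sorted(name for name, attrs in entries.items()
                  if entry_allowed(attrs, fqdn, posix_urns))


if __name__ == "__main__":
    for host in ("web01.example.org", "db01.example.org", "host.example.com"):
        print(host, "->", allowed_names(SAMPLE_ENTRIES, host))
```

Note that fnmatch's '*' also matches dots, so 'posix:*.example.org' accepts 'a.b.example.org' in this example; whether the LDAP server or SSSD filter applies the same wildcard semantics must be checked against the generated sssd__ldap_host_filter value rather than assumed from this illustration.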

Child nodes

There are no child nodes defined for the debops.sssd Ansible role.