4. LDAP Data Model¶
Keeto obtains all access permissions and the key material from a central Directory Service. This section describes syntax and semantic of the entities involved and how they relate to each other. Certain attributes can be configured in the Keeto configuration file. Those attributes are of the form <x> where x is referring to the key in the Keeto configuration file.
4.1. SSH Server¶
The SSH server entry is the starting point for the determination of access permissions and key material. It specifies the relevant access profiles that shall be taken into account. Keeto locates the right SSH server entry through a unique identifier that is specified in the Keeto configuration file and must match the identifier within the SSH server entry in the Directory Service.
objectClass: top
objectClass: keetoSSHServer
Attribute | Mandatory | Single-Value | Description |
---|---|---|---|
cn | yes | no | RDN of SSH server entry. |
uid | yes | no | Unique identifier of SSH server. See also: <ldap_ssh_server_uid>. |
keetoAccessProfile | no | no | DN to Keeto access profile. |
description | no | no | SSH server description. |
4.2. Access Profiles¶
Keeto supports two different access profiles. Direct access profiles provide access to one’s own account whereas access on behalf profiles provide access to someone else’s account.
4.2.1. Direct Access Profile¶
A direct access profile specifies references to key providers either directly or through groups that shall be able to login with it’s own account. Each key provider’s UID is checked against the UID of the user about to login. If they match the X.509 certificates of the key provider will be taken into account. Optionally keystore options can be specified that are used for all key providers. A direct access profile can be enabled/disabled.
objectClass: top
objectClass: keetoAccessProfile
objectClass: keetoDirectAccessProfile
Attribute | Mandatory | Single-Value | Description |
---|---|---|---|
cn | yes | no | RDN of direct access profile entry. |
keetoEnabled | yes | yes | Enable/Disable access profile. |
keetoKeyProvider | no | no | DN to Keeto key provider. |
keetoKeyProviderGroup | no | no | DN to Keeto key provider group. |
keetoKeystoreOptions | no | yes | DN to Keeto keystore options. |
description | no | no | Direct access profile description. |
4.2.2. Access On Behalf Profile¶
Access on behalf profiles enable authentication on behalf of someone else. For that the UID of the user about to login is searched in the target keystores which are either directly linked to the profile or through groups. On match all valid keys of all key providers are synced into that target keystore. As with direct access profiles keystore options can be specified optionally and the profile can be enabled/disabled.
objectClass: top
objectClass: keetoAccessProfile
objectClass: keetoAccessOnBehalfProfile
Attribute | Mandatory | Single-Value | Description |
---|---|---|---|
cn | yes | no | RDN of access on behalf profile entry. |
keetoEnabled | yes | yes | Enable/Disable access profile. |
keetoKeyProvider | no | no | DN to Keeto key provider. |
keetoKeyProviderGroup | no | no | DN to Keeto key provider group. |
keetoTargetKeystore | no | no | DN to Keeto target keystore. |
keetoTargetKeystoreGroup | no | no | DN to Keeto target keystore group. |
keetoKeystoreOptions | no | yes | DN to Keeto keystore options. |
description | no | no | Access on behalf profile description. |
4.3. Key Provider¶
A key provider is an entry that provides the key material through X.509 certificate(s). All relevant attributes are specified in the Keeto configuration file to adjust it to different deployments. Key providers are relevant for both direct access profiles and access on behalf profiles.
Attribute | Mandatory | Single-Value | Description |
---|---|---|---|
<ldap_key_provider_uid_attr> | yes | no | UID of key provider. |
<ldap_key_provider_cert_attr> | yes | no | X.509 certificate of user. |
4.4. Target Keystore¶
A target keystore is only relevant for access on behalf profiles. It specifies the accounts that can be used on behalf of the key providers.
Attribute | Mandatory | Single-Value | Description |
---|---|---|---|
<ldap_target_keystore_uid_attr> | yes | no | UID of target keystore. |
4.5. Groups¶
Key providers and target keystores can be linked to an access profile throug groups. For both cases the group member attribute is specified in the Keeto configuration file.
Attribute | Mandatory | Single-Value | Description |
---|---|---|---|
<ldap_key_provider_group_member_attr> / <ldap_target_keystore_group_member_attr> |
yes | no | DN to key provider/target keystore. |
4.6. Keystore Options¶
Keystore options can be optionally specified and linked to access profiles to restrict access with regard to the location a user is connecting from and the space of commands he is allowed to execute.
objectClass: top
objectClass: keetoKeystoreOptions
Attribute | Mandatory | Single-Value | Description |
---|---|---|---|
cn | yes | no | RDN of keystore options entry. |
keetoKeystoreOptionFrom | no | yes | authorized_keys ‘from’ option entry. See also: man sshd. |
keetoKeystoreOptionCommand | no | yes | authorized_keys ‘command’ option entry. See also: man sshd. |
description | no | no | Keystore options description. |