Hello everyone,
In our (non-profit, research) organization we have already been using OpenLDAP for many years, storing people data and DNS records (LDAP-based DNS server).
We are now looking into how we could organize our LDAP DIT in order to store device data (descriptions, MAC addresses, IP Addresses).
The idea is to be able to use the DIT for combined and/or independent user- and device-based authentication throughout the network (e.g. using TACACS or RADIUS pulling data from the LDAP DIT or elsewhere).
Currently we are storing data about devices (IP and MAC addresses) using the phpIPAM and NetDisco open source software, so the data is stored in relational databases (PostgreSQL for NetDisco, MySQL for phpIPAM), yet network-related data is not directly (i.e. integrated in the DB schemas) associated with users (except in descriptions).
In phpIPAM we are organizing our IP Spaces (public and private). NetDisco uses SNMP to scan the network and automatically associate end-devices ("nodes") to switches ("devices") and MAC addresses to IP addresses.
We are currently investigating whether we should:
1. Store device data in the DIT as part of user records. Thus, each user entry would also include info about the devices the user is responsible for, most importantly the IP addresses assigned to them and their MAC addresses. Is this approach considered sane? If so, which Object Class(es) would serve this need?
2. Store data in a separate branch, for example:
dn: cn=devicexxx,ou=Nodes,dc=example,dc=com
objectClass: device
objectClass: ieee802Device
objectClass: radiusprofile
objectClass: simpleSecurityObject
objectClass: top
cn: devicexxx
description: Main Server at Net Lab
l: Main Campus
macAddress: 00:24:8c:3c:xx:xx
ou: tech
owner: cn=TechAdmins,ou=Groups,dc=example,dc=com
radiusArapSecurity: 195.xxx.xxx.1
radiusArapZoneAccess: 255.255.255.128
radiusFramedIPAddress: 195.xxx.xxx.63
radiusHint: 50004
radiusNASIpAddress: 195.xxx.xxx.125
radiusTerminationAction: 33
radiusTunnelMediumType: IEEE-802
radiusTunnelPrivateGroupId: 1
radiusTunnelType: VLAN
userPassword:: ****************
We have successfully tried this approach using FreeRADIUS and Cisco 2960 switches, but I didn't find this solution ideal/intuitive, especially because devices are totally disassociated from users.
It seems more natural to authenticate users based on their personal (LDAP-based) credentials and devices based on their MAC addresses alone.
But of course, I may be wrong...
3. Use a non-LDAP store, e.g. MySQL.
I would be grateful to people here who have already dealt with this issue and would be eager to share their experience.
Any reference(s) to relevant documents regarding the above will be valuable too!
Thanks in advance.
Cheers, Nick
openldap-technical@openldap.org
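Added example, not part of the original post or of OpenLDAP/FreeRADIUS: a small offline audit of the "separate branch" layout from option 2. Whichever option is chosen, a MAC-based RADIUS lookup is only as trustworthy as the device branch it reads from, so before switching authentication over to it, it helps to check that every macAddress under ou=Nodes is well-formed and unique, and that every owner attribute points at an entry that actually exists (the post's own example links a device to a group via owner; here the link goes to a person entry). The LDIF below is constructed; the DNs, MAC addresses and the ou=Nodes base are placeholders, and the parser handles only the attr: value / attr:: base64 forms that appear on the page.

```python
"""Offline sanity checks for a device branch (ou=Nodes) that will back
MAC-based RADIUS authentication.

Added example (not from the original post). SAMPLE_LDIF is constructed;
all DNs, MAC addresses and the branch base are placeholders.
"""
import base64
import re
from collections import defaultdict

NODES_BASE = "ou=Nodes,dc=example,dc=com"  # assumed branch, as in option 2

# Constructed LDIF: one person plus three devices. device002 repeats
# device001's MAC in Cisco dotted notation; device003's owner does not exist.
SAMPLE_LDIF = """\
dn: uid=nick,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
uid: nick
cn: Nick Example

dn: cn=device001,ou=Nodes,dc=example,dc=com
objectClass: device
objectClass: ieee802Device
cn: device001
macAddress: 00:24:8c:3c:aa:01
owner: uid=nick,ou=People,dc=example,dc=com

dn: cn=device002,ou=Nodes,dc=example,dc=com
objectClass: device
objectClass: ieee802Device
cn: device002
macAddress: 0024.8C3C.AA01
owner: uid=nick,ou=People,dc=example,dc=com

dn: cn=device003,ou=Nodes,dc=example,dc=com
objectClass: device
objectClass: ieee802Device
cn: device003
macAddress: 00-24-8c-3c-aa-03
owner: uid=ghost,ou=People,dc=example,dc=com
"""

MAC_HEX = re.compile(r"^[0-9a-f]{12}$")


def parse_ldif(text):
    """Parse LDIF into {dn: {lowercased attribute: [values]}}.

    Handles blank-line separated entries, folded continuation lines
    (leading space) and the 'attr:: base64' form; URL values (':<') are not.
    """
    entries = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = []
        for raw in block.splitlines():
            if raw.startswith(" ") and lines:
                lines[-1] += raw[1:]  # unfold continuation line
            else:
                lines.append(raw)
        attrs = defaultdict(list)
        for line in lines:
            if not line or line.startswith("#"):
                continue
            name, sep, value = line.partition(":")
            if not sep:
                continue
            if value.startswith(":"):  # 'attr:: <base64>'
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            else:
                value = value.strip()
            attrs[name.strip().lower()].append(value)
        dn = attrs.pop("dn", [None])[0]
        if dn:
            entries[dn] = dict(attrs)
    return entries


def normalize_mac(value):
    """Return 'aa:bb:cc:dd:ee:ff' for colon, dash or Cisco dotted input, else None."""
    digits = re.sub(r"[^0-9a-fA-F]", "", value).lower()
    if not MAC_HEX.match(digits):
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def _in_branch(dn, base):
    return dn.lower().endswith("," + base.lower())


def audit_nodes(entries, nodes_base=NODES_BASE):
    """Report duplicate or malformed MACs and owner DNs with no matching entry."""
    known_dns = {dn.lower() for dn in entries}  # DNs compare case-insensitively
    by_mac, bad_macs, dangling = defaultdict(list), [], []
    for dn, attrs in entries.items():
        if not _in_branch(dn, nodes_base):
            continue
        for raw in attrs.get("macaddress", []):
            mac = normalize_mac(raw)
            (by_mac[mac].append(dn) if mac else bad_macs.append((dn, raw)))
        for owner in attrs.get("owner", []):
            if owner.lower() not in known_dns:
                dangling.append((dn, owner))
    duplicates = {mac: dns for mac, dns in by_mac.items() if len(dns) > 1}
    return {"duplicate_macs": duplicates, "dangling_owners": dangling, "bad_macs": bad_macs}


def lookup_by_mac(entries, mac, nodes_base=NODES_BASE):
    """Resolve a MAC as a NAS would send it to (device DN, owner DN) or None."""
    wanted = normalize_mac(mac)
    if wanted is None:
        return None
    for dn, attrs in entries.items():
        if _in_branch(dn, nodes_base) and any(
            normalize_mac(v) == wanted for v in attrs.get("macaddress", [])
        ):
            return dn, attrs.get("owner", [None])[0]
    return None


if __name__ == "__main__":
    report = audit_nodes(parse_ldif(SAMPLE_LDIF))
    for key, value in report.items():
        print(f"{key}: {value}")
```

Running it against the constructed data flags device001/device002 as sharing one MAC once the dotted form is normalized, and device003 as pointing at an owner that does not exist. The same two checks are worth running against a real ldapsearch export of the branch on a schedule, since a duplicate macAddress means a RADIUS lookup by MAC can match the wrong entry and a dangling owner means the user link the post is after has silently broken.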