Currently an LDAP record for a user looks like this:
dn: uid=foo,ou=people,dc=wikimedia,dc=org
sshPublicKey:: [base64-encoded SSH key]
uid: foo
cn: Foo
sn: Foo
loginShell: /bin/bash
userPassword:: [base64-encoded password hash]
homeDirectory: /home/foo
uidNumber: 12345
gidNumber: 500
structuralObjectClass: inetOrgPerson
pwdChangedTime: 20150401152756.248Z
memberOf: [list of group DNs]
objectClass: person
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: ldapPublicKey
objectClass: shadowAccount
objectClass: posixAccount
objectClass: top
objectClass: wikimediaPerson
description: something
mail: foo@bar.org
(In addition there are a number of operational attributes maintained by the server itself, such as createTimestamp, entryUUID, creatorsName, modifiersName, modifyTimestamp and entryCSN.)
Since we want to manage several more attributes per user, we need to
- Figure out which of them are best served by attributes from the core schema that the entries do not use yet (each objectClass above permits optional attributes beyond the ones currently set)
- For the rest, deploy LDAP schema extensions to our LDAP servers
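As an added illustration of the first step (this is example code written for this page, not Wikimedia's own tooling), the script below parses an entry in the form shown above, decodes the base64 (`::`) values, and lists the optional attributes of the standard objectClasses that the entry does not use yet. The sample entry is constructed with placeholder key and hash values, and the per-class attribute table is an assumed subset of the MAY lists from RFC 2307 (posixAccount, shadowAccount) and RFC 2798 (inetOrgPerson); wikimediaPerson and ldapPublicKey are site-specific or third-party schema, so nothing is assumed about them.

```python
"""Parse one LDIF user entry and report unused optional core-schema attributes.

Added example for this page; not Wikimedia's own code. The schema table is a
hand-picked subset of the MAY lists from RFC 2307 and RFC 2798.
"""
import base64
from collections import defaultdict

# Optional (MAY) attributes of the standard classes in the entry. Assumed
# subset; consult the deployed schema (cn=schema,cn=config) for the full lists.
OPTIONAL_ATTRS = {
    "posixAccount": {"userPassword", "loginShell", "gecos", "description"},
    "shadowAccount": {"userPassword", "shadowLastChange", "shadowMin",
                      "shadowMax", "shadowWarning", "shadowInactive",
                      "shadowExpire", "shadowFlag", "description"},
    "inetOrgPerson": {"displayName", "employeeNumber", "employeeType",
                      "givenName", "jpegPhoto", "labeledURI", "mail",
                      "mobile", "preferredLanguage", "userCertificate"},
}

# Placeholder values, constructed for the example; not real credentials.
PLACEHOLDER_KEY = ("ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPlaceholderNotARealKey "
                   "foo@example")
PLACEHOLDER_HASH = "{SSHA}placeholder-hash-not-a-real-credential"


def fold(line, width=76):
    """Fold a long LDIF line the way ldapsearch prints it: continuation
    lines start with a single space."""
    out, rest = [line[:width]], line[width:]
    while rest:
        out.append(" " + rest[:width - 1])
        rest = rest[width - 1:]
    return "\n".join(out)


def b64_value(attr, text):
    """Render 'attr:: <base64>' as LDIF does for non-printable/binary values."""
    return fold(attr + ":: " + base64.b64encode(text.encode()).decode())


SAMPLE_LDIF = "\n".join([
    "dn: uid=foo,ou=people,dc=wikimedia,dc=org",
    b64_value("sshPublicKey", PLACEHOLDER_KEY),
    "uid: foo", "cn: Foo", "sn: Foo", "loginShell: /bin/bash",
    b64_value("userPassword", PLACEHOLDER_HASH),
    "homeDirectory: /home/foo", "uidNumber: 12345", "gidNumber: 500",
    "structuralObjectClass: inetOrgPerson",
    "pwdChangedTime: 20150401152756.248Z",
    "memberOf: cn=project-foo,ou=groups,dc=wikimedia,dc=org",
    "objectClass: person", "objectClass: inetOrgPerson",
    "objectClass: organizationalPerson", "objectClass: ldapPublicKey",
    "objectClass: shadowAccount", "objectClass: posixAccount",
    "objectClass: top", "objectClass: wikimediaPerson",
    "description: something", "mail: foo@bar.org", "",
])


def parse_ldif_entry(text):
    """Return ({attr: [values]}, {attrs that were base64-encoded}).

    Unfolds continuation lines, skips comments and blank lines, and decodes
    '::' values so the caller sees the real key / hash material.
    """
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # continuation of previous line
        elif raw and not raw.startswith("#"):
            lines.append(raw)
    entry, encoded = defaultdict(list), set()
    for line in lines:
        attr, _, rest = line.partition(":")
        if rest.startswith(":"):          # 'attr:: base64'
            value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
            encoded.add(attr)
        else:                             # 'attr: value'
            value = rest.strip()
        entry[attr].append(value)
    return dict(entry), encoded


def unused_optional_attrs(entry):
    """Per known objectClass, the optional attributes this entry does not set."""
    present = set(entry)
    return {oc: sorted(OPTIONAL_ATTRS[oc] - present)
            for oc in entry.get("objectClass", []) if oc in OPTIONAL_ATTRS}


if __name__ == "__main__":
    entry, encoded = parse_ldif_entry(SAMPLE_LDIF)
    print("base64-encoded attributes:", sorted(encoded))
    for oc, attrs in unused_optional_attrs(entry).items():
        print(f"{oc}: unused optional attributes: {', '.join(attrs)}")
```

Run against a real `ldapsearch -LLL` dump of one entry instead of `SAMPLE_LDIF` to get the actual candidate list; attributes not in any class's output (for example anything wikimediaPerson would need) are the ones that require a schema extension.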