These classnotes are deprecated. As of 2005, I no longer teach the classes. Notes will remain online for legacy purposes.

LDAP01/LDIF Schema

dc Attribute

Returning to the top-most entry of Odyssey, Inc.'s LDAP directory, we can now explain the meaning of the domain object class and the dc attribute. Here is our LDIF listing for this entry:
 # LDIF listing for DN for Odyssey, Inc.
 dn: dc=odyssey,dc=com
 objectClass: domain
 dc: odyssey

The original recommendation for dividing the X.500 namespace was based on geographic and national regions. You frequently see this convention in LDAP directories as well. However, there is no central means of registering such names, and therefore no general way to refer to the naming context of a directory server. RFC 2247 introduced a system by which LDAP directory naming contexts can be piggybacked on top of an existing DNS infrastructure. Because DNS domain names are supposed to be unique across the Internet and can be located easily, mapping an organization's domain name to an LDAP DN provides a simple way of determining the base suffix used by a directory and ensures that the naming context will be globally unique.

To support mapping between a DNS domain name and an LDAP directory namespace, RFC 2247 defines two objects for storing domain components:

dcObject
This is an auxiliary object class used to augment an existing entry that already carries organizational information (e.g., an organization or organizationalUnit) with the dc attribute.
domain
This structural object class acts as a standalone container for both the organizational information and the domain name component (i.e., the dc attribute).
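The RFC 2247 mapping described above, as an added example that is not part of the original class notes. It converts a DNS domain name into a dc-based DN, checks the reverse direction, and emits the naming-context entry in both forms the notes describe: the standalone domain object class, and an organization entry augmented with the auxiliary dcObject class. The domain and organization names are constructed sample values; the helper names are this example's own.

```python
# Added example (not from the class notes): RFC 2247 mapping between a DNS
# domain name and an LDAP DN, plus LDIF for the naming-context entry in the
# two forms the notes describe ('domain' standalone, 'dcObject' auxiliary).
# "odyssey.com" and "Odyssey, Inc." are constructed sample values.
import re
from typing import List

# One DNS label: letters, digits and hyphens, no leading/trailing hyphen,
# at most 63 characters. Input is lower-cased before this check.
_LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


def _labels(domain: str) -> List[str]:
    """Split a domain into validated, lower-cased labels."""
    labels = domain.strip().rstrip(".").lower().split(".")
    for label in labels:
        if not _LABEL.match(label):
            raise ValueError(f"invalid DNS label: {label!r}")
    return labels


def domain_to_dn(domain: str) -> str:
    """'odyssey.com' -> 'dc=odyssey,dc=com' (one dc RDN per DNS label)."""
    return ",".join(f"dc={label}" for label in _labels(domain))


def dn_to_domain(dn: str) -> str:
    """Inverse mapping; rejects DNs that contain anything but dc RDNs."""
    parts = []
    for rdn in dn.split(","):
        attr, _, value = rdn.strip().partition("=")
        if attr.lower() != "dc" or not value:
            raise ValueError(f"non-dc RDN in DN: {rdn!r}")
        parts.append(value.lower())
    return ".".join(parts)


def domain_entry_ldif(domain: str) -> str:
    """Naming-context entry using the standalone 'domain' object class.
    The dc attribute value must equal the value of the leftmost RDN."""
    labels = _labels(domain)
    return "\n".join([
        f"dn: {domain_to_dn(domain)}",
        "objectClass: domain",
        f"dc: {labels[0]}",
    ]) + "\n"


def dc_object_entry_ldif(domain: str, org_name: str) -> str:
    """Naming-context entry that keeps the organizational information in an
    'organization' entry and adds the auxiliary 'dcObject' class so the
    entry can be named by its dc attribute."""
    labels = _labels(domain)
    return "\n".join([
        f"dn: {domain_to_dn(domain)}",
        "objectClass: organization",
        "objectClass: dcObject",
        f"o: {org_name}",
        f"dc: {labels[0]}",
    ]) + "\n"


if __name__ == "__main__":
    print(domain_entry_ldif("odyssey.com"))
    print(dc_object_entry_ldif("odyssey.com", "Odyssey, Inc."))
```

Either LDIF fragment can be fed to ldapadd once the server's suffix is set to the same DN; the label validation matters because a DN built from an unchecked hostname is what ends up as the base suffix of the whole directory.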

Schema References

So now we have seen several RFC defined schemas, and we have seen several defined and derived attributes. But one of the most frequent questions asked by new LDAP administrators is, "What do all these abbreviations mean?" Another question usually follows, "How does my organization use all these attributes?"

As this is an extensible system, there is no single source defining all possible LDAPv3 attribute types. However, there are a number of online resources which can be consulted to cover the most common schema items:

LDAPv3 RFCs
RFC 3377, RFC 2256, RFC 2247 and others detail many of the schemas in use today.
LDAP Schema Viewer http://ldap.akbkhome.com/
This site, maintained by Alan Knowles, provides a nice means of browsing descriptions and dependencies among common LDAP items.
Object Identifiers Registry http://www.alvestrand.no/objectid/
This is useful in tracking down the owner of specific OID arcs.
Sun Microsystems Product Documentation http://docs.sun.com/
The Sun ONE Directory Server (formerly owned by Netscape Communications) includes a large set of reference documentation on various LDAP schema items.

Perusing the Default Schema Files

Let's take a moment and familiarize ourselves with the schema files included by default with OpenLDAP. These schemas are stored in /etc/ldap/schema under Debian.

 root@rygel:/etc/ldap/schema# ls -la
 total 156
 drwxr-xr-x    2 root     root         4096 Sep 22 11:58 .
 drwxr-xr-x    3 root     root         4096 Sep 22 11:58 ..
 -rw-r--r--    1 root     root         2736 Jul 16 07:33 README
 -rw-r--r--    1 root     root         7531 Jul 16 07:33 corba.schema
 -rw-r--r--    1 root     root        17290 Jul 16 07:33 core.schema
 -rw-r--r--    1 root     root        73498 Jul 16 07:33 cosine.schema
 -rw-r--r--    1 root     root         5826 Jul 16 07:33 inetorgperson.schema
 -rw-r--r--    1 root     root        13438 Jul 16 07:33 java.schema
 -rw-r--r--    1 root     root         1701 Jul 16 07:33 misc.schema
 -rw-r--r--    1 root     root         7196 Jul 16 07:33 nis.schema
 -rw-r--r--    1 root     root         1116 Jul 16 07:33 openldap.schema 

Take a look at the README file now.

Now, examine some of the attribute definitions in core.schema. Specifically, it would be good to dissect 'streetAddress', 'description', 'name' and those attributes derived from 'name'.
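To make the "attributes derived from 'name'" exercise concrete, here is an added example (not from the class notes or from OpenLDAP) that parses attributetype definitions written in the core.schema format and follows their SUP links. SCHEMA_EXCERPT is a constructed sample in that format covering 'name', 'cn', 'sn' and 'description'; the OIDs are the standard X.500 ones for those attributes. The class and function names are this example's own. One edge case the parser has to handle is visible in the excerpt: DESC strings may themselves contain parentheses, so the scan for the closing parenthesis must skip over quoted text.

```python
# Added example (not from the class notes or OpenLDAP): parse 'attributetype'
# definitions in core.schema format and resolve what derived attributes such
# as 'cn' and 'sn' inherit from 'name' through SUP.
# SCHEMA_EXCERPT is a constructed sample; the OIDs are the standard X.500 ones.
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

SCHEMA_EXCERPT = """\
attributetype ( 2.5.4.41 NAME 'name'
    DESC 'RFC2256: common supertype of name attributes'
    EQUALITY caseIgnoreMatch
    SUBSTR caseIgnoreSubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{32768} )

attributetype ( 2.5.4.3 NAME ( 'cn' 'commonName' )
    DESC 'RFC2256: common name(s) for which the entity is known by'
    SUP name )

attributetype ( 2.5.4.4 NAME ( 'sn' 'surname' )
    DESC 'RFC2256: last (family) name(s) for which the entity is known by'
    SUP name )

attributetype ( 2.5.4.13 NAME 'description'
    DESC 'RFC2256: descriptive information'
    EQUALITY caseIgnoreMatch
    SUBSTR caseIgnoreSubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1024} )
"""


@dataclass
class AttributeType:
    oid: str
    names: List[str]
    desc: Optional[str] = None
    sup: Optional[str] = None
    equality: Optional[str] = None
    substr: Optional[str] = None
    syntax: Optional[str] = None
    max_len: Optional[int] = None


def _extract_bodies(text: str) -> List[str]:
    """Return the text between the outer parentheses of each attributetype.
    Parentheses inside single-quoted strings ("last (family) name(s)") are
    skipped so they cannot unbalance the depth count."""
    bodies = []
    for m in re.finditer(r"^\s*attributetype\s*\(", text, re.MULTILINE):
        depth, i = 1, m.end()
        while depth and i < len(text):
            ch = text[i]
            if ch == "'":
                i = text.index("'", i + 1)  # jump to the closing quote
            elif ch == "(":
                depth += 1
            elif ch == ")":
                depth -= 1
            i += 1
        if depth:
            raise ValueError("unbalanced parentheses in attributetype definition")
        bodies.append(text[m.end():i - 1])
    return bodies


def _parse_body(body: str) -> AttributeType:
    """Pull the keywords this example cares about out of one definition."""
    oid = body.split()[0]
    m = re.search(r"\bNAME\s+(?:'([^']*)'|\(([^)]*)\))", body)
    if m is None:
        raise ValueError(f"attributetype {oid} has no NAME")
    names = [m.group(1)] if m.group(1) is not None else re.findall(r"'([^']*)'", m.group(2))

    def word(key: str) -> Optional[str]:
        w = re.search(rf"\b{key}\s+([^\s')]+)", body)
        return w.group(1) if w else None

    desc = re.search(r"\bDESC\s+'([^']*)'", body)
    syntax = re.search(r"\bSYNTAX\s+([0-9.]+)(?:\{(\d+)\})?", body)
    return AttributeType(
        oid=oid, names=names,
        desc=desc.group(1) if desc else None,
        sup=word("SUP"), equality=word("EQUALITY"), substr=word("SUBSTR"),
        syntax=syntax.group(1) if syntax else None,
        max_len=int(syntax.group(2)) if syntax and syntax.group(2) else None,
    )


class Schema:
    def __init__(self, text: str):
        self.types: Dict[str, AttributeType] = {}  # keyed by lower-cased name
        for body in _extract_bodies(text):
            at = _parse_body(body)
            for n in at.names:
                self.types[n.lower()] = at

    def get(self, name: str) -> AttributeType:
        return self.types[name.lower()]

    def supertype_chain(self, name: str) -> List[str]:
        """Primary names from the attribute up to its root supertype."""
        chain, seen = [], set()
        at: Optional[AttributeType] = self.get(name)
        while at is not None:
            if at.oid in seen:
                raise ValueError(f"SUP cycle through {at.names[0]}")
            seen.add(at.oid)
            chain.append(at.names[0])
            at = self.get(at.sup) if at.sup else None
        return chain

    def effective(self, name: str, field_name: str):
        """First non-empty value of a field (equality, substr, syntax,
        max_len) found while walking SUP links; this is how a derived
        attribute like 'cn' gets its matching rule and syntax from 'name'."""
        for n in self.supertype_chain(name):
            value = getattr(self.get(n), field_name)
            if value is not None:
                return value
        return None

    def derived_from(self, name: str) -> List[str]:
        """Primary names of every attribute whose SUP chain reaches name."""
        target = self.get(name).oid
        unique = {at.oid: at for at in self.types.values()}
        return sorted(
            at.names[0] for at in unique.values()
            if at.oid != target
            and any(self.get(a).oid == target for a in self.supertype_chain(at.names[0])[1:])
        )


if __name__ == "__main__":
    schema = Schema(SCHEMA_EXCERPT)
    for n in ("cn", "sn", "description"):
        print(n, "->", schema.supertype_chain(n),
              "equality:", schema.effective(n, "equality"),
              "max_len:", schema.effective(n, "max_len"))
    print("derived from name:", schema.derived_from("name"))
```

Run the same code over the real /etc/ldap/schema/core.schema (read the file into Schema instead of SCHEMA_EXCERPT) to list every attribute that descends from 'name'; since the parser only understands the handful of keywords shown, treat any definition it rejects as something to read by hand rather than as a schema error.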


Last edited September 22, 2003 7:03 pm
(C) Copyright 2003 Samuel Hart
This work is licensed under a Creative Commons License.