A detailed description of the schema in OpenLDAP

A detailed introduction to schema in OpenLDAP (published 2007-06-18 16:47)

Original: Schema specification

(This article comes from the ninth chapter of OpenLDAP's official documentation. It only touches on schema design, so translating it helps in understanding a lot of the details. Rick, June 18, 2007)

This chapter describes how to extend the schema used by slapd(8). It assumes the reader is already familiar with the LDAP/X.500 information model.

I. Schema file

II. Extending the Schema

The schema used by slapd(8) may be extended to support additional syntaxes, matching rules, attribute types, and object classes. This chapter describes in detail how to add user application attribute types and object classes using the syntaxes and matching rules slapd already supports. slapd can also be extended to support additional syntaxes, matching rules and system schema, but this requires some programming and is not discussed here.

To define new schema elements:
1. Obtain an object identifier (OID)
2. Choose a name prefix
3. Create a local schema file
4. Define custom attribute types
5. Define custom object classes

1. Object Identifiers

Each schema element is identified by a globally unique Object Identifier (OID). OIDs are also used to identify other objects; they are commonly found in protocols described by ASN.1 and play an important role in this chapter. OIDs are hierarchical: your organization can obtain one OID and then subdivide it as it likes. For example, if your organization were assigned the OID 1.1, you could branch the tree as follows:

Table 8.2: OID hierarchy example

    OID          Assignment
    1.1          Organization's OID
    1.1.1        SNMP Elements
    1.1.2        LDAP Elements
    1.1.2.1      AttributeTypes
    1.1.2.1.1    myAttribute
    1.1.2.2      ObjectClasses
    1.1.2.2.1    myObjectClass

You are free to design any OID hierarchy under your organization's OID that suits your needs. Whatever hierarchy you choose, you should keep a registry of the assignments you make. This can be a simple text file, or something more elaborate such as the OpenLDAP OID Registry (http://www.openldap.org/faq/index.cgi?file=197).

More information about OIDs (and a listing service) can be found at http://www.alvestrand.no/harald/objectid/

OIDs can be obtained free of charge under the Private Enterprise arc maintained by the Internet Assigned Numbers Authority (IANA). Any private enterprise (organization) may request an OID to be assigned under this arc. Just fill out the IANA form at http://www.iana.org/cgi-bin/enterprise.pl and your official OID will normally be sent to you within a few days. Your base OID will be the IANA private enterprise arc followed by your assigned enterprise number.

Note: Don't let the "MIB/SNMP" wording on the IANA form confuse you; OIDs obtained through it may be used for many purposes, including identifying LDAP schema elements.

Of course, OID arcs can also be obtained from national or international authorities (e.g. ANSI, BSI).

2. Naming Elements

In addition to an OID, each schema element should have at least one textual name. The name should be as descriptive as possible and must not collide with any other name, including present or future standard-track names.

To reduce (but not eliminate) the chance of name collisions, a convenient approach is to prefix your names with a short, non-standard-track string that identifies your organization (a few letters that localize the elements to your organization). The smaller your organization, the longer your prefix should be.

In the examples below we chose "my" as the name prefix (to save space); such a short prefix would only be suitable for a very large, global organization. In general, something like "deFirm" (a German company) or "comExample" (elements associated with the organization behind example.com) is recommended.

3. Local schema file

The objectclass and attributetype directives are used to define schema rules for entries in the directory. It is customary to create a file to hold your custom schema elements. We create a file named local.schema in /usr/local/etc/openldap/schema/ and then include it from slapd.conf, after the standard schema files:

    # include local schema
    include /usr/local/etc/openldap/schema/local.schema

(Translator: the LDAP installation location on Ubuntu is slightly different, so this example cannot be pasted in exactly as it is.)

4. Attribute Type Specification

The attributetype directive is used to define a new attribute type. The directive uses the same Attribute Type Description (as defined in RFC 2252) that is used by the attributeTypes attribute found in the subschema subentry:

    attributetype <RFC2252 Attribute Type Description>

The Attribute Type Description is defined by the following BNF:

    AttributeTypeDescription = "(" whsp
        numericoid whsp                  ; AttributeType identifier
        [ "NAME" qdescrs ]               ; name used in AttributeType
        [ "DESC" qdstring ]              ; description
        [ "OBSOLETE" whsp ]
        [ "SUP" woid ]                   ; derived from this other
                                         ; AttributeType
        [ "EQUALITY" woid ]              ; Matching Rule name
        [ "ORDERING" woid ]              ; Matching Rule name
        [ "SUBSTR" woid ]                ; Matching Rule name
        [ "SYNTAX" whsp noidlen whsp ]   ; Syntax OID
        [ "SINGLE-VALUE" whsp ]          ; default multi-valued
        [ "COLLECTIVE" whsp ]            ; default not collective
        [ "NO-USER-MODIFICATION" whsp ]  ; default user modifiable
        [ "USAGE" whsp AttributeUsage ]  ; default userApplications
        whsp ")"

    AttributeUsage =
        "userApplications"     /
        "directoryOperation"   /
        "distributedOperation" /         ; DSA-shared
        "dSAOperation"                   ; DSA-specific, value depends on server

where whsp is a space (' '), numericoid is a globally unique OID in dotted-decimal form (e.g. 1.1.0), qdescrs is one or more names, and woid is either a name or an OID, optionally followed by a length suffix (e.g. {10}).

For example, the attribute types name and cn are defined in core.schema as follows (the OIDs 2.5.4.41 and 2.5.4.3 are the standard X.500 assignments used by core.schema):

    attributetype ( 2.5.4.41 NAME 'name'
        DESC 'name(s) associated with the object'
        EQUALITY caseIgnoreMatch
        SUBSTR caseIgnoreSubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{32768} )
    attributetype ( 2.5.4.3 NAME ( 'cn' 'commonName' )
        DESC 'common name(s) associated with the object'
        SUP name )

Note: Each attribute is defined with an OID, one or more short names, and a brief description. Each name is an alias for the OID. slapd(8) returns the first listed name when returning results to clients.

The first attribute, name, holds values of directoryString (UTF-8 encoded Unicode) syntax. The syntax is specified by OID (1.3.6.1.4.1.1466.115.121.1.15 identifies the directoryString syntax).

A length recommendation of 32768 is specified. Servers should support values of this length, but may support longer values. The field does not specify a size constraint, so it is ignored on servers (such as slapd) that don't impose such size limits. In addition, equality and substring matching use case-ignore rules. Below are tables listing commonly used syntaxes and matching rules (OpenLDAP supports these and many more).

Table 8.3: Commonly used syntaxes

    Name                OID                              Description
    boolean             1.3.6.1.4.1.1466.115.121.1.7     boolean value
    directoryString     1.3.6.1.4.1.1466.115.121.1.15    Unicode (UTF-8) string
    distinguishedName   1.3.6.1.4.1.1466.115.121.1.12    LDAP DN
    integer             1.3.6.1.4.1.1466.115.121.1.27    integer
    numericString       1.3.6.1.4.1.1466.115.121.1.36    numeric string
    OID                 1.3.6.1.4.1.1466.115.121.1.38    object identifier
    octetString         1.3.6.1.4.1.1466.115.121.1.40    arbitrary octets

Table 8.4: Commonly used matching rules

    Name                          Type        Description
    booleanMatch                  equality    boolean
    caseIgnoreMatch               equality    case insensitive, space insensitive
    caseIgnoreOrderingMatch       ordering    case insensitive, space insensitive
    caseIgnoreSubstringsMatch     substrings  case insensitive, space insensitive
    caseExactMatch                equality    case sensitive, space insensitive
    caseExactOrderingMatch        ordering    case sensitive, space insensitive
    caseExactSubstringsMatch      substrings  case sensitive, space insensitive
    distinguishedNameMatch        equality    distinguished name
    integerMatch                  equality    integer
    integerOrderingMatch          ordering    integer
    numericStringMatch            equality    numerical
    numericStringOrderingMatch    ordering    numerical
    numericStringSubstringsMatch  substrings  numerical
    octetStringMatch              equality    octet string
    octetStringOrderingMatch      ordering    octet string
    octetStringSubstringsMatch    substrings  octet string
    objectIdentifierMatch         equality    object identifier

The second attribute, cn, is a subtype of name and inherits its syntax, matching rules and usage from name. commonName is an alternative name.

Neither attribute is restricted to a single value. Both are meant for use by user applications. Neither is obsolete nor collective.

The following subsections provide two examples. The OIDs used in them fall under the example organization's LDAP arc 1.1.2 from Table 8.2, with 1.1.2.1 for attribute types and 1.1.2.2 for object classes, the same subdivision the OID macros in section 6 define.

(1) myUniqueName

Many organizations maintain a single unique name for each user. Though one could use displayName (RFC 2798), that attribute is really meant to be controlled by the user, not the organization. We could simply copy the definition of displayName from inetorgperson.schema and replace the OID, name and description:

    attributetype ( 1.1.2.1.1 NAME 'myUniqueName'
        DESC 'unique name with my organization'
        EQUALITY caseIgnoreMatch
        SUBSTR caseIgnoreSubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{32768}
        SINGLE-VALUE )

However, if we want values of this attribute to be matched by assertions on name as well, the attribute can instead be defined as a subtype of name:

    attributetype ( 1.1.2.1.1 NAME 'myUniqueName'
        DESC 'unique name with my organization'
        SUP name )

(2) myPhoto

Many organizations keep a photo of each user. A myPhoto attribute type could be defined to hold it. Of course, one could use the jpegPhoto attribute type (RFC 2798) (or a subtype of it) to hold the photo, but only if the photo is in JPEG File Interchange Format. Alternatively, an attribute type using the octetString syntax could be defined:

    attributetype ( 1.1.2.1.2 NAME 'myPhoto'
        DESC 'a photo (application defined format)'
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.40
        SINGLE-VALUE )

In this case, the syntax does not specify the format of the photo. It is assumed (perhaps incorrectly) that all applications accessing this attribute agree on how to handle its values.

If you wanted to support multiple photo formats, you could define a separate attribute type for each format, prefix the photo values with some type information, or describe the value using ASN.1 and use the ;binary transfer option.

Another alternative is to have the attribute hold a URI pointing to the photo. You can model such an attribute after labeledURI (RFC 2079), or simply create a subtype of it:

    attributetype ( 1.1.2.1.3 NAME 'myPhotoURI'
        DESC 'URI and optional label referring to a photo'
        SUP labeledURI )

5. Object Class Specification

The objectclass directive is used to define a new object class. The directive uses the same Object Class Description (as defined in RFC 2252) that is used by the objectClasses attribute found in the subschema subentry:

    objectclass <RFC2252 Object Class Description>

The Object Class Description is defined by the following BNF:

    ObjectClassDescription = "(" whsp
        numericoid whsp                       ; ObjectClass identifier
        [ "NAME" qdescrs ]
        [ "DESC" qdstring ]
        [ "OBSOLETE" whsp ]
        [ "SUP" oids ]                        ; Superior ObjectClasses
        [ ( "ABSTRACT" / "STRUCTURAL" / "AUXILIARY" ) whsp ]
                                              ; default structural
        [ "MUST" oids ]                       ; AttributeTypes
        [ "MAY" oids ]                        ; AttributeTypes
        whsp ")"

(1) myPhotoObject

To define an auxiliary object class which allows myPhoto to be added to any existing entry:

    objectclass ( 1.1.2.2.1 NAME 'myPhotoObject'
        DESC 'mixin myPhoto'
        AUXILIARY
        MAY myPhoto )

(2) myPerson

If your organization would like a private structural object class to instantiate users, you can subclass one of the existing person classes, such as inetOrgPerson (RFC 2798), and add any additional attributes you desire:

    objectclass ( 1.1.2.2.2 NAME 'myPerson'
        DESC 'my person'
        SUP inetOrgPerson
        MUST ( myUniqueName $ givenName )
        MAY myPhoto )

The object class inherits the required/allowed attribute types of inetOrgPerson, but additionally requires myUniqueName and givenName and allows myPhoto.
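As an added example (my own code, not part of the original chapter or of OpenLDAP), here is a small Python parser for the attributetype and objectclass descriptions defined in sections 4 and 5, together with the checks a schema maintainer wants to run on local.schema before it is included from slapd.conf: every OID lies under the organization's arc and is used only once, every name carries the chosen prefix, and every SUP/MUST/MAY reference resolves either locally or to a name from the standard schema files. The arc 1.1.2 and the "my" prefix are the page's example values; the sample schema text is constructed from the page's definitions, and the "bad" sample is constructed to trigger each check. The macro form of an OID (name:suffix, section 6) is recognised but reported as needing expansion first.

```python
"""Parser and sanity checks for the attributetype / objectclass descriptions
used above (RFC 2252 form).  Added example for this page, not OpenLDAP code.
The org arc 1.1.2 and the 'my' prefix are the page's own example values; the
sample schema text below is constructed from the page's definitions."""
import re

_VALUED = {"NAME", "DESC", "SUP", "EQUALITY", "ORDERING", "SUBSTR",
           "SYNTAX", "USAGE", "MUST", "MAY"}           # keywords taking a value
_FLAGS = {"SINGLE-VALUE", "COLLECTIVE", "NO-USER-MODIFICATION", "OBSOLETE",
          "ABSTRACT", "STRUCTURAL", "AUXILIARY"}       # bare keywords
_LIST_KEYS = {"NAME", "SUP", "MUST", "MAY"}            # may be "( a $ b )"
_TOKEN = re.compile(r"'[^']*'|[()$]|[^\s()$']+")       # qdstring | punct | word
_DIRECTIVE = re.compile(r"^\s*(?=(?:attributetype|objectclass)\b)", re.M | re.I)


def _read_value(toks, i):
    """Return (value, next_index) for toks[i]; a '( a $ b )' list -> Python list."""
    if toks[i] != "(":
        return toks[i].strip("'"), i + 1
    items, i = [], i + 1
    while toks[i] != ")":
        if toks[i] != "$":
            items.append(toks[i].strip("'"))
        i += 1
    return items, i + 1


def parse_description(text):
    """Parse one 'attributetype ( ... )' / 'objectclass ( ... )' directive into a
    dict: kind, oid, names, keyword fields (lists for NAME/SUP/MUST/MAY; SYNTAX
    split into its OID and the optional {len} suffix as SYNTAX_LEN)."""
    toks = _TOKEN.findall(text)
    kind = toks[0].lower()
    if kind not in ("attributetype", "objectclass") or toks[1] != "(":
        raise ValueError("not an attributetype/objectclass directive")
    elem, i = {"kind": kind, "oid": toks[2], "names": []}, 3
    while toks[i] != ")":
        key = toks[i].upper()
        if key in _VALUED:
            val, i = _read_value(toks, i + 1)
            if key in _LIST_KEYS and not isinstance(val, list):
                val = [val]
            elem["names" if key == "NAME" else key] = val
        elif key in _FLAGS:
            elem[key], i = True, i + 1
        else:
            raise ValueError("unexpected token %r in %s" % (toks[i], toks[2]))
    if "SYNTAX" in elem:                            # noidlen: OID plus optional {len}
        m = re.fullmatch(r"([\d.]+)(?:\{(\d+)\})?", elem["SYNTAX"])
        if not m:
            raise ValueError("bad SYNTAX %r" % elem["SYNTAX"])
        elem["SYNTAX"] = m.group(1)
        elem["SYNTAX_LEN"] = int(m.group(2)) if m.group(2) else None
    return elem


def parse_schema_file(text):
    """Drop '#' comment lines, then parse every directive in a schema file."""
    body = "\n".join(l for l in text.splitlines() if not l.lstrip().startswith("#"))
    return [parse_description(p) for p in _DIRECTIVE.split(body) if p.strip()]


def check_schema(text, org_arc, prefix, known=()):
    """Return problem strings: OIDs outside org_arc or reused, names without the
    prefix, SUP/MUST/MAY references resolving neither locally nor in `known`."""
    elems = parse_schema_file(text)
    defined = {n.lower() for e in elems for n in e["names"]} | {k.lower() for k in known}
    seen, problems = {}, []
    for e in elems:
        label = e["names"][0] if e["names"] else e["oid"]
        if ":" in e["oid"]:                         # macro form, see OID macros (section 6)
            problems.append("%s: expand OID macro %s before checking" % (label, e["oid"]))
        elif not e["oid"].startswith(org_arc + "."):
            problems.append("%s: OID %s is not under %s" % (label, e["oid"], org_arc))
        if e["oid"] in seen:
            problems.append("%s: OID %s already used by %s" % (label, e["oid"], seen[e["oid"]]))
        seen.setdefault(e["oid"], label)
        for n in e["names"]:
            if not n.startswith(prefix):
                problems.append("%s: name %r lacks prefix %r" % (label, n, prefix))
        for key in ("SUP", "MUST", "MAY"):
            for ref in e.get(key, []):
                if ref.lower() not in defined:
                    problems.append("%s: %s references unknown element %r" % (label, key, ref))
    return problems


# Names the local schema refers to that live in core.schema / inetorgperson.schema.
KNOWN_STANDARD = ("name", "labeledURI", "inetOrgPerson", "givenName")
SAMPLE_LOCAL_SCHEMA = """\
# constructed local.schema made of the definitions from this page
attributetype ( 1.1.2.1.1 NAME 'myUniqueName' DESC 'unique name with my organization' SUP name )
attributetype ( 1.1.2.1.2 NAME 'myPhoto' DESC 'a photo (application defined format)'
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE )
attributetype ( 1.1.2.1.3 NAME 'myPhotoURI' DESC 'URI and optional label referring to a photo'
    SUP labeledURI )
objectclass ( 1.1.2.2.1 NAME 'myPhotoObject' DESC 'mixin myPhoto' AUXILIARY MAY myPhoto )
objectclass ( 1.1.2.2.2 NAME 'myPerson' DESC 'my person' SUP inetOrgPerson
    MUST ( myUniqueName $ givenName ) MAY myPhoto )
"""
BAD_SCHEMA = """\
# constructed: an element filed under the SNMP arc, without the prefix, and a dangling MUST
attributetype ( 1.1.1.5 NAME 'nickname' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{64} )
objectclass ( 1.1.2.2.9 NAME 'myThing' STRUCTURAL MUST ( nickname $ myMissingAttr ) )
"""

if __name__ == "__main__":
    for label, text in (("local.schema", SAMPLE_LOCAL_SCHEMA), ("bad.schema", BAD_SCHEMA)):
        print(label, check_schema(text, "1.1.2", "my", KNOWN_STANDARD) or "OK")
```

The checks complement, rather than replace, loading the file with slapd's own parser (slaptest(8) with your slapd.conf), which is what validates syntax OIDs and matching rule names; what the script adds is the organizational discipline the chapter asks for: elements stay inside the arc you registered, names keep the prefix, and no definition silently depends on a schema file you forgot to include.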

6. OID Macros

To ease the management of OIDs, slapd(8) supports Object Identifier macros. The objectidentifier directive binds a name to an OID; the OID may itself be derived from a previously defined macro. The slapd.conf syntax is:

    objectidentifier <name> { <oid> | <name>[:<suffix>] }

The following example defines a set of OID macros and uses them to define schema elements:

    objectidentifier myoid            1.1
    objectidentifier mysnmp           myoid:1
    objectidentifier myldap           myoid:2
    objectidentifier myattributetype  myldap:1
    objectidentifier myobjectclass    myldap:2
    attributetype ( myattributetype:3 NAME 'myPhotoURI'
        DESC 'URI and optional label referring to a photo'
        SUP labeledURI )
    objectclass ( myobjectclass:1 NAME 'myPhotoObject'
        DESC 'mixin myPhoto'
        AUXILIARY
        MAY myPhoto )
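As an added example (my own code, not part of the original chapter or of OpenLDAP), the following Python resolver implements the objectidentifier macro rule above: macros are read in file order, each one may build on an earlier one, and a schema element's macro-relative OID such as myattributetype:3 is expanded to its dotted form so it can be compared against the OID registry recommended in section 1. Macro names are compared case-insensitively here, which is an assumption; the config and schema fragments are constructed from the page's own macro example.

```python
"""Resolver for slapd.conf OID macros of the form shown above:
    objectidentifier <name> { <oid> | <name>[:<suffix>] }
Added example for this page, not OpenLDAP code; macro names are compared
case-insensitively here (an assumption).  The config and schema fragments
below are constructed from the page's own macro example."""
import re

_OID = re.compile(r"^\d+(\.\d+)*$")       # dotted-decimal OID


def resolve(ref, macros):
    """Expand `ref`: a dotted OID is returned as-is, <macro>[:<suffix>] becomes
    the macro's OID with the suffix appended.  Undefined macros are errors."""
    if _OID.match(ref):
        return ref
    name, _, suffix = ref.partition(":")
    base = macros.get(name.lower())
    if base is None:
        raise ValueError("undefined OID macro %r" % name)
    if suffix and not _OID.match(suffix):
        raise ValueError("bad suffix %r in %r" % (suffix, ref))
    return base + "." + suffix if suffix else base


def load_macros(conf_text):
    """Read objectidentifier directives in file order into {name: OID}.  Each
    definition is resolved as it is read, so a macro may build on any earlier
    one, while a forward reference (or a cycle) is reported immediately."""
    macros = {}
    for line in conf_text.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0].lower() == "objectidentifier":
            macros[parts[1].lower()] = resolve(parts[2], macros)
    return macros


def expand_schema(schema_text, macros):
    """Rewrite the OID slot of every attributetype/objectclass directive to its
    dotted form, so the file can be checked against the OID registry."""
    slot = re.compile(r"((?:attributetype|objectclass)\s*\(\s*)(\S+)", re.I)
    return slot.sub(lambda m: m.group(1) + resolve(m.group(2), macros), schema_text)


SAMPLE_CONF = """\
# constructed slapd.conf fragment: the page's macro definitions
objectidentifier myoid            1.1
objectidentifier mysnmp           myoid:1
objectidentifier myldap           myoid:2
objectidentifier myattributetype  myldap:1
objectidentifier myobjectclass    myldap:2
"""
SAMPLE_SCHEMA = """\
attributetype ( myattributetype:3 NAME 'myPhotoURI'
    DESC 'URI and optional label referring to a photo'
    SUP labeledURI )
objectclass ( myobjectclass:1 NAME 'myPhotoObject'
    DESC 'mixin myPhoto'
    AUXILIARY
    MAY myPhoto )
"""

if __name__ == "__main__":
    macros = load_macros(SAMPLE_CONF)
    for name, oid in macros.items():
        print("%-16s %s" % (name, oid))
    print(expand_schema(SAMPLE_SCHEMA, macros))
```

Running the script prints the five macros with their dotted OIDs (myattributetype resolves to 1.1.2.1 and myobjectclass to 1.1.2.2, matching Table 8.2) followed by the schema fragment with 1.1.2.1.3 and 1.1.2.2.1 in place of the macro references. Because a macro is resolved at the point it is defined, a typo in a macro name fails at load time rather than producing a schema element with a wrong OID.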

Welcome to my tech blog, http://railser.cn/, where new articles will be posted. Friends are welcome.
