LDAP basic noun explanation (3)

Source: Internet
Author: User
Tags: ldap, ldap filter, ldap search filter, openldap

Noun explanation: objectClass

objectClass is an LDAP object class, a data model built into LDAP. Each objectClass has its own data structure. For example, a "phone book" objectClass will have many attributes, such as name (uid), ID number (uidNumber), unit name (GID) and home address (homeDirectory); at the same time a "yearbook" objectClass may share some attributes with "phone book" (such as uid and homeDirectory) but also have attributes that "phone book" does not (such as description).


Entry

An entry is a record, the basic storage unit in LDAP; it can also be seen as a DN together with a set of attributes. Note that one entry can contain several objectClasses: zhang3, for example, can exist in the phone book and in the yearbook at the same time.


DN

Distinguished Name, the unique distinguished name of an LDAP entry. A complete DN looks like uid=zhang3,ou=people,dc=163,dc=com. In LDAP only the DN of an entry is guaranteed by the LDAP server to be unique.

LDAP Search Filter

A filter is used to search LDAP. A filter is generally composed of units of the form (attribute=value). For example, (&(uid=zhangsan)(objectClass=person)) searches for the LDAP entry of the user whose uid is zhangsan. Another example, (&(|(uid=zhangsan)(uid=lisi))(objectClass=person)), searches for a user whose uid is zhangsan or lisi. You can also use * to stand for any value: (uid=zhang*san) searches for entries whose uid begins with zhang and ends with san. Further, depending on the matching rules of the LDAP attribute, you can write a filter such as (&(createTimestamp>=20050301000000)(createTimestamp<=20050302000000)), which searches for entries created between 20050301000000 and 20050302000000.

In a filter, "&" means AND, "!" means NOT and "|" means OR. Depending on the matching rules we can use "=", "~=", ">=" and "<="; readers who want more detail on LDAP filters can refer to the LDAP protocol specifications.
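As an added example (not from the original article), the filters above built in Python with RFC 4515 value escaping, so that a value such as zhang*san passed as a literal is matched exactly rather than treated as a wildcard; the helper names are my own.

```python
# Added example (not from the page): build search filters of the form described
# above, escaping attribute values per RFC 4515 so that a value containing filter
# metacharacters is matched literally instead of being parsed as filter syntax.

def escape_value(value):
    """RFC 4515 escaping: '*', '(', ')', '\\' and NUL become backslash + two hex digits."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)

def eq(attr, value):
    return "(%s=%s)" % (attr, escape_value(value))

def approx(attr, value):
    return "(%s~=%s)" % (attr, escape_value(value))

def ge(attr, value):
    return "(%s>=%s)" % (attr, escape_value(value))

def le(attr, value):
    return "(%s<=%s)" % (attr, escape_value(value))

def substring(attr, *parts):
    """Wildcard match: parts are joined with '*', so ("zhang", "san") gives zhang*san."""
    return "(%s=%s)" % (attr, "*".join(escape_value(p) for p in parts))

def and_(*filters):
    return "(&%s)" % "".join(filters)

def or_(*filters):
    return "(|%s)" % "".join(filters)

def not_(f):
    return "(!%s)" % f

# The four filters from the text, constructed with the helpers:
BY_UID = and_(eq("uid", "zhangsan"), eq("objectClass", "person"))
EITHER_UID = and_(or_(eq("uid", "zhangsan"), eq("uid", "lisi")), eq("objectClass", "person"))
PREFIX_SUFFIX = substring("uid", "zhang", "san")
CREATED_ON = and_(ge("createTimestamp", "20050301000000"),
                  le("createTimestamp", "20050302000000"))

# The same text passed through eq() is escaped and matches only the literal string:
LITERAL_STAR = eq("uid", "zhang*san")  # (uid=zhang\2asan)
```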

Base DN

A base DN can be, for example, "dc=163,dc=com" or "dc=people,dc=163,dc=com". When performing an LDAP search you generally need to specify a base DN: because LDAP is a tree-like data structure, the search starts from the base DN, and the search scope can be specified as only the base DN itself (base), the direct subordinates of the base DN (one level), or all subordinates of the base DN (subtree).
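An added example (not from the original article) of the three scopes applied to a constructed tree under dc=163,dc=com; the toy DN comparison only lower-cases and splits on commas, which is enough for these DNs but not for escaped commas or multi-valued RDNs.

```python
# Added example (not from the page): which entries a search returns for a given
# base DN and scope. DNs are compared as lists of RDNs aligned from the right.
# This toy comparison lower-cases and strips whitespace only; escaped commas and
# multi-valued RDNs, which a real server handles per the DN syntax, are ignored.

def rdns(dn):
    return [r.strip().lower() for r in dn.split(",")]

def in_scope(entry_dn, base_dn, scope):
    """scope: 'base' (the base entry only), 'one' (its direct children), 'sub' (whole subtree)."""
    e, b = rdns(entry_dn), rdns(base_dn)
    if len(e) < len(b) or e[len(e) - len(b):] != b:
        return False                       # entry is not under the base at all
    depth = len(e) - len(b)                # 0 = base itself, 1 = direct child, ...
    return {"base": depth == 0, "one": depth == 1, "sub": True}[scope]

def search(entries, base_dn, scope):
    """Return the DNs of entries that a search with this base and scope would visit."""
    return [dn for dn in entries if in_scope(dn, base_dn, scope)]

# Constructed sample tree built around the DN used in the text.
TREE = [
    "dc=163,dc=com",
    "ou=people,dc=163,dc=com",
    "uid=zhang3,ou=people,dc=163,dc=com",
    "uid=lisi,ou=people,dc=163,dc=com",
    "ou=groups,dc=163,dc=com",
    "cn=admins,ou=groups,dc=163,dc=com",
]
```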

ObjectClass Introduction

In LDAP an entry must contain an objectClass attribute with at least one value. Each value serves as a template for the data stored in the entry; the template lists the attributes the entry must have and the attributes it may optionally have. objectClass has a strict hierarchy, with top and alias predefined. For example, organizationalPerson is subordinate to person, and person is subordinate to top.

objectClass can be divided into the following 3 categories:
Structural: such as person and organizationalUnit;
Auxiliary: such as extensibleObject;
Abstract: such as top; an abstract objectClass cannot be used directly.
Many objectClasses are defined in the OpenLDAP schema; the names of some commonly used ones are listed below.

An object class (objectClass) is a collection of attributes: LDAP takes the kinds of objects that are common in most organizations and encapsulates them as object classes. For example, person contains surname (sn), common name (cn), telephone number (telephoneNumber), password (userPassword) and other attributes; organizationalPerson, the unit employee, inherits from person and, in addition to the attributes above, has attributes such as title, postal code (postalCode), mailing address (postalAddress) and so on.

Object classes make it easy to define an entry type. Each entry can inherit from several object classes directly and so acquire their various attributes; if two object classes define the same attribute, the entry keeps only one copy of it. An object class also specifies which attributes are basic information that must be present (MUST, the required attributes) and which are extended information that may be present (MAY, the optional attributes).

There are three kinds of object classes: structural, abstract and auxiliary. A structural class is the most basic kind; it specifies the basic attributes of an object entity, and every entry belongs to exactly one structural object class. An abstract class can be the parent of a structural class or of another abstract class; it mainly groups part of an object's attributes together as a template for other classes, and an entry cannot inherit directly from an abstract object class. An auxiliary class specifies the extended attributes of an object entity; although each entry belongs to only one structural object class, it can belong to several auxiliary object classes at the same time.

Object classes can inherit from one another, and the root of the object class hierarchy is the abstract object class top. Taking the common person-related classes as an example, their inheritance relationship:

account built-in attributes: userid, description, host, localityName, organizationName, organizationalUnitName, seeAlso;

inetOrgPerson built-in attributes include cn, sn, description, seeAlso, telephoneNumber, userPassword, destinationIndicator, facsimileTelephoneNumber, internationaliSDNNumber, l, ou, physicalDeliveryOfficeName, postOfficeBox, postalAddress, postalCode, preferredDeliveryMethod, registeredAddress, st, street, teletexTerminalIdentifier, telexNumber, title, x121Address, audio, businessCategory, carLicense, departmentNumber, displayName, employeeNumber, employeeType, givenName, homePhone, homePostalAddress, initials, jpegPhoto, labeledURI, mail, manager, mobile, o, pager, photo, preferredLanguage, roomNumber, secretary, uid, userCertificate, etc.;

As can be seen from the above, account presets only a few necessary and useful attributes (certainly enough to complete login authentication), while inetOrgPerson builds in many attributes such as telephone number, mobile number, street address, post office box, e-mail address, room number, photo, manager, employee number and so on.

Therefore, when configuring LDAP, it is recommended to use the account objectClass if the directory is only used for authentication, and inetOrgPerson if you want to build a rich repository of employee information.

What I use here is inetOrgPerson, posixAccount and shadowAccount.

The required attribute of account is userid; the required attributes of posixAccount are cn, gidNumber, homeDirectory, uid and uidNumber; the required attribute of shadowAccount is uid, and its optional attributes include shadowExpire, shadowInactive, shadowMax, shadowMin, userPassword, etc.; the required attribute of top is objectClass (which shows that top and the other objectClasses stand in an inheritance relationship).


Attributes are similar to variables in programming and can be assigned values. Many common attributes are declared in OpenLDAP (users can also define their own). The meanings of the common attributes are as follows:
c: country.
cn: commonName, the name of an object; if it refers to a person, the full name is used.
dc: domainComponent, commonly used for one component of a domain name.
givenName: a person's given name; it cannot be used for a surname.
l: localityName, the name of a place such as a city or other geographical area.
mail: e-mail address.
o: organizationName, the name of an organization.
ou: organizationalUnitName, the name of an organizational unit.
sn: surname, the surname of a person.
telephoneNumber: telephone number, which should include the country code.

Tip: objectClass is a special kind of attribute: it is itself an attribute of the entry and it determines which other attributes the entry contains.

Different objectClasses usually have some required attribute values and some optional ones. For example, you can use the person objectClass to represent an entry for a user of the system, who usually needs a name, telephone number, password, description and so on. For person, the user's name is set through cn and sn, which must be set, while the other attributes are optional.

Listed below are the required attributes of some common objectClasses.
organizationalPerson: same as person.
posixAccount: cn, gidNumber, homeDirectory, uid, uidNumber.
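An added example (not from the article or from OpenLDAP): a checker for the MUST/MAY, single-structural-chain and abstract-class rules explained in the objectClass sections above, run against the inetOrgPerson + posixAccount + shadowAccount combination used in this article; the SCHEMA table is a hand-abbreviated subset of the OpenLDAP schema and the function names are my own.

```python
# Added example (not from the page): a simplified checker for the objectClass rules
# described above. SCHEMA is a hand-copied, abbreviated subset of OpenLDAP's
# core/cosine/nis/inetorgperson schemas: name -> (kind, parent, MUST, MAY).
SCHEMA = {
    "top": ("ABSTRACT", None, {"objectClass"}, set()),
    "person": ("STRUCTURAL", "top", {"sn", "cn"}, {"userPassword", "telephoneNumber", "description"}),
    "organizationalPerson": ("STRUCTURAL", "person", set(), {"title", "postalAddress", "postalCode"}),
    "inetOrgPerson": ("STRUCTURAL", "organizationalPerson", set(), {"uid", "mail", "givenName", "manager"}),
    "account": ("STRUCTURAL", "top", {"uid"}, {"description", "host", "l", "o", "ou"}),  # MUST 'userid' = uid
    "posixAccount": ("AUXILIARY", "top", {"cn", "uid", "uidNumber", "gidNumber", "homeDirectory"},
                     {"userPassword", "loginShell", "gecos", "description"}),
    "shadowAccount": ("AUXILIARY", "top", {"uid"}, {"userPassword", "shadowMax", "shadowExpire"}),
}

def lineage(oc):
    # the class itself followed by its parents up to top
    chain = []
    while oc is not None:
        chain.append(oc)
        oc = SCHEMA[oc][1]
    return chain

def validate(entry):
    """Return the list of schema violations for entry (dict: attribute -> values)."""
    classes = entry.get("objectClass", [])
    unknown = [c for c in classes if c not in SCHEMA]
    if unknown:
        return ["unknown objectClass " + c for c in unknown]
    # An abstract class (e.g. top) may only be listed because a structural or
    # auxiliary class in the entry inherits from it; it cannot be used on its own.
    inherited = {p for c in classes if SCHEMA[c][0] != "ABSTRACT" for p in lineage(c)}
    problems = ["abstract class %s used directly" % c for c in classes if c not in inherited]
    # One structural chain only: every structural class listed must be the most derived one or an ancestor of it.
    structural = [c for c in classes if SCHEMA[c][0] == "STRUCTURAL"]
    if not structural:
        problems.append("no structural objectClass")
    else:
        leaf = max(structural, key=lambda c: len(lineage(c)))
        problems += ["second structural chain: " + c for c in structural if c not in lineage(leaf)]
    # MUST of every inherited class is required; only MUST/MAY attributes are allowed.
    must = {a for c in inherited for a in SCHEMA[c][2]}
    may = {a for c in inherited for a in SCHEMA[c][3]}
    problems += ["missing required attribute " + a for a in sorted(must - set(entry))]
    problems += ["attribute %s not allowed" % a for a in sorted(set(entry) - must - may)]
    return problems

# Constructed sample entry using the three classes named in the text above.
ZHANG3 = {"objectClass": ["inetOrgPerson", "posixAccount", "shadowAccount"],
          "cn": ["zhang3"], "sn": ["zhang"], "uid": ["zhang3"], "uidNumber": ["1001"],
          "gidNumber": ["1001"], "homeDirectory": ["/home/zhang3"], "mail": ["zhang3@example.com"]}
```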
