mirror of
https://git.openldap.org/openldap/openldap.git
synced 2025-01-06 10:46:21 +08:00
453 lines
17 KiB
Plaintext
453 lines
17 KiB
Plaintext
# $OpenLDAP$
|
|
# Copyright 1999-2000, The OpenLDAP Foundation, All Rights Reserved.
|
|
# COPYING RESTRICTIONS APPLY, see COPYRIGHT.
|
|
|
|
H1: Schema Specification
|
|
|
|
This chapter describes how to extend the schema used by {{slapd}}(8).
|
|
The first section, {{SECT:Distributed Schema Files}} details optional
|
|
schema definitions provided in the distribution and where to obtain
|
|
other definitions.
|
|
The second section, {{SECT:Extending Schema}}, details how to define
|
|
new schema items.
|
|
!if 0
|
|
The third section, {{SECT:Transferring Schema}} details how you can
|
|
export schema definitions from an LDAPv3 server and transform it
|
|
to {{slapd.conf}}(5) format.
|
|
!endif
|
|
|
|
H2: Distributed Schema Files
|
|
|
|
OpenLDAP is distributed with a set of schema specifications for
|
|
your use. Each set is defined in a file suitable for inclusion
|
|
(using the {{EX:include}} directive) in your {{slapd.conf}}(5)
|
|
file. These schema files are normally installed in the
|
|
{{F:/usr/local/etc/openldap/schema}} directory.
|
|
|
|
!block table; colaligns="LR"; coltags="F,N"; align=Center; \
|
|
title="Table 6.1: Provided Schema Specifications"
|
|
File Description
|
|
core.schema OpenLDAP {{core}} (required)
|
|
cosine.schema Cosine and Internet X.500 (useful)
|
|
inetorgperson.schema InetOrgPerson (useful)
|
|
misc.schema Assorted (experimental)
|
|
nadf.schema North American Directory Forum (FYI)
|
|
nis.schema Network Information Services (FYI)
|
|
openldap.schema OpenLDAP Project (experimental)
|
|
!endblock
|
|
|
|
To use any of these schema files, you only need to include the
|
|
the desired file in the global definitions portion of your
|
|
{{slapd.conf}}(5) file. For example:
|
|
|
|
> # include schema
|
|
> include /usr/local/etc/openldap/schema/core.schema
|
|
> include /usr/local/etc/openldap/schema/cosine.schema
|
|
> include /usr/local/etc/openldap/schema/inetorgperson.schema
|
|
|
|
Additional files may be available. Please consult the OpenLDAP
|
|
FAQ ({{URL:http://www.openldap.org/faq/}}).
|
|
|
|
Note: You should not modify any of the schema items defined
|
|
in provided files.
|
|
|
|
H2: Extending Schema
|
|
|
|
Schema used by {{slapd}}(8) may be extended to support additional
|
|
syntaxes, matching rules, attribute types, and object classes.
|
|
This chapter details how to add attribute types and object classes
|
|
using the syntaxes and matching rules already supported by slapd.
|
|
slapd can also be extended to support additional syntaxes
|
|
and matching rules, but this requires some programming and hence
|
|
is not discussed here.
|
|
|
|
There are five steps to defining new schema:
|
|
^ obtain Object Identifer
|
|
+ choose a name prefix
|
|
+ create local schema file
|
|
+ define custom attribute types (if necessary)
|
|
+ define custom object classes
|
|
|
|
H3: Object Identifiers
|
|
|
|
Each schema element is identified by a globally unique
|
|
{{TERM[expand]OID}} (OID). OIDs are also used to identify
|
|
other objects.
|
|
They are commonly found in protocols described by {{TERM:ASN.1}}. In
|
|
particular, they are heavily used by the {{TERM[expand]SNMP}} (SNMP).
|
|
As OIDs are hierarchical, your organization
|
|
can obtain one OID and branch it as needed. For example,
|
|
if your organization were assigned OID {{EX:1.1}}, you could branch
|
|
the tree as follows:
|
|
|
|
!block table; colaligns="LR"; coltags="EX,N"; align=Center; \
|
|
title="Table 6.2: Example OID hierarchy"
|
|
OID Assignment
|
|
1.1 Organization's OID
|
|
1.1.1 SNMP Elements
|
|
1.1.2 LDAP Elements
|
|
1.1.2.1 AttributeTypes
|
|
1.1.2.1.1 myAttribute
|
|
1.1.2.2 ObjectClasses
|
|
1.1.2.2.1 myObjectClass
|
|
!endblock
|
|
|
|
You are, of course, free to design a hierarchy suitable to your
|
|
organizational needs under your organization's OID. No matter
|
|
what hierarchy you choose, you should maintain a registry of
|
|
assignments you make. This can be a simple flat file or a
|
|
something more sophisticated such as the {{OpenLDAP OID Registry}}
|
|
({{URL:http://www.openldap.org/faq/index.cgi?file=197}}).
|
|
|
|
For more information about Object Identifers (and a listing
|
|
service) see {{URL:http://www.alvestrand.no/harald/objectid/}}.
|
|
|
|
.{{Under no circumstances should you use a fictious OID!}}
|
|
|
|
To obtain a fully registered OID at {{no cost}}, apply for
|
|
an OID under {{ORG[expand]IANA}} (IANA) maintained
|
|
{{Private Enterprise}} arch. Any private enterprise (organization)
|
|
may request an OID to be assigned under this arch. Just fill
|
|
out the {{ORG:IANA}} form at {{URL: http://www.iana.org/cgi-bin/enterprise.pl}}
|
|
and your official OID will be sent to you usually within a few days.
|
|
Your base OID will be something like {{EX:1.3.6.1.4.1.X}} were {{EX:X}}
|
|
is an integer.
|
|
|
|
Note: Don't let the "MIB/SNMP" statement on the IANA page confuse you.
|
|
OIDs obtained using this form may be used for any purpose including
|
|
identifying LDAP schema elements.
|
|
|
|
|
|
H3: Name Prefix
|
|
|
|
In addition to assigning a unique object identifier to each schema
|
|
element, you should provide a least one textual name for each
|
|
element. The name should be both descriptive and not likely
|
|
to clash with names of other schema elements. In particular,
|
|
any name you choose should not clash with present or future
|
|
Standard Track names.
|
|
|
|
To reduce (but not eliminate) the potential for name clashes,
|
|
the convention is to prefix names of non-Standard Track with
|
|
a few letters to localize the changes to your organization.
|
|
The smaller the organization, the longer your prefix should
|
|
be.
|
|
|
|
In the examples below, we have choosen a short prefix '{{EX:my}}'
|
|
(to save space). Such a short prefix would only be suitable for
|
|
a very large, global organization. For a small, local organization,
|
|
we recommend something like '{{EX:deFirm}}' (German company) or
|
|
'{{EX:comExample}}' (elements associated with organization associated
|
|
with {{EX:example.com}}).
|
|
|
|
|
|
H3: Local schema file
|
|
|
|
The {{EX:objectclass}} and {{EX:attributeTypes}} configuration file
|
|
directives can be used to define schema rules on entries in the
|
|
directory. It is customary to create a file to contain definitions
|
|
of your custom schema items. We recommend you create a file
|
|
{{F:local.schema}} in {{F:/usr/local/etc/openldap/schema/local.schema}}
|
|
and then include this file in your {{slapd.conf}}(5) file immediately
|
|
after other schema {{EX:include}} directives.
|
|
|
|
> # include schema
|
|
> include /usr/local/etc/openldap/schema/core.schema
|
|
> include /usr/local/etc/openldap/schema/cosine.schema
|
|
> include /usr/local/etc/openldap/schema/inetorgperson.schema
|
|
> # include local schema
|
|
> include /usr/local/etc/openldap/schema/local.schema
|
|
|
|
|
|
H3: Attribute Type Specification
|
|
|
|
The {{attributetype}} directive is used to define a new attribute
|
|
type. The directive uses the same Attribute Type Description
|
|
(as defined in {{REF:RFC2252}}) used by the attributeTypes
|
|
attribute found in the subschema subentry, e.g.:
|
|
|
|
E: attributetype <{{REF:RFC2252}} Attribute Type Description>
|
|
|
|
where Attribute Type Description is defined by the following
|
|
{{TERM:BNF}}:
|
|
|
|
> AttributeTypeDescription = "(" whsp
|
|
> numericoid whsp ; AttributeType identifier
|
|
> [ "NAME" qdescrs ] ; name used in AttributeType
|
|
> [ "DESC" qdstring ] ; description
|
|
> [ "OBSOLETE" whsp ]
|
|
> [ "SUP" woid ] ; derived from this other
|
|
> ; AttributeType
|
|
> [ "EQUALITY" woid ; Matching Rule name
|
|
> [ "ORDERING" woid ; Matching Rule name
|
|
> [ "SUBSTR" woid ] ; Matching Rule name
|
|
> [ "SYNTAX" whsp noidlen whsp ] ; see section 4.3
|
|
> [ "SINGLE-VALUE" whsp ] ; default multi-valued
|
|
> [ "COLLECTIVE" whsp ] ; default not collective
|
|
> [ "NO-USER-MODIFICATION" whsp ]; default user modifiable
|
|
> [ "USAGE" whsp AttributeUsage ]; default userApplications
|
|
> whsp ")"
|
|
>
|
|
> AttributeUsage =
|
|
> "userApplications" /
|
|
> "directoryOperation" /
|
|
> "distributedOperation" / ; DSA-shared
|
|
> "dSAOperation" ; DSA-specific, value depends on server
|
|
>
|
|
|
|
where whsp is a space ('{{EX: }}'), numericoid is a globally unique
|
|
OID in dotted-decimal form (e.g. {{EX:1.2.3}}), qdescrs is one or more
|
|
names, woid is either the name or OID, and noidlen is an optional length
|
|
specifier (e.g {{EX:{10}}}).
|
|
|
|
For example, the attribute types {{EX:name}} and {{EX:cn}} are defined
|
|
in {{F:core.schema}} as:
|
|
|
|
> attributeType ( 2.5.4.41 NAME 'name'
|
|
> EQUALITY caseIgnoreMatch
|
|
> SUBSTR caseIgnoreSubstringsMatch
|
|
> SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{32768} )
|
|
> attributeType ( 2.5.4.3 NAME
|
|
> ( 'cn' $ 'commonName' ) SUP name )
|
|
|
|
Notice that each defines the attribute's OID and descriptive
|
|
names. Each name is an alias for the OID. {{slapd}}(8) returns
|
|
the first listed name when returning results.
|
|
|
|
The first attribute, {{EX:name}}, has a syntax of {{EX:directoryString}}
|
|
(a UTF-8 encoded Unicode string) with a recommend maximun length.
|
|
Note that syntaxes are specified by OID. In addition, the equality
|
|
and substring matching uses case ignore rules. Below are tables
|
|
listing commonly used supported syntax and matching rules.
|
|
|
|
!block table; align=Center; coltags="EX,EX,N"; \
|
|
title="Table 6.3: Supported Syntaxes"
|
|
Name OID Description
|
|
binary 1.3.6.1.4.1.1466.115.121.1.5 BER/DER data
|
|
boolean 1.3.6.1.4.1.1466.115.121.1.7 boolean value
|
|
distinguishedName 1.3.6.1.4.1.1466.115.121.1.12 DN
|
|
directoryString 1.3.6.1.4.1.1466.115.121.1.15 UTF-8 string
|
|
IA5String 1.3.6.1.4.1.1466.115.121.1.26 ASCII string
|
|
Integer 1.3.6.1.4.1.1466.115.121.1.27 integer
|
|
Name and Optional UID 1.3.6.1.4.1.1466.115.121.1.34 DN plus UID
|
|
Numeric String 1.3.6.1.4.1.1466.115.121.1.36 numeric string
|
|
OID 1.3.6.1.4.1.1466.115.121.1.38 object identifier
|
|
Octet String 1.3.6.1.4.1.1466.115.121.1.40 arbitary octets
|
|
Printable String 1.3.6.1.4.1.1466.115.121.1.44 printable string
|
|
!endblock
|
|
|
|
>
|
|
|
|
!block table; align=Center; coltags="EX,N"; \
|
|
title="Table 6.4: Supported Matching Rules"
|
|
Name Type Description
|
|
booleanMatch equality boolean
|
|
objectIdentiferMatch equality OID
|
|
distinguishedNameMatch equality DN
|
|
uniqueMemberMatch equality DN with optional UID
|
|
numericStringMatch equality numerical
|
|
numericStringOrderingMatch ordering numerical
|
|
numericStringSubstringsMatch substrings numerical
|
|
caseIgnoreMatch equality case insensitive, space insensitive
|
|
caseIgnoreOrderingMatch ordering case insensitive, space insensitive
|
|
caseIgnoreSubstringsMatch substrings case insensitive, space insensitive
|
|
caseExactMatch equality case sensitive, space insensitive
|
|
caseExactOrderingMatch ordering case sensitive, space insensitive
|
|
caseExactSubstringsMatch substrings case sensitive, space insensitive
|
|
caseIgnoreIA5Match equality case insensitive, space insensitive
|
|
caseIgnoreIA5OrderingMatch ordering case insensitive, space insensitive
|
|
caseIgnoreIA5SubstringsMatch substrings case insensitive, space insensitive
|
|
caseExactIA5Match equality case sensitive, space insensitive
|
|
caseExactIA5OrderingMatch ordering case sensitive, space insensitive
|
|
caseExactIA5SubstringsMatch substrings case sensitive, space insensitive
|
|
!endblock
|
|
|
|
The second attribute, {{EX:cn}}, is a subtype of {{EX:name}} hence
|
|
it inherits the syntax, matching rules, and usage of {{EX:name}}.
|
|
{{EX:commonName}} is an alternative name.
|
|
|
|
Neither attribute is restricted to a single value and both are
|
|
meant for usage by user applications. You likely won't need to
|
|
specify other parameters such as {{EX:OBSOLETE}}.
|
|
|
|
The following subsections provide a couple of examples.
|
|
|
|
|
|
H4: myUniqueName
|
|
|
|
Many organizations maintain a single unique name for each user.
|
|
Though one could use {{EX:displayName}} ({{REF:RFC2798}}), this
|
|
attribute is really meant to be controlled by the user, not the
|
|
organization. We could just copy the definition of {{EX:displayName}}
|
|
from {{F:inetorgperson.schema}} and replace the OID, name, and
|
|
description, e.g:
|
|
|
|
> attributetype ( 1.1.2.1.1 NAME 'myUniqueName'
|
|
> DESC 'unique name with my organization'
|
|
> EQUALITY caseIgnoreMatch
|
|
> SUBSTR caseIgnoreSubstringsMatch
|
|
> SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
|
|
> SINGLE-VALUE )
|
|
|
|
However, if we want this name to be included in
|
|
{{EX:name}} assertions [e.g. {{EX:(name=*Jane*)}}], the attribute
|
|
could alternatively be defined as a subtype of {{EX:name}}, e.g.:
|
|
|
|
> attributetype ( 1.1.2.1.1 NAME 'myUniqueName'
|
|
> DESC 'unique name with my organization'
|
|
> SUP name )
|
|
|
|
|
|
H4: myPhoto
|
|
|
|
Many organizations maintain a photo of each each user. A
|
|
{{EX:myPhoto}} attribute type could be defined to hold a photo.
|
|
Of course, one could use just use {{EX:jpegPhoto}} ({{REF:RFC2798}})
|
|
(or a subtype) to hold the photo. However, you can only do
|
|
this if the photo is in {{JPEG File Interchange Format}}.
|
|
Alternatively, an attribute type which uses the {{Octet String}}
|
|
syntax can be defined, e.g.:
|
|
|
|
> attributetype ( 1.1.2.1.2 NAME 'myPhoto'
|
|
> DESC 'a photo (application defined format)'
|
|
> SYNTAX 1.3.6.1.4.1.1466.115.121.1.40
|
|
> SINGLE-VALUE )
|
|
|
|
As noted in the description, LDAP has no knowledge of the
|
|
format of the photo. It's assumed that all applications
|
|
accessing this attribute agree on the handling of values.
|
|
|
|
If you wanted to support multiple photo formats, you could define
|
|
a separate attribute type for each format, prefix the photo
|
|
with some typing information, or describe the value using
|
|
{{TERM:ASN.1}} and use the {{EX:;binary}} transfer option.
|
|
|
|
Another alternative is for the attribute to hold a {{TERM:URI}}
|
|
pointing to the photo. You can model such an attribute after
|
|
{{EX:labeledURI}} ({{REF:RFC2079}}).
|
|
|
|
|
|
H3: Object Class Specification
|
|
|
|
The {{objectclasses}} directive is used to define a new object
|
|
class. The directive uses the same Object Class Description
|
|
(as defined in {{REF:RFC2252}}) used by the objectClasses
|
|
attribute found in the subschema subentry, e.g.:
|
|
|
|
E: objectclass <{{REF:RFC2252}} Object Class Description>
|
|
|
|
where Object Class Description is defined by the following
|
|
{{TERM:BNF}}:
|
|
|
|
> ObjectClassDescription = "(" whsp
|
|
> numericoid whsp ; ObjectClass identifier
|
|
> [ "NAME" qdescrs ]
|
|
> [ "DESC" qdstring ]
|
|
> [ "OBSOLETE" whsp ]
|
|
> [ "SUP" oids ] ; Superior ObjectClasses
|
|
> [ ( "ABSTRACT" / "STRUCTURAL" / "AUXILIARY" ) whsp ]
|
|
> ; default structural
|
|
> [ "MUST" oids ] ; AttributeTypes
|
|
> [ "MAY" oids ] ; AttributeTypes
|
|
> whsp ")"
|
|
|
|
where whsp is a space ('{{EX: }}'), numericoid is a globally unique
|
|
OID in numeric form (e.g. {{EX:1.2.3}}), qdescrs is one or more
|
|
names, and oids is one or more names and/or OIDs.
|
|
|
|
|
|
H4: myPhotoObject
|
|
|
|
To define an {{auxiliary}} object class which allows
|
|
myPhoto to be added to any existing entry.
|
|
|
|
> objectclass ( 1.1.2.2.1 NAME 'myPhotoObject'
|
|
> DESC 'mixin myPhoto'
|
|
> AUXILIARY
|
|
> MAY myPhoto )
|
|
|
|
|
|
H4: myPerson
|
|
|
|
If your organization would like have a private {{structural}}
|
|
object class to instantiate users, you can subclass one of
|
|
the existing person classes, such as {{EX:inetOrgPerson}}
|
|
({{REF:RFC2798}}), and add any additional attributes which
|
|
you desire.
|
|
|
|
> objectclass ( 1.1.2.2.2 NAME 'myPerson'
|
|
> DESC 'my person'
|
|
> SUP inetOrgPerson
|
|
> MUST ( 'myUniqueName' $ 'givenName' )
|
|
> MAY 'myPhoto' )
|
|
|
|
The object class inherits the required/allowed attribute
|
|
types of {{EX:inetOrgPerson}} but requires {{EX:myUniqueName}}
|
|
and {{EX:givenName}} and allows {{EX:myPhoto}}.
|
|
|
|
!if 0
|
|
H2: Transferring Schema
|
|
|
|
Since the {{slapd.conf}}(5) schema directives use {{REF:RFC2252}}
|
|
format values, you can extract schema elements published by
|
|
any LDAPv3 server and easily construct directives for use with
|
|
{{slapd}}(8).
|
|
|
|
LDAPv3 servers publish schema elements in special {{subschema}}
|
|
entries (or subentries). {{slapd}}(8) publishes a single subschema
|
|
entry normally named {{EX:cn=Subschema}}. In a server which
|
|
supports a single subschema subentry, the DN of the subschema
|
|
subenty can usually be found by examining the value of the
|
|
{{EX:subschemaSubentry}} attribute type in the {{root DSE}}.
|
|
Other servers may publish multiple subschema entries. These
|
|
can be located by examining the {{EX:subschemaSubentry}} attribute
|
|
contained in the entry at the root of each administrative context.
|
|
|
|
To obtain the schema from a subschema subentry, you can use
|
|
ldapsearch(1) as follows (replace the search base as needed):
|
|
|
|
> ldapsearch -LLL -x -b "cn=Subschema" -s base "(objectclass=subschema)" attributeTypes objectClasses
|
|
|
|
This will return {{TERM:LDIF}} output containing many type/value
|
|
pairs. The following is an abbreviated example:
|
|
|
|
> dn: cn=Subschema
|
|
> attributeTypes: ( 1.1.2.1.1 NAME 'myUniqueName' DESC 'unique name wi
|
|
> th my organization' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubst
|
|
> ringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
|
|
> attributeTypes: ( 1.1.2.1.2 NAME 'myPhoto' DESC 'a photo (applicatio
|
|
> n defined format)' SYNTAX 1.3.6.1.4.1.1466.115.121.1.40
|
|
> objectClasses: ( 1.1.2.2.2 NAME 'myPerson' DESC 'my person' SUP inet
|
|
> OrgPerson MUST ( 'myUniqueName' $ 'givenName' ) MAY 'myPhoto' )
|
|
|
|
Capture the output of the search in a file and then edit the file:
|
|
|
|
+ to contain only desired type/value pairs
|
|
^ join LDIF continuation lines
|
|
^ replace attribute type with directive name
|
|
(e.g. {{EX:s/attributeTypes:/attributeType/}} and
|
|
{{EX:s/objectClasses:/objectClass/}}).
|
|
^ continue long directives over multiple lines
|
|
|
|
For the three type/value pairs in our example, the edit should
|
|
result in a file with contains of:
|
|
|
|
> attributetype ( 1.1.2.1.1 NAME 'myUniqueName'
|
|
> DESC 'unique name with my organization'
|
|
> EQUALITY caseIgnoreMatch
|
|
> SUBSTR caseIgnoreSubstringsMatch
|
|
> SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
|
|
> SINGLE-VALUE )
|
|
> attributeType ( 1.1.2.1.2 NAME 'myPhoto'
|
|
> DESC 'a photo (application defined format)'
|
|
> SYNTAX 1.3.6.1.4.1.1466.115.121.1.40
|
|
> objectClass ( 1.1.2.2.2 NAME 'myPerson'
|
|
> DESC 'my person'
|
|
> SUP inetOrgPerson
|
|
> MUST ( 'myUniqueName' $ 'givenName' )
|
|
> MAY 'myPhoto' )
|
|
|
|
Save in an appropriately named file (e.g. {{F:my.schema}}).
|
|
You may now include this file in your {{slapd.conf}}(8) file.
|
|
!endif
|