YoLinux LDAP Tutorial: OpenLDAP Directory Objects and Attributes

Add new LDAP object and attribute definitions to your OpenLDAP (2.0) directory


OpenLDAP comes with some basic predefined data types which can be used to hold information. If these data "schemas" do not suit your needs then you will be required to extend their definitions to hold the information you require. You will be required to define a new data object and data attributes held by the object. (The object is a holder or container of attributes.)

Extending the OpenLDAP (2.0) Data Schemas requires:

  1. Creating an LDAP Object Definition
  2. Creating an LDAP Attribute Definition
  3. Adding Object and Attribute definitions to the slapd configuration

Related YoLinux Tutorials:

°LDAP server configuration

°LDAP client authentication

°LDAP bind authentication

°Extending LDAP an schema

°LDAP schema for MS/Outlook

°AWebDap: LDAP web interface

°YoLinux Tutorials Index




Free Information Technology Magazines and Document Downloads
TradePub link image


Introduction:

This tutorial refers to OpenLDAP 2.0 on Red Hat Linux 7.1.

The predefined LDAP data types are found in /etc/openldap/schema/

LDAP data definitions require objects and attributes:

  1. Object definitions are collections of LDAP attributes.
  2. Attributes are LDAP data types.
In all cases the objects and attributes are identified by an OID number which uniquely identifies the object and attribute. This tutorial will use the OID's reserved by OpenLDAP.org for "experimantal use". (1.3.6.1.4.1.4203.666.XXX where XXX is any integer number) One should register with the IANA and get their own assignment of OID's for their organization.


1) Object Definition:

LDAP object description is defined in RFC2252.

ObjectClassDescription = "(" whsp
numericoid whsp ; ObjectClass identifier
[ "NAME" qdescrs ]
[ "DESC" qdstring ]
[ "OBSOLETE" whsp ]
[ "SUP" oids ] ; Superior ObjectClasses
[ ( "ABSTRACT" / "STRUCTURAL" / "AUXILIARY" ) whsp ]
; default structural
[ "MUST" oids ] ; AttributeTypes
[ "MAY" oids ] ; AttributeTypes
whsp ")"
  • whsp is a space (' ')
  • numericoid is a globally unique OID in numeric form (e.g. 1.2.3)
  • qdescrs is one or more names
  • oids is one or more names and/or OIDs.

File: /etc/openldap/schema/new-object.schema

objectClass     ( 1.3.6.1.4.1.4203.666.1.100
    NAME 'YoLinuxPerson'
        DESC 'X-Person'
    SUP inetOrgPerson
    STRUCTURAL
        MAY  ( personStatus $ preferredEmail $ mail2 $
               businessName $ xmozillanickname $
               birthdate $ c )
        )

                

Discussion:

The object definition shown inherits the data object as defined by inetOrgPerson and extends the definition with six attributes.

The definition for "c" (country) is defined in /etc/openldap/schema/core.schema.

Notes:

  • If you remove an attribute from the object definition, restart LDAP and then try to update the object, an update failure will occur: "Object Violation". This occured to an attribute which held some data in the deleted attribute.
  • In general I would recommend that you properly create the object you want and then don't change it.


2) Attribute Definition:

LDAP attribute description is also defined in RFC2252.

AttributeTypeDescription = "(" whsp
numericoid whsp ; AttributeType identifier
[ "NAME" qdescrs ] ; name used in AttributeType
[ "DESC" qdstring ] ; description
[ "OBSOLETE" whsp ]
[ "SUP" woid ] ; derived from this other
; AttributeType
[ "EQUALITY" woid ; Matching Rule name
[ "ORDERING" woid ; Matching Rule name
[ "SUBSTR" woid ] ; Matching Rule name
[ "SYNTAX" whsp noidlen whsp ] ; see section 4.3
[ "SINGLE-VALUE" whsp ] ; default multi-valued
[ "COLLECTIVE" whsp ] ; default not collective
[ "NO-USER-MODIFICATION" whsp ]; default user modifiable
[ "USAGE" whsp AttributeUsage ]; default userApplications
whsp ")"

File: /etc/openldap/schema/new-attributes.schema

# New attribute definitions:

attributetype ( 1.3.6.1.4.1.4203.666.1.90
NAME 'personStatus'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1024} )

attributetype ( 1.3.6.1.4.1.4203.666.1.91
NAME 'preferredEmail'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1024} )

attributetype ( 1.3.6.1.4.1.4203.666.1.92
NAME 'mail2'
DESC 'RFC1274: RFC822 Mailbox'
EQUALITY caseIgnoreIA5Match
SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )

attributetype ( 1.3.6.1.4.1.4203.666.1.93
NAME 'businessName'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1024} )

attributetype ( 1.3.6.1.4.1.4203.666.1.94
NAME 'xmozillanickname'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1024} )

attributetype ( 1.3.6.1.4.1.4203.666.1.95 NAME 'birthdate' SUP name )

More Attribute Definition Details:

  • Inheritance of an existing attribute type:
     
    attributetype ( 2.5.4.31 NAME 'member' SUP distinguishedName )
    This example is taken from the core.schema schema file and shows that the newly defined attribute "member" will be of the same defined data type as "distinguishedName".
    See:

  • Assign two attribute names to the same data field:
        attributetype ( 2.5.4.7 NAME ( 'l' 'localityName' ) SUP name )
    This example from the core.schema schema file shows that the attribute name "l" and "localityName" refer to the same attribute.

  • Defining the data type explicitly:
        attributetype ( 2.5.4.15 NAME 'businessCategory'
    EQUALITY caseIgnoreMatch
    SUBSTR caseIgnoreSubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} )
    This example from the core.schema schema file shows that the attribute definition for "businessCategory" allows for search comparisons for records which are equal (EQUALITY) or contains a given substring (SUBSTR). In this case an equality comparison performs a caee insensitive comparison. The substring match is also case insensitive.
    See:

    The data type has also been defined to be of type "Directory String" which is encoded in the UTF-8 form of ISO 10646 (a superset of Unicode) of a maximum length of 128 characters. ( {128} ). The OID 1.3.6.1.4.1.1466.115.121.1.15 represents this data type.
    See list of sytax names and OID's:


3) Adding Object and Attributes to SLAPD configuration:

File: /etc/openldap/slapd.conf

.
..
...
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/new-attributes.schema
include /etc/openldap/schema/new-object.schema
...
..
.
Note: The order is important. The attributes must be read before they can be included in the object definition.


LDIF:

dn: cn=Schemp Anderson,o=family
cn: Schemp Anderson
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: YoLinuxPerson
mail: SAnderson@isp.com
givenname: Schemp
sn: Anderson
ou: MemberGroupB
street: 16 Cherry St.
l: Dallas
st: TX
postalcode: 76888
c: US
pager: 800-555-1319
homePhone: 800-555-1313
mobile: 800-555-1318
birthdate: 10/2/23
mail2: SAnderson@isp.com
preferredEmail: 1
businessName: ABC Inc.
xmozillanickname: The boring new guy

Note that the LDIF file contains data attributes associated with the "inetOrgPerson" object and "YoLinux" object extentions. This is commonly referred to as object inheritance.


Links:


LDAP Book ListBooks:

Understanding And Deploying LDAP Directory Services "Understanding And Deploying LDAP Directory Services",
by Timothy A. Howes,Phd, Mark C. Smith and Gordon S. Good,
ISBN 0672323168, Addison-Wesley Pub Co

Second edition. It is general in nature but complete in that it covers all concepts in depth. It is a good book for those wanting to understand everything about LDAP, schema development and its' capabilities.

Amazon.com
Understanding And Deploying LDAP Directory Services "Understanding And Deploying LDAP Directory Services",
by Timothy A. Howes,Phd, Mark C. Smith and Gordon S. Good,
ISBN 1-57870-070-1, MacMillan Technical Publishing

First edition out of print. (Used only) See second edition above. This is the largest LDAP book I own. It is general in nature but complete in that it covers all concepts in depth. It is NOT a good programmers reference but it is good for those wanting to understand everything about LDAP, schema development and its' capabilities. Netscape centric.

Amazon.com
Programming Directory-Enabled Applications with Lightweight Directory Access Protocol "Programming Directory-Enabled Applications with Lightweight Directory Access Protocol"
by Timothy A. Howes,Phd and Mark C. Smith
ISBN 1-57870-000-0, MacMillan Technical Publishing

Excellent programmers reference for those using the LDAP C language API. Also covers search filters and LDAP URL's. The OpenLDAP source code is so poorly commented that I found this book often was the only source for an explanation of what was happening in the code.

Amazon.com
Implementing LDAP "Implementing LDAP",
Mark Wilcok
ISBN 1-861002-21-1, WROK Press

This book covers all aspects of LDAP from LDIF to the LDAP SDK in C, PERL and JAVA. It has a strong Netscape Directory server bias.

Amazon.com
LDAP System Administration "LDAP System Administration",
Gerald Carter
ISBN 1565924916, O'Reilly & Associates

This book covers the use of OpenLDAP and the integration of services.

Amazon.com
LDAP Programming, Management and Integration "LDAP Programming, Management and Integration",
Clayton Donley
ISBN 1930110405, Manning Publications; 1st edition

This book covers LDAP administration as well as introductory information. It covers the directory services markup language (DSML), PERL LDAP module as well as JAVA JNDI.

Amazon.com
"Understanding LDAP - Design and Implementation" - IBM-Redbooks
Heinz Johner, Larry Brown, Franz-Stefan Hinner, Wolfgang Reis, Johan Westman
IBM Redbook #SG24-4986-00

A reference to ldap, available as PDF as well. This book has a bias towards IBM's E-network LDAP Directory server. Tight, terse, but covers everything.

IBM Redbook #SG24-6193-00 "LDAP Implementation and Practical Use"
IBM Redbook #SG24-6193-00

   

    Bookmark and Share


Advertisements





 


Return to YoLinux LDAP Tutorial
Copyright © 2001, 2002 by Greg Ippolito