This tutorial refers to OpenLDAP 2.0 on Red Hat Linux 7.1.
The predefined LDAP data types are found in /etc/openldap/schema/.
LDAP data definitions require objects and attributes:
- Object definitions (object classes) are collections of LDAP attributes.
- Attributes are LDAP data types.
In all cases the objects and attributes are identified by an OID number which
uniquely identifies that object or attribute. This tutorial uses the
OID arc reserved by OpenLDAP.org for "experimental use"
(1.3.6.1.4.1.4203.666.XXX where XXX is any integer).
Anyone may define schema under that arc, so two sites can assign the same
experimental OID to different things; for anything beyond a test
directory, register with the IANA for a Private Enterprise Number and
derive your organization's OIDs from it (1.3.6.1.4.1.<your number>.XXX).
The LDAP object class description grammar is defined in RFC 2252:

ObjectClassDescription = "(" whsp
    numericoid whsp      ; ObjectClass identifier
    [ "NAME" qdescrs ]
    [ "DESC" qdstring ]
    [ "OBSOLETE" whsp ]
    [ "SUP" oids ]       ; Superior ObjectClasses
    [ ( "ABSTRACT" / "STRUCTURAL" / "AUXILIARY" ) whsp ]
                         ; default structural
    [ "MUST" oids ]      ; AttributeTypes
    [ "MAY" oids ]       ; AttributeTypes
    whsp ")"

- whsp is a space (' ')
- numericoid is a globally unique OID in numeric form (e.g. 1.2.3)
- qdescrs is one or more quoted names
- oids is one or more names and/or OIDs; a list is written in parentheses, separated by '$'
File: /etc/openldap/schema/new-object.schema

objectClass ( 1.3.6.1.4.1.4203.666.1.100
NAME 'YoLinuxPerson'
DESC 'X-Person'
SUP inetOrgPerson
STRUCTURAL
MAY ( personStatus $ preferredEmail $ mail2 $
businessName $ xmozillanickname $
birthdate $ c )
)

Discussion:
The object class shown inherits the definition of inetOrgPerson (and, through
its superiors, organizationalPerson, person and top) and extends it with
seven optional (MAY) attributes: the six new attribute types defined in
new-attributes.schema below, plus "c" (country), which is already defined in
/etc/openldap/schema/core.schema.
Notes:
- If you remove an attribute from the object class definition, restart slapd
and then try to update an entry that still holds a value in that attribute,
the update fails with an "Object class violation" error: slapd checks the
whole entry against its object classes on every modify, and the stored
value is no longer allowed by any of them. To drop an attribute cleanly,
delete its values from every entry first, then remove it from the schema.
- In general, design the object class you want up front and then don't
change it.
- Access rules in slapd.conf apply to the new attribute names like any
other; an attribute such as birthdate that carries personal data should be
covered by an explicit access directive rather than left to the default.
The LDAP attribute type description grammar is also defined in RFC 2252:

AttributeTypeDescription = "(" whsp
    numericoid whsp                ; AttributeType identifier
    [ "NAME" qdescrs ]             ; name used in AttributeType
    [ "DESC" qdstring ]            ; description
    [ "OBSOLETE" whsp ]
    [ "SUP" woid ]                 ; derived from this other AttributeType
    [ "EQUALITY" woid ]            ; Matching Rule name
    [ "ORDERING" woid ]            ; Matching Rule name
    [ "SUBSTR" woid ]              ; Matching Rule name
    [ "SYNTAX" whsp noidlen whsp ] ; see section 4.3
    [ "SINGLE-VALUE" whsp ]        ; default multi-valued
    [ "COLLECTIVE" whsp ]          ; default not collective
    [ "NO-USER-MODIFICATION" whsp ]; default user modifiable
    [ "USAGE" whsp AttributeUsage ]; default userApplications
    whsp ")"
File: /etc/openldap/schema/new-attributes.schema

# New attribute definitions:
attributetype ( 1.3.6.1.4.1.4203.666.1.90 NAME 'personStatus' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1024} )
attributetype ( 1.3.6.1.4.1.4203.666.1.91 NAME 'preferredEmail' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1024} )
attributetype ( 1.3.6.1.4.1.4203.666.1.92 NAME 'mail2' DESC 'RFC1274: RFC822 Mailbox' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )
attributetype ( 1.3.6.1.4.1.4203.666.1.93 NAME 'businessName' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1024} )
attributetype ( 1.3.6.1.4.1.4203.666.1.94 NAME 'xmozillanickname' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1024} )
attributetype ( 1.3.6.1.4.1.4203.666.1.95 NAME 'birthdate' SUP name )

More Attribute Definition Details:
- Inheritance of an existing attribute type:
attributetype ( 2.5.4.31 NAME 'member' SUP distinguishedName )
This example is taken from the core.schema schema file and
shows that the attribute "member" takes its syntax and matching
rules from "distinguishedName". The 'birthdate' attribute above is
defined the same way: SUP name gives it the Directory String syntax
and case-insensitive matching rules of "name".
- Assign two attribute names to the same data field:
attributetype ( 2.5.4.7 NAME ( 'l' 'localityName' ) SUP name )
This example from the core.schema schema file shows that
the attribute names "l" and "localityName" refer to the same attribute.
- Defining the data type explicitly:
attributetype ( 2.5.4.15 NAME 'businessCategory' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} )
This example from the core.schema schema file shows that the
attribute definition for "businessCategory" allows search
comparisons for records which are equal (EQUALITY) or contain a given
substring (SUBSTR). Both the equality and the substring comparison
are case insensitive. An attribute defined without an EQUALITY rule
cannot be matched by an equality filter at all, so choose the matching
rules with the intended searches in mind.
The data type has also been defined to be of type "Directory String",
which is encoded in the UTF-8 form of ISO 10646 (a superset of Unicode),
with a suggested upper bound of 128 characters ( {128} ). RFC 2252 defines
that number as a "suggested minimum upper bound" on the length of a value;
it is advisory, so do not rely on it to limit what a client can store.
The OID 1.3.6.1.4.1.1466.115.121.1.15 represents this data type.
See the list of syntax names and OIDs in RFC 2252 section 4.3.2.
3) Adding Object and Attributes to SLAPD configuration:
File: /etc/openldap/slapd.conf

...
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/new-attributes.schema
include /etc/openldap/schema/new-object.schema
...

Note: The order is important. slapd reads the schema files in the order they
are included and every name a definition refers to must already be known:
inetorgperson.schema depends on core.schema and cosine.schema, the MAY list
in new-object.schema depends on new-attributes.schema, and 'birthdate'
(SUP name) depends on core.schema. If new-object.schema is included before
new-attributes.schema, slapd rejects the object class as referring to an
undefined attribute and does not start. slapd.conf is only read at start-up,
so restart slapd after changing it or any included schema file.

An LDIF entry using the new object class:

dn: cn=Schemp Anderson,o=family
cn: Schemp Anderson
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: YoLinuxPerson
mail: SAnderson@isp.com
givenname: Schemp
sn: Anderson
ou: MemberGroupB
street: 16 Cherry St.
l: Dallas
st: TX
postalcode: 76888
c: US
pager: 800-555-1319
homePhone: 800-555-1313
mobile: 800-555-1318
birthdate: 10/2/23
mail2: SAnderson@isp.com
preferredEmail: 1
businessName: ABC Inc.
xmozillanickname: The boring new guy

Note that the LDIF entry mixes attributes defined for the "inetOrgPerson"
object class (and its superiors) with those added by the "YoLinuxPerson"
extension; the entry is valid because YoLinuxPerson inherits from
inetOrgPerson. This is commonly referred to as object inheritance.
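The checks this page describes in prose (slapd's include-order requirement, an object class referring only to attributes already defined, and the "object class violation" on an entry that still carries an attribute removed from the schema) can be run offline before restarting slapd. The following is an added Python example, not part of the original tutorial and not OpenLDAP code. It embeds a constructed stand-in for the built-in schema (BUILTIN_ATTRS, BUILTIN_CLASSES), three of the six attribute definitions and the objectClass from this page, and a cut-down copy of the LDIF entry above; the function names load_schema, parse_ldif_entry and check_entry are the example's own, and the parser covers only the RFC 2252 subset used in these schema files.

```python
"""Added example, not OpenLDAP or YoLinux code: a checker for the RFC 2252
attributetype/objectClass definitions on this page.  It mimics slapd reading
slapd.conf (schema files in include order, so a definition may only refer to
names already defined) and slapd's objectClassViolation check on an entry.
LDAP names are case-insensitive, so every name is folded to lower case."""
import re

# Constructed stand-in for what core/cosine/inetorgperson.schema really define.
BUILTIN_ATTRS = {"objectclass", "cn", "sn", "name", "mail", "givenname", "l", "st",
                 "postalcode", "c", "homephone", "distinguishedname"}
BUILTIN_CLASSES = {
    "top": {"sup": None, "must": {"objectclass"}, "may": set()},
    "person": {"sup": "top", "must": {"sn", "cn"}, "may": set()},
    "organizationalperson": {"sup": "person", "must": set(), "may": {"l", "st", "postalcode"}},
    "inetorgperson": {"sup": "organizationalperson", "must": set(), "may": {"mail", "givenname", "homephone"}},
}
# Three of the page's six attribute definitions, its objectClass, and a cut-down LDIF entry.
NEW_ATTRIBUTES = """
attributetype ( 1.3.6.1.4.1.4203.666.1.90 NAME 'personStatus' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1024} )
attributetype ( 1.3.6.1.4.1.4203.666.1.92 NAME 'mail2' DESC 'RFC1274: RFC822 Mailbox' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )
attributetype ( 1.3.6.1.4.1.4203.666.1.95 NAME 'birthdate' SUP name )
"""
NEW_OBJECT = """
objectClass ( 1.3.6.1.4.1.4203.666.1.100 NAME 'YoLinuxPerson' DESC 'X-Person' SUP inetOrgPerson STRUCTURAL
    MAY ( personStatus $ mail2 $ birthdate $ c ) )
"""
ENTRY = """
dn: cn=Schemp Anderson,o=family
objectClass: inetOrgPerson
objectClass: YoLinuxPerson
cn: Schemp Anderson
sn: Anderson
birthdate: 10/2/23
mail2: SAnderson@isp.com
"""
DEF_RE = re.compile(r"^\s*(attributetype|objectclass)\s*\(", re.I | re.M)

def _definitions(text):
    """Yield (kind, body) per definition; parentheses are matched by depth so a
    MAY ( ... ) list inside the body does not end it early."""
    for m in DEF_RE.finditer(text):
        depth, i = 1, m.end()
        while depth:
            depth += {"(": 1, ")": -1}.get(text[i], 0)
            i += 1
        yield m.group(1).lower(), " ".join(text[m.end():i - 1].split())

def _names(body):
    """NAME 'x' or NAME ( 'x' 'y' ); falls back to the OID when NAME is absent."""
    m = re.search(r"\bNAME\s+(?:'[^']+'|\((?:\s*'[^']+')+\s*\))", body)
    return [n.lower() for n in re.findall(r"'([^']+)'", m.group(0))] if m else [body.split()[0]]

def _oid_list(body, keyword):
    """MUST/MAY operand: a bare name or a '$'-separated list in parentheses."""
    m = re.search(r"\b%s\s+(?:\(([^)]*)\)|(\S+))" % keyword, body)
    raw = (m.group(1) or m.group(2)) if m else ""
    return {n.strip().lower() for n in raw.split("$") if n.strip()}

def load_schema(*schema_texts):
    """Process schema texts in slapd.conf include order -> (attrs, classes, errors).
    attrs maps name -> OID (None for built-ins); errors are what slapd would reject."""
    attrs = dict.fromkeys(BUILTIN_ATTRS)
    classes, owner, errors = dict(BUILTIN_CLASSES), {}, []
    for text in schema_texts:
        for kind, body in _definitions(text):
            oid, names = body.split()[0], _names(body)
            if oid in owner:
                errors.append("%s: OID %s already used by %s" % (names[0], oid, owner[oid]))
            owner.setdefault(oid, names[0])
            m = re.search(r"\bSUP\s+(\S+)", body)
            sup = m.group(1).lower() if m else None
            pool = attrs if kind == "attributetype" else classes  # SUP must already exist
            if sup and sup not in pool:
                errors.append("%s: SUP %s not yet defined" % (names[0], sup))
            if kind == "attributetype":
                attrs.update(dict.fromkeys(names, oid))
            else:
                spec = {"sup": sup, "must": _oid_list(body, "MUST"), "may": _oid_list(body, "MAY")}
                for a in sorted((spec["must"] | spec["may"]) - set(attrs)):
                    errors.append("%s: attribute %s not yet defined (check include order)" % (names[0], a))
                classes.update(dict.fromkeys(names, spec))
    return attrs, classes, errors

def parse_ldif_entry(text):
    """Minimal LDIF reader: one 'attr: value' per line, no folding or base64."""
    entry = {}
    for line in text.strip().splitlines():
        name, _, value = line.partition(":")
        entry.setdefault(name.strip().lower(), []).append(value.strip())
    return entry

def check_entry(classes, entry):
    """Violations slapd reports as objectClassViolation: attributes that no listed
    class (or its SUP chain) allows, and MUST attributes that are missing."""
    must, may = set(), set()
    for name in map(str.lower, entry.get("objectclass", [])):
        while name:
            if name not in classes:
                return ["unknown objectClass '%s'" % name]
            must, may = must | classes[name]["must"], may | classes[name]["may"]
            name = classes[name]["sup"]
    present = set(entry) - {"dn"}
    return (["attribute '%s' not allowed" % a for a in sorted(present - must - may)]
            + ["required attribute '%s' missing" % a for a in sorted(must - present)])
```

Calling load_schema(NEW_ATTRIBUTES, NEW_OBJECT) returns no errors and check_entry accepts the entry; loading the two texts in the reverse order reports the three MAY attributes as not yet defined, and loading an objectClass with birthdate removed from MAY makes check_entry report the stored birthdate value as not allowed, which is the failure described in the Discussion above. On the live server the definitions slapd actually loaded can be read back from the subschema subentry with ldapsearch -x -s base -b cn=Subschema objectClasses attributeTypes, which is the quickest way to confirm that YoLinuxPerson is present after a restart.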
Books:

"Understanding And Deploying LDAP Directory Services",
by Timothy A. Howes, PhD, Mark C. Smith and Gordon S. Good,
ISBN 0672323168, Addison-Wesley Pub Co
Second edition. It is general in nature but complete
in that it covers all concepts in depth.
It is a good book for those wanting to understand everything
about LDAP, schema development and its capabilities.

"Understanding And Deploying LDAP Directory Services",
by Timothy A. Howes, PhD, Mark C. Smith and Gordon S. Good,
ISBN 1-57870-070-1, MacMillan Technical Publishing
First edition, out of print (used only). See the second
edition above. This is the largest LDAP book I own. It is general in
nature but complete in that it covers all concepts in depth. It is NOT
a good programmer's reference but it is good for those wanting to
understand everything about LDAP, schema development and its
capabilities. Netscape centric.

"Programming Directory-Enabled Applications with Lightweight Directory
Access Protocol"
by Timothy A. Howes, PhD and Mark C. Smith
ISBN 1-57870-000-0, MacMillan Technical Publishing
Excellent programmer's reference for those using the LDAP C language API.
Also covers search filters and LDAP URLs.
The OpenLDAP source code is so poorly commented that I found this book
often was the only source for an explanation of what was happening in the
code.

"Implementing LDAP",
Mark Wilcox
ISBN 1-861002-21-1, Wrox Press
This book covers all aspects of LDAP from LDIF to the LDAP SDK
in C, Perl and Java. It has a strong Netscape Directory server bias.

"LDAP System Administration",
Gerald Carter
ISBN 1565924916, O'Reilly & Associates
This book covers the use of OpenLDAP and the integration of services.

"LDAP Programming, Management and Integration",
Clayton Donley
ISBN 1930110405, Manning Publications; 1st edition
This book covers LDAP administration as well as introductory information.
It covers the Directory Services Markup Language (DSML), the Perl LDAP module as
well as Java JNDI.

"Understanding LDAP" - IBM Redbooks
Heinz Johner, Larry Brown, Franz-Stefan Hinner, Wolfgang Reis, Johan Westman
IBM Redbook #SG24-4986-00
A reference to LDAP, available as PDF as well. This book has a bias towards
IBM's eNetwork LDAP Directory server. Tight, terse, but covers everything.

"LDAP Implementation Cookbook"
IBM Redbook #SG24-5110-00