YoLinux LDAP Tutorial: OpenLDAP Directory Objects and Attributes

Introduction:

This tutorial refers to OpenLDAP 2.0 on Red Hat Linux 7.1.

The predefined LDAP data types (schema files) are found in /etc/openldap/schema/.

LDAP data definitions require objects and attributes:

  1. Object definitions are collections of LDAP attributes.
  2. Attributes are LDAP data types.

In all cases, objects and attributes are identified by an OID number which uniquely identifies that object or attribute. This tutorial uses the OIDs reserved by OpenLDAP.org for “experimental use” (1.3.6.1.4.1.4203.666.XXX, where XXX is any integer). One should register with the IANA and get their own assignment of OIDs for their organization, so that the OIDs used in production schema cannot collide with anyone else's.


1) Object Definition:

The LDAP object class description syntax is defined in RFC 2252:

ObjectClassDescription = "(" whsp
    numericoid whsp             ; ObjectClass identifier
    [ "NAME" qdescrs ]
    [ "DESC" qdstring ]
    [ "OBSOLETE" whsp ]
    [ "SUP" oids ]              ; Superior ObjectClasses
    [ ( "ABSTRACT" / "STRUCTURAL" / "AUXILIARY" ) whsp ]
                                ; default structural
    [ "MUST" oids ]             ; AttributeTypes
    [ "MAY" oids ]              ; AttributeTypes
whsp ")"
  • whsp is a space (' ')
  • numericoid is a globally unique OID in numeric form (e.g. 1.2.3)
  • qdescrs is one or more names
  • oids is one or more names and/or OIDs

File: /etc/openldap/schema/new-object.schema

objectClass ( 1.3.6.1.4.1.4203.666.1.100
        NAME 'YoLinuxPerson'
        DESC 'X-Person'
        SUP inetOrgPerson
        STRUCTURAL
        MAY ( personStatus $ preferredEmail $ mail2 $
              businessName $ xmozillanickname $
              birthdate $ c )
        )

Discussion:

The object definition shown inherits the data object as defined by inetOrgPerson and extends it with six new attributes (defined below in new-attributes.schema) plus “c” (country), which is already defined in /etc/openldap/schema/core.schema.

Notes:

  • If you remove an attribute from the object definition, restart LDAP and then try to update an entry of that object, the update fails with an “Object Violation” (object class violation) error. This occurred with an attribute that still held data in existing entries when it was removed from the definition.
  • In general I would recommend that you properly create the object you want and then don’t change it.

2) Attribute Definition:

The LDAP attribute type description syntax is also defined in RFC 2252:

AttributeTypeDescription = "(" whsp
      numericoid whsp              ; AttributeType identifier
    [ "NAME" qdescrs ]             ; name used in AttributeType
    [ "DESC" qdstring ]            ; description
    [ "OBSOLETE" whsp ]
    [ "SUP" woid ]                 ; derived from this other
                                   ; AttributeType
    [ "EQUALITY" woid ]            ; Matching Rule name
    [ "ORDERING" woid ]            ; Matching Rule name
    [ "SUBSTR" woid ]              ; Matching Rule name
    [ "SYNTAX" whsp noidlen whsp ] ; see RFC 2252 section 4.3
    [ "SINGLE-VALUE" whsp ]        ; default multi-valued
    [ "COLLECTIVE" whsp ]          ; default not collective
    [ "NO-USER-MODIFICATION" whsp ]; default user modifiable
    [ "USAGE" whsp AttributeUsage ]; default userApplications
    whsp ")"

File: /etc/openldap/schema/new-attributes.schema

# New attribute definitions:

attributetype ( 1.3.6.1.4.1.4203.666.1.90
        NAME 'personStatus'
        EQUALITY caseIgnoreMatch
        SUBSTR caseIgnoreSubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1024} )

attributetype ( 1.3.6.1.4.1.4203.666.1.91
        NAME 'preferredEmail'
        EQUALITY caseIgnoreMatch
        SUBSTR caseIgnoreSubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1024} )

attributetype ( 1.3.6.1.4.1.4203.666.1.92
        NAME 'mail2'
        DESC 'RFC1274: RFC822 Mailbox'
        EQUALITY caseIgnoreIA5Match
        SUBSTR caseIgnoreIA5SubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )

attributetype ( 1.3.6.1.4.1.4203.666.1.93
        NAME 'businessName'
        EQUALITY caseIgnoreMatch
        SUBSTR caseIgnoreSubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1024} )

attributetype ( 1.3.6.1.4.1.4203.666.1.94
        NAME 'xmozillanickname'
        EQUALITY caseIgnoreMatch
        SUBSTR caseIgnoreSubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1024} )

attributetype ( 1.3.6.1.4.1.4203.666.1.95 NAME 'birthdate' SUP name )

More Attribute Definition Details:

  • Inheritance of an existing attribute type:
        attributetype ( 2.5.4.31 NAME 'member' SUP distinguishedName )

    This example is taken from the core.schema schema file and shows that the newly defined attribute “member” has the same data type (syntax and matching rules) as “distinguishedName”, from which it inherits.

  • Assign two attribute names to the same data field:
        attributetype ( 2.5.4.7 NAME ( 'l' 'localityName' ) SUP name )

    This example from the core.schema schema file shows that the attribute names “l” and “localityName” refer to the same attribute.

  • Defining the data type explicitly:
        attributetype ( 2.5.4.15 NAME 'businessCategory'
                EQUALITY caseIgnoreMatch
                SUBSTR caseIgnoreSubstringsMatch
                SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} )

    This example from the core.schema schema file shows that the attribute definition for “businessCategory” allows search comparisons for records which are equal (EQUALITY) to or contain a given substring (SUBSTR) of the search value. In this case the equality comparison is case insensitive, and the substring match is also case insensitive.

    The data type has also been defined to be of type “Directory String”, which is encoded in the UTF-8 form of ISO 10646 (a superset of Unicode), with a maximum length of 128 characters ({128}). The OID 1.3.6.1.4.1.1466.115.121.1.15 represents this data type.

3) Adding Object and Attributes to SLAPD configuration:

File: /etc/openldap/slapd.conf

.
..
...
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/new-attributes.schema
include         /etc/openldap/schema/new-object.schema
...
..
.

Note: The order is important. An attribute type must have been read before any object class that lists it under MUST or MAY, so new-attributes.schema is included before new-object.schema (and both after core.schema, cosine.schema and inetorgperson.schema, which define inetOrgPerson and “c”).

LDIF:

dn: cn=Schemp Anderson,o=family
cn: Schemp Anderson
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: YoLinuxPerson
mail: SAnderson@isp.com
givenname: Schemp
sn: Anderson
ou: MemberGroupB
street: 16 Cherry St.
l: Dallas
st: TX
postalcode: 76888
c: US
pager: 800-555-1319
homePhone: 800-555-1313
mobile: 800-555-1318
birthdate: 10/2/23
mail2: SAnderson@isp.com
preferredEmail: 1
businessName: ABC Inc.
xmozillanickname: The boring new guy

Note that the LDIF entry contains attributes associated with the “inetOrgPerson” object class as well as the “YoLinuxPerson” extension. This is commonly referred to as object inheritance.
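
The following is an added example, not part of this tutorial or of OpenLDAP itself. It implements the two rules stated above as a small Python checker: the slapd.conf include-order rule (an objectClass must not reference an attribute type that has not been read yet) and the “Object Violation” case (an LDIF entry carrying an attribute that none of its object classes, through their SUP chain, permit). SCHEMA is a constructed, cut-down stand-in for core.schema and the new schema files; personStatus is deliberately left undefined so the ordering problem shows up.

```python
# Added example (not the tutorial's): check schema include order and LDIF entries.
import re

def definitions(text):
    # One chunk per definition, in file order; body is the text inside the outer ( ).
    for chunk in re.split(r"(?im)^(?=(?:attributetype|objectclass)\b)", text):
        if chunk.strip():
            yield chunk.split()[0].lower(), chunk[chunk.find("(") + 1:chunk.rfind(")")]

def oid_list(body, key):
    # Value of a SUP/MUST/MAY clause: a bare name or a ( a $ b $ c ) list.
    m = re.search(r"\b%s\s+(?:\(([^)]*)\)|(\S+))" % key, body)
    return [t.strip() for t in (m.group(1) or m.group(2) or "").split("$") if t.strip()] if m else []

def check_schema(text):
    # Returns (classes, problems): problems are (objectClass, attribute) pairs where the
    # attribute was referenced in MUST/MAY before its attributetype had been read.
    attrs, classes, problems = set(), {}, []
    for kind, body in definitions(text):
        names = re.findall(r"'([^']*)'", re.search(r"NAME\s+(?:'[^']*'|\([^)]*\))", body).group())
        if kind == "attributetype":
            attrs.update(n.lower() for n in names)
            continue
        spec = {k: oid_list(body, k.upper()) for k in ("sup", "must", "may")}
        problems += [(names[0], a) for a in spec["must"] + spec["may"] if a.lower() not in attrs]
        classes[names[0].lower()] = spec
    return classes, problems

def allowed(classes, oc):
    # MUST/MAY of oc plus everything inherited through its SUP chain.
    c = classes.get(oc.lower(), {"sup": [], "must": [], "may": []})
    return {a.lower() for a in c["must"] + c["may"]}.union(*(allowed(classes, s) for s in c["sup"]))

def check_entry(classes, ldif):
    # Attribute names in the entry that none of its objectClasses permit (object class violation).
    entry = [l.split(":", 1) for l in ldif.strip().splitlines() if ":" in l]
    ocs = [v.strip() for k, v in entry if k.lower() == "objectclass"]
    ok = {"dn", "objectclass"}.union(*(allowed(classes, oc) for oc in ocs))
    return sorted({k.lower() for k, _ in entry if k.lower() not in ok})

SCHEMA = """attributetype ( 2.5.4.41 NAME 'name' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{32768} )
attributetype ( 2.5.4.3 NAME ( 'cn' 'commonName' ) SUP name )
attributetype ( 2.5.4.4 NAME ( 'sn' 'surname' ) SUP name )
attributetype ( 1.3.6.1.4.1.4203.666.1.92 NAME 'mail2' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )
objectClass ( 2.5.6.6 NAME 'person' STRUCTURAL MUST ( sn $ cn ) )
objectClass ( 1.3.6.1.4.1.4203.666.1.100 NAME 'YoLinuxPerson' SUP person STRUCTURAL
    MAY ( mail2 $ personStatus ) )
"""                 # constructed stand-in for core/inetorgperson; personStatus is never defined
ENTRY = ("dn: cn=Schemp Anderson,o=family\nobjectClass: person\nobjectClass: YoLinuxPerson\n"
         "cn: Schemp Anderson\nsn: Anderson\nmail2: SAnderson@isp.com\nbusinessName: ABC Inc.\n")
```

Running check_schema(SCHEMA) reports ('YoLinuxPerson', 'personStatus') as an ordering problem, and check_entry() on ENTRY reports businessname as the attribute slapd would reject.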
