Chapter 3 - Using LDAP Configuration Manager to Manage LDAP Schema
In this chapter, we shift our focus from configuring an LDAP for StreetTalk service to managing the LDAP for StreetTalk service's schema. We discuss adding, modifying, and deleting the LDAP entries that comprise the schema for the service.
For many uses, installing and configuring LDAP for StreetTalk as discussed in Chapter 2, provides the functions needed to use LDAP for StreetTalk. LDAP-enabled applications, such as Microsoft Outlook or Netscape Messenger, can use the default configuration and directory schema to provide address book operations. Many LDAP applications do not require changes to LDAP for StreetTalk, so you will not need to use LDAP Configuration Manager to manage the service as described in this chapter. If you are using an LDAP application that requires you to make changes or extensions to the default LDAP for StreetTalk schema, use the procedures in this chapter to make the necessary modifications.
This chapter describes how to use LDAP Configuration Manager to manage directory schema. You manage directory schema by adding and deleting:
Attribute type definitions
Object classes
Matching rules
Matching rule uses
Syntax
The directory schema is the collection of attribute type definitions, object class definitions, and other information. The LDAP for StreetTalk server uses this information to match a filter or attribute value provided by a client request against the attribute of an LDAP entry. Items in the LDAP directory information tree are created according to the object class definitions template specified by the LDAP schema.
Note
Managing LDAP schema may involve adding and modifying LDAP object class definitions. The details and syntax of LDAP schema are defined in RFC 2251 Lightweight Directory Access Protocol (v3) and in RFC 2252 Lightweight Directory Access Protocol (v3): Attribute Syntax Definitions.
For further discussion of LDAP, StreetTalk, and directories in general, refer to Appendix B, Directory Concepts, in this guide.
Object Identification Numbers
LDAP uses Object Identification Numbers (OIDs) to identify object classes, attributes, attribute syntax, and matching rules in the LDAP schema. To maintain compatibility with other LDAP directories, use OIDs provided by the Internet Assigned Numbers Authority (IANA) when you create new object classes. Contact IANA at www.iana.org or via electronic mail at iana@iana.org to receive a base OID for your organization. For example, IANA assigned to Banyan OID number 1.3.6.1.4.1.130. All StreetTalk schema objects in LDAP start with Banyan OID number 1.3.6.1.4.1.130.2, where the rightmost digit, 2, determines that the OID represents an LDAP schema object.
Using Online Help
Use the online help system for additional guidance while you are using LDAP Configuration Manager. Each button or field in LDAP Configuration manager has help associated with it. To get help for a button or field, place your cursor over the button or field and press F1, or right-click the button or field and select What's This from the context menu. For general help on using LDAP Configuration Manager, select Help from the menu bar, then select Help Topics.
Overview of LDAP Entries
Entries in an LDAP database consist of attributes, and each attribute has a type (structural, abstract, or auxiliary) and one or more values. Associated with each attribute type is an attribute syntax that determines the format of the information recorded in the attribute as well as how the attribute's values respond during LDAP operations. While the attribute syntax governs the value in an attribute, LDAP matching rules set the pattern for matching search values against an attribute value by assigning the kind of match that is used by the attribute. For example, the attribute mail uses matching rule caseIgnoreIA5SubstringsMatch, meaning:
Character case is ignored during comparisons (caseIgnore)
Values of the mail attribute must be character strings (IA5String)
Matches can be made to portions of the attribute value string (substring matching)
Matching rule caseIgnoreIA5SubstringsMatch applies to attributes with syntax IA5String.
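The following added example (not part of the original manual, and not LDAP for StreetTalk code) shows what the equality, ordering and substring matching rules named in this chapter actually do when a search filter is evaluated. It implements caseIgnoreMatch, integerMatch, an integer ordering rule, telephoneNumberMatch and caseIgnoreIA5SubstringsMatch, maps each to attributes the way a matching rule use does, and runs simple filters such as cn=Joh* and cn=*Adams over three constructed entries. The entries, the rule-to-attribute mapping and the filter syntax subset are assumptions made for the example; the IA5 check shows what happens when a non-7-bit value meets an IA5String rule.

```python
import re
from typing import Callable

# --- Matching rules, named as in RFC 2252 -------------------------------------
IA5_RE = re.compile(r"^[\x00-\x7F]*$")          # IA5String holds 7-bit characters only


def _prep(s: str) -> str:
    """caseIgnore preparation: fold letter case and collapse insignificant spaces."""
    return " ".join(s.split()).casefold()


def case_ignore_match(value: str, assertion: str) -> bool:
    return _prep(value) == _prep(assertion)


def integer_match(value: str, assertion: str) -> bool:
    return int(value) == int(assertion)


def integer_ordering_match(value: str, assertion: str) -> int:
    """Ordering rule as a three-way compare: negative, zero or positive."""
    v, a = int(value), int(assertion)
    return (v > a) - (v < a)


def telephone_number_match(value: str, assertion: str) -> bool:
    """Spaces and hyphens are not significant in telephone numbers."""
    strip = lambda s: re.sub(r"[\s-]", "", s)
    return strip(value) == strip(assertion)


def _substrings(value: str, pattern: str) -> bool:
    """'*' in the assertion matches any run of characters, e.g. Joh* or *Adams."""
    parts = [re.escape(p) for p in _prep(pattern).split("*")]
    return re.fullmatch(".*".join(parts), _prep(value)) is not None


def case_ignore_substrings_match(value: str, pattern: str) -> bool:
    return _substrings(value, pattern)


def case_ignore_ia5_substrings_match(value: str, pattern: str) -> bool:
    if not (IA5_RE.match(value) and IA5_RE.match(pattern)):
        raise ValueError("IA5String syntax allows only 7-bit characters")
    return _substrings(value, pattern)


# --- Matching rule uses: which rule applies to which attribute ----------------
# Attribute names are case-insensitive, so the keys are lower-cased. (Assumed mapping.)
Rule = Callable[[str, str], object]
EQUALITY: dict[str, Rule] = {
    "cn": case_ignore_match,
    "mail": case_ignore_match,
    "employeenumber": integer_match,
    "homephone": telephone_number_match,
}
ORDERING: dict[str, Rule] = {"employeenumber": integer_ordering_match}
SUBSTRING: dict[str, Rule] = {
    "cn": case_ignore_substrings_match,
    "mail": case_ignore_ia5_substrings_match,
}

# --- A minimal filter evaluator: (attr=value), (attr<=value), (attr>=value) -----
FILTER_RE = re.compile(r"\((?P<attr>[A-Za-z][A-Za-z0-9-]*)(?P<op><=|>=|=)(?P<value>[^()]*)\)")


def matches(entry: dict[str, list[str]], filt: str) -> bool:
    m = FILTER_RE.fullmatch(filt)
    if m is None:
        raise ValueError(f"unsupported filter: {filt}")
    attr, op, assertion = m["attr"].lower(), m["op"], m["value"]
    values = entry.get(attr, [])
    if op == "=" and assertion == "*":                 # presence filter, e.g. (cn=*)
        return bool(values)
    if op == "=":
        rule = (SUBSTRING if "*" in assertion else EQUALITY).get(attr)
    else:
        rule = ORDERING.get(attr)
    if rule is None:                                   # no matching rule use: filter is Undefined
        return False
    if op == "=":
        return any(rule(v, assertion) for v in values)
    accept = (lambda c: c <= 0) if op == "<=" else (lambda c: c >= 0)
    return any(accept(rule(v, assertion)) for v in values)


# Constructed sample entries (not from any real directory), keyed by lower-cased attribute name.
ENTRIES = [
    {"cn": ["John Adams"], "mail": ["jadams@example.com"],
     "employeenumber": ["120"], "homephone": ["+1 508-555-0101"]},
    {"cn": ["Mary Dawes"], "mail": ["mdawes@example.com"], "employeenumber": ["85"]},
    {"cn": ["Adam Smith"], "mail": ["asmith@example.org"], "employeenumber": ["200"]},
]


def search(entries: list[dict[str, list[str]]], filt: str) -> list[str]:
    """Return the cn of every entry the filter matches."""
    return [e["cn"][0] for e in entries if matches(e, filt)]


if __name__ == "__main__":
    for f in ["(cn=Joh*)", "(cn=*Adams)", "(cn=mary dawes)", "(mail=*@EXAMPLE.COM)",
              "(employeeNumber<=120)", "(employeeNumber=12*)"]:
        print(f"{f:28} -> {search(ENTRIES, f)}")
```

Note the last filter in the usage loop: employeeNumber has an equality and an ordering rule but no substring rule use, so a substring filter on it is Undefined and matches nothing. This is the behaviour to expect from a server when an attribute lacks the rule a client's filter needs.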
LDAP Configuration Manager and Managing Schema
LDAP Configuration Manager is a management tool you use to modify LDAP schema. This section describes how to use the LDAP Configuration Manager to manage LDAP schema. You can create a shortcut for the LDAP Configuration Manager on your desktop.
Note
This chapter assumes you are familiar with the StreetTalk directory, StreetTalk attributes, and STDA. For more information about StreetTalk and managing StreetTalk attributes, refer to Managing Users and StreetTalk.
After you select an LDAP for StreetTalk server to manage, you see the following eight tabs displayed:
Service Control
Access Control
Attributes
Object Classes
Matching Rules
Matching Rule Use
Syntax
Referrals
Directory Synchronization
Each tab contains a dialog that you use to manage one aspect of the LDAP for StreetTalk database. LDAP Configuration Manager provides dialogs for adding, viewing, and deleting the following entries in LDAP for StreetTalk databases:
Attribute type definitions
Object classes
Matching rules
Note
Adding matching rules is not supported in LDAP for StreetTalk version 3.5. A future release of the LDAP for StreetTalk software will include the capability to add matching rules.
Matching rule uses
Syntax
Note
Adding syntax is not supported in LDAP for StreetTalk version 3.5. A future release of the LDAP for StreetTalk software will include the capability to add syntax.
The following sections provide procedures for managing the entries and attributes presented in the preceding list.
Managing Attribute Type Definitions
LDAP entries comprise attributes that contain the information about the entry. Each attribute has one or more values and a type. Each type has an attribute syntax that defines the information stored in the attribute, and how the stored information behaves during LDAP operations.
Configuring LDAP Attributes
Entries are the building blocks for information in the LDAP directory. Entries are often created to hold information about objects and concepts, such as people, companies, or printers. Each LDAP entry comprises attributes that contain information about the object or entry. Every attribute has a type and one or more values. LDAP for StreetTalk lets you add and modify attributes defined by your schema.
Note
Banyan recommends that you use the directory schema defined by LDAP for StreetTalk unless you plan to run an application that extends the schema.
Figure 3-1 shows the Attributes dialog in LDAP Configuration Manager. Use the Attributes dialog to manage attribute type definitions in the LDAP directory schema. The Attributes dialog includes the following buttons:
New - Adds a new attribute type definition.
Edit - Modifies current attribute type definitions.
Delete - Removes an attribute type definition.
Refresh - Updates the Attributes Defined list to show the latest additions or changes.
To Add a New Attribute
After you create the attribute, follow the steps in "To Add Attributes to an Object Class" to add it to an object class.
1. Click the Attributes tab.
2. Click New.
3. Click More Options. The New Attribute dialog appears with all the attribute options displayed, as shown in Figure 3-2.
Clicking More Options lets you configure attribute settings that are not required for the LDAP Service, but can improve search performance.
4. In the Attribute OID field, enter an OID for the new attribute.
5. In the Attribute Name option, enter a name for the new attribute.
6. Under Maps to StreetTalk attribute, select the StreetTalk attribute type from the list and enter the corresponding vendor number and attribute number for the StreetTalk attribute.
7. Under Matching Rules, select the matching rules to use for the attribute (equality, ordering, and substring) from the lists.
Equality - When you select an equality matching rule, LDAP for StreetTalk uses the rule to determine when a search value matches the attribute. For example, if you select integerMatch, the integer value of the user's specified search entry must be identical to the integer value of the attribute for the entry to be returned by the search.
Ordering - When you select an ordering rule, LDAP for StreetTalk applies the rule to operations that use ordering, such as less than (<), or greater than (>), to identify the target attribute and determine if the attribute value meets the search filter criterion.
Substring - When you select a matching rule to apply to substring matches for the attribute, LDAP for StreetTalk allows clients to search for entries in the LDAP directory by supplying only part of the value of the desired attribute. For example, substring match rules can let clients search for all occurrences of the attribute "cn=John Adams" by searching for "cn=Joh*" or "cn=*Adams".
8. (Optional) To add an alias for the new attribute, click Add Alias Name to open the Add New Aliases dialog. Enter the new alias name and click Add to add the alias. Click OK to return to the New Attribute dialog.
9. Under Options, select one or more check boxes to choose the attribute type and use options.
Single Value - The attribute can contain only one value. Selected by default.
Collective - Not supported by LDAP for StreetTalk. The collective option is included to comply with the LDAP version 3 protocol.
No User Modification - Locks the attribute so users cannot modify the attribute type definition. Administrators retain the ability to modify the attribute.
Present Indexing - Builds a database that indexes the new attribute. Indexing the attribute improves the performance of searches that filter on the presence of the attribute, such as cn=*, but uses disk space on the server.
Matching Rule Indexing - Builds a database that indexes the new attribute. Indexing the attribute improves the performance of searches that perform equality, ordering, or substring matching of the attribute, but uses disk space on the server.
10. (Optional) From the Attribute Syntax list, select an attribute syntax to be used with the new attribute.
11. (Optional) From the Usage list, select the appropriate usage for the attribute.
Three of the available usages (directoryOperation, distributedOperation, and dSAOperation) are assigned to attributes that the directory uses internally for operational purposes; such attributes are not returned in searches. Attributes with usage userApplications are exposed to users. Select the attribute usage accordingly.
12. (Optional) Select a superior attribute from the list. Attributes inherit characteristics such as matching rules from their superior attribute.
13. (Optional) Enter a text description of the new attribute in the Attribute Description option.
14. Click OK to add the new attribute to the LDAP schema.
To use the new attribute, add the attribute to an object class.
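The choices made in the New Attribute dialog above correspond one-to-one to the fields of an RFC 2252 AttributeTypeDescription. The following added example (not part of the original manual, and not LDAP Configuration Manager's own code) builds that description from the same choices, refuses an OID that is malformed, lies outside your organization's base arc, or is already used (the compatibility point made under "Object Identification Numbers"), and parses a description back so a schema file can be checked before it is loaded. The base arc 1.3.6.1.4.1.130.2 is the Banyan arc quoted in the chapter and is used here only as an illustration; the OID 1.3.6.1.4.1.130.2.9.1, the badgeNumber attribute and the "existing" OID set are constructed placeholders.

```python
import re

OID_RE = re.compile(r"^\d+(\.\d+)+$")
USAGES = ("userApplications", "directoryOperation", "distributedOperation", "dSAOperation")


def check_oid(oid: str, base_arc: str, existing) -> None:
    """Refuse OIDs that are malformed, outside your IANA-assigned arc, or already taken."""
    if not OID_RE.match(oid):
        raise ValueError(f"malformed OID: {oid}")
    if not oid.startswith(base_arc + "."):
        raise ValueError(f"{oid} is not beneath your base arc {base_arc}")
    if oid in existing:
        raise ValueError(f"{oid} is already assigned in the schema")


def _qdstring(s: str) -> str:
    """Quote a name or description; an RFC 2252 qdstring cannot contain a single quote."""
    if "'" in s:
        raise ValueError("single quotes are not allowed in names or descriptions")
    return f"'{s}'"


def attribute_type_description(oid, name, *, base_arc, existing=frozenset(), aliases=(),
                               desc=None, sup=None, equality=None, ordering=None, substr=None,
                               syntax=None, single_value=False, no_user_modification=False,
                               usage="userApplications"):
    """Build an RFC 2252 AttributeTypeDescription from the New Attribute dialog choices."""
    check_oid(oid, base_arc, existing)
    if usage not in USAGES:
        raise ValueError(f"unknown usage {usage}")
    names = [_qdstring(n) for n in (name, *aliases)]          # aliases become extra NAMEs
    parts = [oid, "NAME " + (names[0] if len(names) == 1 else "( " + " ".join(names) + " )")]
    if desc:
        parts.append("DESC " + _qdstring(desc))
    if sup:
        parts.append(f"SUP {sup}")
    for kw, val in (("EQUALITY", equality), ("ORDERING", ordering),
                    ("SUBSTR", substr), ("SYNTAX", syntax)):
        if val:
            parts.append(f"{kw} {val}")
    if single_value:
        parts.append("SINGLE-VALUE")
    if no_user_modification:
        parts.append("NO-USER-MODIFICATION")
    parts.append(f"USAGE {usage}")
    return "( " + " ".join(parts) + " )"


KEYWORDS = {"NAME", "DESC", "SUP", "EQUALITY", "ORDERING", "SUBSTR", "SYNTAX", "USAGE"}
FLAGS = {"SINGLE-VALUE", "NO-USER-MODIFICATION", "COLLECTIVE", "OBSOLETE"}


def parse_attribute_type(text: str) -> dict:
    """Parse a description back into a dict (OID, names, keyword values, flags)."""
    text = text.strip()
    if not (text.startswith("(") and text.endswith(")")):
        raise ValueError("description must be parenthesised")
    tokens = re.findall(r"'[^']*'|[()]|[^\s()']+", text[1:-1])
    result = {"oid": tokens[0], "names": [], "flags": set()}
    i = 1
    while i < len(tokens):
        tok = tokens[i]
        if tok in FLAGS:
            result["flags"].add(tok)
            i += 1
        elif tok in KEYWORDS:
            if i + 1 >= len(tokens):
                raise ValueError(f"{tok} has no value")
            if tokens[i + 1] == "(":                 # parenthesised list, e.g. NAME ( 'a' 'b' )
                j = tokens.index(")", i + 2)
                vals, i = tokens[i + 2:j], j + 1
            else:
                vals, i = [tokens[i + 1]], i + 2
            vals = [v.strip("'") for v in vals]
            if tok == "NAME":
                result["names"] = vals
            else:
                result[tok.lower()] = vals[0]
        else:
            raise ValueError(f"unexpected token {tok!r}")
    return result


# Constructed: OIDs already present in the schema (cn and sn here), used for the collision check.
EXISTING_OIDS = {"2.5.4.3", "2.5.4.4"}

if __name__ == "__main__":
    d = attribute_type_description("1.3.6.1.4.1.130.2.9.1", "badgeNumber",
                                   base_arc="1.3.6.1.4.1.130.2", existing=EXISTING_OIDS,
                                   desc="Building badge id", equality="integerMatch",
                                   ordering="integerOrderingMatch",
                                   syntax="1.3.6.1.4.1.1466.115.121.1.27", single_value=True)
    print(d)
    print(parse_attribute_type(d))
```

The syntax OID 1.3.6.1.4.1.1466.115.121.1.27 is the RFC 2252 INTEGER syntax, which is why integerMatch and an integer ordering rule are the appropriate choices for it; choosing a rule whose syntax does not match the attribute's syntax is the usual cause of searches that silently return nothing.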
To Add Attributes to an Object Class
1. Click the Object Classes tab.
2. Under Object Classes Defined, select the object class to modify, and click Edit.
3. Do one of the following:
To add required attributes, select the attributes from the Known Attributes list, and click the <= button to add the attributes to the required attributes list.
To add allowed attributes, select the attributes from the Known Attributes list, and click the <= button to add the attributes to the allowed attributes list.
To remove attributes, select the attributes from the Required Attributes or Allowed Attributes lists, and click the => button.
4. Click OK to close the Edit Object Class dialog.
To Delete an Attribute
1. Click the Attributes tab.
2. On the Attributes Defined list, select the attribute to delete.
3. Click Delete.
To View the Details of an Attribute
1. Click the Attributes tab.
2. Click the + sign next to the attribute to show the details of the attribute.
3. Click the - sign to hide the details.
Managing Object Classes
Object classes tell you what information can and must be stored in an LDAP entry. For example, an LDAP entry of object class employee requires the surname (sn), common name (cn), and objectClass attributes, and allows many other attributes.
Each entry in an LDAP database contains an object class that determines the kind of entry it is. The object class that determines the entry type is called the structural object class and cannot be changed. Other object classes that may be part of the entry are called auxiliary; they may be added to or deleted from the entry if access rights allow. When you define a new object class, you choose whether the new object class is structural, auxiliary, or abstract, where abstract indicates that your new object class is compatible with X.500 directory services.
Configuring Object Classes
The Object Classes dialog, Figure 3-3, lets you configure the LDAP for StreetTalk schema. LDAP schema define LDAP object class definitions. Each object class definition declares the name of a particular kind of object class, and the list of required and allowed attributes for the object class.
The Object Classes Defined list displays the contents of the current set of object class definitions. Click the + sign next to an object class to view the required and allowed attributes, as shown for object class person in Figure 3-3.
The Object Classes dialog includes the following buttons:
New - Adds a new object class definition.
Edit - Adds existing schema attributes to required or allowed attributes of an object class or modifies an existing required or allowed attribute. Also lets you change other defined features of an object class.
Delete - Removes an object class definition.
Refresh - Updates the Object Classes Defined list to show the latest additions or changes.
Note
Banyan recommends you use the directory schema defined by LDAP for StreetTalk unless you plan to run an application that extends the schema.
To Add an Object Class
1. Click the Object Classes tab.
2. Click New. The New Object Class dialog appears as shown in Figure 3-4.
3. Under Object Class Name, enter a name for the object class.
4. Under Object Class identifier (OID), enter an OID for the new object class.
5. In the StreetTalk Object Class list, select the corresponding StreetTalk class.
6. Select a Kind of Object Class by selecting an option under Kind of Object Class.
Structural - The object class inherits the required and allowed attributes of its superior object class, in addition to the required and allowed attributes that you assign. You cannot delete a structural object class from an LDAP entry (compare to Auxiliary below).
Abstract - The new object class is compatible with X.500 directory services.
Auxiliary - The new object class is not affected by the directory hierarchy, and does not affect the hierarchy. You can delete an auxiliary object class from an LDAP entry.
7. Use the arrow buttons to add attributes for the new object class.
8. (Optional) Use the arrow buttons to add a superior object class from the Superior Object Classes list.
9. (Optional) Enter a text description of the new object class under Object Class description.
10. (Optional) Clear the Obsolete check box to mark the new object class as current.
Existing object classes may be designated as obsolete when their use is discouraged by the LDAP governing body. In general, avoid using obsolete object classes, and do not designate object classes that you create as obsolete.
11. Click OK to add the new object class to the LDAP schema.
The new object class appears in the Object Class defined list, in expanded view to show the details of the new object class.
LDAP Configuration Manager writes added object classes and attributes to the object class configuration file.
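The distinction between structural and auxiliary classes, and between required and allowed attributes, is what a server enforces when an entry is added or modified. The following added example (not part of the original manual, and not LDAP for StreetTalk code) validates an entry against a small, constructed schema fragment: it collects the required and allowed attributes over each class and its superiors, checks that the entry carries exactly one structural object class chain, reports missing required attributes, attributes no class allows, and multi-valued use of a single-valued attribute. The classes top, person, organizationalPerson and device follow the standard definitions; badgeHolder and badgeNumber are invented for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ObjectClass:
    name: str
    kind: str                 # "structural", "auxiliary" or "abstract"
    sup: tuple = ()           # superior object classes
    must: tuple = ()          # required attributes
    may: tuple = ()           # allowed attributes


# Constructed schema fragment. Names are lower-cased because LDAP names are case-insensitive;
# badgeholder and badgenumber are invented for the example, the rest follow the standard classes.
SCHEMA = {oc.name: oc for oc in [
    ObjectClass("top", "abstract", must=("objectclass",)),
    ObjectClass("person", "structural", sup=("top",), must=("sn", "cn"),
                may=("userpassword", "telephonenumber", "description")),
    ObjectClass("organizationalperson", "structural", sup=("person",),
                may=("title", "postaladdress", "homephone")),
    ObjectClass("device", "structural", sup=("top",), must=("cn",), may=("serialnumber",)),
    ObjectClass("badgeholder", "auxiliary", sup=("top",), must=("badgenumber",)),
]}
SINGLE_VALUED = {"badgenumber"}      # attributes defined with the Single Value option


def superiors(name: str) -> list[str]:
    """The class itself plus every superior reachable from it."""
    seen, stack = [], [name]
    while stack:
        n = stack.pop()
        if n in seen:
            continue
        if n not in SCHEMA:
            raise KeyError(f"unknown object class: {n}")
        seen.append(n)
        stack.extend(SCHEMA[n].sup)
    return seen


def effective_attributes(classes) -> tuple[set[str], set[str]]:
    """Required and allowed attribute sets for an entry carrying these object classes."""
    must, may = set(), set()
    for c in classes:
        for n in superiors(c):
            must.update(SCHEMA[n].must)
            may.update(SCHEMA[n].may)
    return must, may - must


def validate_entry(entry: dict[str, list[str]]) -> list[str]:
    """Return a list of schema violations; an empty list means the entry is acceptable."""
    attrs = {k.lower(): v for k, v in entry.items()}
    classes = [c.lower() for c in attrs.get("objectclass", [])]
    unknown = [c for c in classes if c not in SCHEMA]
    if unknown:
        return [f"unknown object class: {c}" for c in unknown]
    problems = []
    structural = [c for c in classes if SCHEMA[c].kind == "structural"]
    # Every structural class must sit on the superior chain of one most-specific structural class.
    leaves = [c for c in structural if not any(o != c and c in superiors(o) for o in structural)]
    if len(leaves) != 1:
        problems.append("entry must have exactly one structural object class chain")
    must, may = effective_attributes(classes)
    present = set(attrs)
    problems += [f"missing required attribute: {a}" for a in sorted(must - present)]
    problems += [f"attribute not allowed: {a}" for a in sorted(present - must - may)]
    problems += [f"single-valued attribute has {len(v)} values: {a}"
                 for a, v in attrs.items() if a in SINGLE_VALUED and len(v) > 1]
    return problems


if __name__ == "__main__":
    entry = {"objectClass": ["top", "person", "organizationalPerson"],
             "cn": ["John Adams"], "sn": ["Adams"], "title": ["Engineer"]}
    print(validate_entry(entry))                                   # []
    print(validate_entry({"objectClass": ["person"], "cn": ["John Adams"], "mail": ["j@example.com"]}))
```

Auxiliary classes are the safe way to extend what an entry may hold: adding badgeHolder to a person entry adds its required attribute without disturbing the structural chain, which is why the chapter advises extending the schema only when an application needs it rather than editing the structural classes.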
To Delete an Object Class
1. Click the Object Classes tab.
2. From the Object Classes Defined list, select the object class to delete.
3. Click Delete.
To View the Details of an Object Class
1. Click the Object Classes tab.
2. Click the + sign next to the object class to show the details of the object class.
3. Click the - sign to hide the details.
Managing Matching Rules
LDAP services use matching rules to compare attribute values against client search values when processing search and compare requests. Matching rules are also used to identify the value to be added or deleted when you modify LDAP entries. Matching rules range in complexity from a simple integerMatch to BanyanApproxMatch, and you can use them to find exact matches to a search value or to return attribute values that are like the search value. Every attribute has an assigned matching rule to determine when the attribute's value matches a search query.
Configuring Matching Rules
LDAP servers use matching rules to compare attribute values in entries in the LDAP directory against the client search request values when performing search and compare operations. Matching rules are also used to identify the value to be added or deleted when modifying LDAP entries, and are used when comparing an assumed distinguished name with the name of an LDAP entry.
Most attributes in the LDAP directory tree have an equality matching rule. These attributes may have other matching rules defined as well. For example:
Attribute homePhone uses matching rule 2.5.13.20 (telephoneNumberMatch) for equality matches during compare and search operations
Attribute homePostalAddress uses matching rule 2.5.13.11 (caseIgnoreListMatch) for matches
Matching rule caseIgnoreMatch has been expanded in Figure 3-5 to show the details of the matching rule, including its LDAP-defined Object Identification number (OID), attribute syntax, and status of the rule.
The Matching Rules dialog includes the following buttons:
New - Adds a new matching rule. After adding a matching rule, you should use the Matching Rules Use dialog to configure attributes to use the new matching rule.
Note
Adding matching rules is not supported in LDAP for StreetTalk version 3.5. A future release of the LDAP for StreetTalk software will include the capability to add matching rules.
Edit - Modifies a matching rule.
Delete - Removes a matching rule.
Refresh - Updates the Matching rules defined list to show the latest additions or changes.
To Add a Matching Rule
Note
Adding matching rules is not supported in LDAP for StreetTalk version 3.5. A future release of the LDAP for StreetTalk software will include the capability to add matching rules.
1. Click the Matching Rules tab.
2. Click New. The New Matching Rule dialog appears (Figure 3-6).
3. Enter the OID for the new matching rule.
4. Enter a name for the new matching rule.
5. From the Syntax list, select a syntax to use with the new matching rule.
6. (Optional) Enter a text description for the matching rule in the Description field.
7. (Optional) Select the Obsolete check box to define the new rule as obsolete.
Generally, new matching rules are not designated as obsolete. Only matching rules whose use is discouraged by the LDAP governing body should be declared obsolete.
To apply the new matching rule to attributes, switch to the Matching Rule Use dialog and add a new matching rule use for the matching rule. Refer to "To Add a Matching Rule Use" later in this chapter for the procedure for adding a matching rule use.
To Delete a Matching Rule
1. Click the Matching Rules tab.
2. On the Matching Rules Defined list, select the rule to delete.
3. Click Delete.
To View the Details of a Matching Rule
1. Click the Matching Rules tab.
2. Click the + sign next to the matching rule to show the details of the rule.
3. Click the - sign to hide the details.
Managing Matching Rule Uses
To associate an attribute with a matching rule, LDAP uses a matching rule use object. A matching rule use determines which attributes use a given matching rule. For example, for matching rule caseIgnoreListMatch (OID 2.5.13.11), the matching rule use caseIgnoreListMatch (OID 2.5.13.11) declares that caseIgnoreListMatch applies to attributes homepostaladdress and postaladdress. If clients perform searches for values of attribute postaladdress, LDAP uses matching rule caseIgnoreListMatch to determine if an attribute value in an entry matches the client search value for the attribute.
Configuring Matching Rule Uses
Matching rule uses define which matching rules are used with which attributes. In Figure 3-7, the matching rule use for integerMatch (OID 2.5.13.14) applies to attributes streettalkclass, stdaclass, and streettalkcategory. Other examples of matching rule uses include:
telephoneNumberMatch (OID 2.5.13.20) applies to attributes homephone, mobile, mobiletelephonenumber, pager, pagertelephonenumber, personalmobile, personalpager, and telephonenumber
octetStringMatch (OID 2.5.13.17) applies to userpassword
The Matching Rules Use dialog includes the following buttons:
New - Adds a new matching rule use.
Edit - Adds existing attributes to a matching rule use. Also lets you change the other defined features of a matching rule use.
Delete - Removes a matching rule use.
Refresh - Updates the Matching Rules Use Defined list to show the latest additions or changes.
To Add a Matching Rule Use
1. Click the Matching Rule Use tab.
2. Click New. The New Matching Rule Use dialog appears (Figure 3-8).
3. Enter the OID for the new matching rule use in the Matching Rule Use OID field.
4. Enter a name for the new matching rule use in the Name field.
5. From the Known Applies list, select one or more attributes to use the new matching rule use and click the <= arrow to add the selected attributes to the Applies list.
6. (Optional) Enter a text description for the matching rule use in the Description field.
7. (Optional) Select the Obsolete check box to define the new rule as obsolete.
Generally, new matching rule uses are not designated as obsolete. Only matching rule uses whose use is discouraged by the LDAP governing body should be declared obsolete.
To Delete a Matching Rule Use
1. Click the Matching Rule Use tab.
2. On the Matching Rules Use Defined list, select the use to delete.
3. Click Delete.
To View the Details of a Matching Rule Use
1. Click the Matching Rules Use tab.
2. Click the + sign next to the matching rule use to show the details of the rule use.
3. Click the - sign to hide the details.
Managing Syntax
An attribute's associated syntax determines the format of the information recorded in the attribute. Syntax also determines how the attribute's values respond during LDAP operations. LDAP uses matching rules to determine how a syntax responds to search and other LDAP operations. Refer to "Managing Matching Rules" earlier in this chapter for more information about matching rules.
Configuring Syntax
Attribute syntaxes define the kind of information that can be stored in an attribute's values and how those values behave during searches and other LDAP directory operations. For example, the common name (cn=) attribute has the syntax caseIgnoreString, meaning that letter case is ignored during comparisons, and that attribute values must be character strings. Using the syntax caseIgnoreString, the common names Mary Dawes, mary dawes, and Mary dawes are the same, and all three would be found during a search for cn=mary dawes.
The View Tree by Description check box changes the list views so that attribute syntax entries appear alphabetically by their optional text descriptions rather than numerically by their OIDs. Entries that do not have text descriptions are listed in numerical order by OID at the top of the list. After selecting or clearing the View Tree by Description check box, click Refresh to change the list view.
The Syntax dialog presented in Figure 3-9 includes the following buttons:
New - Adds a new attribute syntax for use by attributes.
Note
Adding syntax is not supported in LDAP for StreetTalk version 3.5. A future release of the LDAP for StreetTalk software will include the capability to add syntax.
Edit - Changes the attribute syntax description or human readable setting.
Delete - Removes an attribute syntax.
Refresh - Updates the Syntax Defined list to show the latest additions or changes.
To Add a Syntax
1. Click the Syntax tab.
2. Click New. The New Syntax dialog appears (Figure 3-10).
3. Enter the OID for the new Syntax in the Syntax OID field.
4. (Optional) Enter a text description for the syntax in the Description field.
5. Select the Human Readable check box to indicate that the syntax is used by attributes containing values that are human readable, such as text strings.
The LDAP syntaxes Audio, Binary, and JPEG are not human-readable (that is, attributes that use these syntaxes contain information that is not meant to be viewed in its binary, or raw, state). Most other syntaxes, such as Postal Address and Telephone Number, are human-readable.
6. Click OK to close the dialog.
After adding a new syntax, you can add a matching rule that uses the new syntax, add attributes that use the new syntax, or assign the syntax to existing attributes and matching rules.
To Delete a Syntax
1. Click the Syntax tab.
2. On the Syntax Defined list, select the syntax to delete.
3. Click Delete.
To View the Details of a Syntax
1. Click the Syntax tab.
2. Click the + sign next to the syntax to show the details of the syntax.
3. Click the - sign to hide the details.