Chapter 3 - Using LDAP Configuration Manager to Manage LDAP Schema

Overview

The directory schema is the collection of attribute type definitions, object class definitions, and other information the LDAP server uses to match a filter or attribute value provided by a client request against the attribute of an LDAP entry. (From RFC 2252, Overview.) Items in the LDAP directory information tree are created according to the objectClass definition templates specified by the LDAP schema. This chapter describes how to use LDAP Configuration Manager to manage directory schema by adding and deleting:

Attribute type definitions
Object classes
Matching rules

Note: Adding matching rules is not supported in LDAP for StreetTalk version 3.0. A future release of the LDAP for StreetTalk software will include the capability to add matching rules.

Matching rule uses
Syntax

Note: Adding syntax is not supported in LDAP for StreetTalk version 3.0. A future release of the LDAP for StreetTalk software will include the capability to add syntax.

Note: Managing LDAP schema may involve adding and modifying LDAP objectClass definitions. The details and syntax of LDAP schema are defined in RFC 2251 Lightweight Directory Access Protocol (v3) and in RFC 2252 Lightweight Directory Access Protocol (v3): Attribute Syntax Definitions.

Object Identification Numbers

LDAP uses Object Identification Numbers (OIDs) to uniquely identify object classes, attributes, attribute syntaxes, and matching rules in the LDAP schema. To maintain compatibility with other LDAP directories, use OIDs provided by the Internet Assigned Numbers Authority (IANA) when you create new object classes. Contact IANA at www.iana.org to receive a base OID for your organization. For example, IANA assigned Banyan the OID 1.3.6.1.4.1.130. All StreetTalk schema objects in LDAP start with the Banyan OID 1.3.6.1.4.1.130.2, where the rightmost digit, 2, indicates that the OID represents an LDAP schema object.

Overview of LDAP Entries

Entries in an LDAP database consist of attributes, and each attribute has a type (structural, abstract, or auxiliary) and one or more values. (StreetTalk Support for LDAP version 1.0 did not support attributes with more than one value. LDAP for StreetTalk version 3.0 does.) Associated with each attribute type is an attribute syntax that determines the format of the information recorded in the attribute as well as how the attribute's values respond during LDAP operations. While the attribute syntax governs the value in an attribute, LDAP matching rules set the pattern for matching search values against an attribute value by assigning the kind of match that is used by the attribute. For example, the attribute mail uses matching rule caseIgnoreIA5SubstringsMatch, meaning that letter case is ignored during comparisons; that matches can be made to portions of the attribute value string (substring matching); and that values of the mail attribute must be character strings. Matching rule caseIgnoreIA5SubstringsMatch applies to attributes with syntax IA5String.

LDAP Configuration Manager and Managing Schema

LDAP Configuration Manager is a management tool you use to modify LDAP schema. This section describes how to use the LDAP Configuration Manager to manage LDAP schema. You can create a shortcut for the LDAP Configuration Manager on your desktop.

LDAP Configuration Manager provides dialog boxes for adding, viewing, and deleting the following entries in LDAP for StreetTalk databases:

Attribute type definitions
Object classes
Matching rules

Note: Adding matching rules is not supported in LDAP for StreetTalk version 3.0. A future release of the LDAP for StreetTalk software will include the capability to add matching rules.

Matching rule uses
Syntax

Note: Adding syntax is not supported in LDAP for StreetTalk version 3.0. A future release of the LDAP for StreetTalk software will include the capability to add syntax.

Managing Attribute Type Definitions

LDAP entries comprise attributes that contain the information about the entry. Each attribute has one or more values and a type. This type has an attribute syntax that defines the information stored in the attribute and how the stored values behave during searches and other LDAP operations.

Configuring LDAP Attributes

Entries are the building blocks for information in the LDAP directory. Entries are often created to hold information about objects and concepts, such as people, companies, or printers. Each LDAP entry comprises attributes that contain information about the object or entry. Every attribute has a type and one or more values. LDAP for StreetTalk lets you add and modify attributes defined by your schema.

Note: Banyan recommends that you use the directory schema defined by LDAP for StreetTalk unless you plan to run an application that extends the schema.

Figure 3-1 shows the Attributes dialog box in LDAP Configuration Manager. Use the Attributes dialog box to manage attribute type definitions in the LDAP directory schema. The Attributes dialog box includes the following buttons:

New - Adds a new attribute type definition.

Edit - Modifies existing attribute type definitions.

Delete - Removes an attribute type definition.

Refresh - Updates the Attributes Defined list to show the latest additions or changes.

Figure 3-1. Attributes Dialog Box

After you create the attribute, follow the steps in "To Add Attributes to an Object Class" to add it to an object class.

1. Click the Attributes tab.

2. Click New. The New Attribute dialog box appears as shown in Figure 3-2.

Figure 3-2. New Attribute Dialog Box

3. In the Attribute OID field, enter an OID for the new attribute.

4. In the Attribute Name option, enter a name for the new attribute.

5. (Optional) To add an alias for the new attribute, click Add Alias Name to open the Add New Aliases dialog box. Enter the new alias name and click Add to add the alias. Click OK to return to the New Attribute dialog box.

6. In the Options area, select a check box to designate the attribute type.

Single Value - The attribute can contain only one value.

Collective - Not supported by LDAP for StreetTalk. The collective option is included to comply with the LDAP version 3 protocol.

No User Modification - Locks the attribute so users cannot modify the attribute type definition. Administrators retain the ability to modify the attribute.

7. From the Attribute Syntax list, select an attribute syntax to be used with the new attribute.

8. From the Usage list, select the appropriate usage for the attribute.

Of the available usages, three (directoryOperation, distributedOperation, and dSAOperation) are assigned to attributes that the directory uses internally for operational purposes; such attributes are not returned in searches. userApplications attributes are exposed to users. Select the attribute usage accordingly.

9. (Optional) Select a superior attribute from the list. Attributes inherit characteristics such as matching rules from their superior attribute.

10. In the Matching Rules area, select the desired matching rules for the attribute (equality, ordering, and substring) from the lists.

11. In the Maps to StreetTalk attribute option, select the StreetTalk attribute type from the list and enter the corresponding vendor number and attribute number for the attribute.

12. Select the Present Indexing check box to build a database that indexes the new attribute. Indexing the attribute improves the performance of searches that filter on the presence of the attribute, such as cn=*, but uses disk space on the server.

13. Select the Matching Rule Indexing check box to build a database that indexes the new attribute. Indexing the attribute improves the performance of searches that perform equality, ordering, or substring matching of the attribute, but uses disk space on the server.

14. (Optional) Enter a text description of the new attribute in the Attribute Description option.

15. Click OK to add the new attribute to the LDAP schema.

To Add Attributes to an Object Class

To use the new attribute, add the attribute to an object class.

1. Click the Objectclasses tab.

2. In the Objectclasses Defined list, select the object class you want to modify, and click Edit.

3. Do one of the following:

- To add required or allowed attributes, select the attributes from the Known Attributes list, and click the <= button to add the attributes to the required or allowed attributes lists.

- To remove attributes, select the attributes from the Required Attributes or Allowed Attributes lists, and click the => button.

4. Click OK to close the Edit Object Class dialog box.
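The two procedures above (create an attribute, then add it to the Required or Allowed list of an object class) fill in the fields of an RFC 2252 AttributeTypeDescription and ObjectClassDescription. The following is an added Python example, not Banyan's code: it renders those dialog fields as RFC 2252 definitions and applies the checks a schema administrator would want first, that the OID is well formed and falls under the organization's arc (here Banyan's LDAP schema arc 1.3.6.1.4.1.130.2 from this chapter) and that each selected matching rule is defined for the selected syntax. The attribute badgeNumber, the class bnEmployee and their OIDs are made up.

```python
"""Render New Attribute / Edit Object Class dialog fields as RFC 2252 schema
definitions and check them before loading. Added example, not Banyan's code;
new OIDs must fall under Banyan's LDAP schema arc 1.3.6.1.4.1.130.2 (from
this chapter). 'badgeNumber', 'bnEmployee' and their OIDs are made up."""
import re

SCHEMA_ARC = "1.3.6.1.4.1.130.2"           # arc for LDAP schema objects
OID_RE = re.compile(r"^[0-2](\.(0|[1-9]\d*))+$")

# RFC 2252 syntax OIDs and the syntax each matching rule is defined for.
SYNTAX = {"IA5String": "1.3.6.1.4.1.1466.115.121.1.26",
          "DirectoryString": "1.3.6.1.4.1.1466.115.121.1.15",
          "Integer": "1.3.6.1.4.1.1466.115.121.1.27"}
RULE_SYNTAX = {"caseIgnoreMatch": "DirectoryString",
               "caseIgnoreSubstringsMatch": "DirectoryString",
               "caseIgnoreIA5Match": "IA5String",
               "caseIgnoreIA5SubstringsMatch": "IA5String",
               "integerMatch": "Integer", "integerOrderingMatch": "Integer"}


def check_oid(oid):
    """Reject malformed OIDs and OIDs outside the organization's arc."""
    if not OID_RE.match(oid):
        raise ValueError(f"malformed OID {oid!r}")
    if not oid.startswith(SCHEMA_ARC + "."):
        raise ValueError(f"{oid} is not under schema arc {SCHEMA_ARC}")
    return oid


def attribute_type(oid, name, syntax, aliases=(), desc=None, sup=None,
                   equality=None, ordering=None, substr=None,
                   single_value=False, no_user_mod=False,
                   usage="userApplications"):
    """AttributeTypeDescription built from the New Attribute dialog fields."""
    check_oid(oid)
    for rule in (equality, ordering, substr):      # rule must fit the syntax
        if rule and RULE_SYNTAX.get(rule, syntax) != syntax:
            raise ValueError(f"{rule} is defined for {RULE_SYNTAX[rule]}, "
                             f"not {syntax}")
    names = " ".join(f"'{n}'" for n in (name, *aliases))
    parts = [oid, f"NAME ( {names} )" if aliases else f"NAME '{name}'"]
    for kw, val in (("DESC", f"'{desc}'" if desc else None), ("SUP", sup),
                    ("EQUALITY", equality), ("ORDERING", ordering),
                    ("SUBSTR", substr)):
        if val:
            parts.append(f"{kw} {val}")
    parts.append(f"SYNTAX {SYNTAX[syntax]}")
    parts += [flag for flag, on in (("SINGLE-VALUE", single_value),
                                    ("NO-USER-MODIFICATION", no_user_mod)) if on]
    if usage != "userApplications":    # operational usages: not returned in
        parts.append(f"USAGE {usage}")  # ordinary searches, per the chapter
    return "( " + " ".join(parts) + " )"


def object_class(oid, name, kind, must=(), may=(), sup="top", desc=None):
    """ObjectClassDescription; MUST/MAY mirror the Required/Allowed lists."""
    check_oid(oid)
    if kind not in ("STRUCTURAL", "AUXILIARY", "ABSTRACT"):
        raise ValueError(f"unknown object class kind {kind!r}")
    if set(must) & set(may):
        raise ValueError("an attribute cannot be both required and allowed")
    parts = [oid, f"NAME '{name}'"]
    if desc:
        parts.append(f"DESC '{desc}'")
    parts += [f"SUP {sup}", kind]
    for kw, attrs in (("MUST", must), ("MAY", may)):
        if attrs:
            parts.append(f"{kw} ( " + " $ ".join(attrs) + " )")
    return "( " + " ".join(parts) + " )"
```

The produced strings are the form in which LDAP servers publish schema in the subschema subentry, so they can be compared against what the server reports after Refresh.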

1. Click the Attributes tab.

2. On the Attributes Defined list, select the attribute to delete.

3. Click Delete.

1. Click the Attributes tab.

2. Click the + sign next to the attribute to show the details of the attribute.

3. Click the - sign to collapse the display and hide the details.

Managing Object Classes

An object class defines what information can be stored in an LDAP entry of that class. For example, the object class employee requires the surname (sn), common name (cn), and objectclass attributes, and allows many other attributes.

Each entry in an LDAP database contains an object class that determines the kind of entry it is. The object class that determines the entry type is called the structural object class and cannot be changed. Other object classes are called auxiliary and may be changed and added or deleted from the entry if access rights allow. When you define a new object class, you choose whether the new object class is a structural, auxiliary, or abstract type.

Configuring Object Classes

The Objectclasses dialog box, Figure 3-3, lets you configure LDAP schema. The LDAP schema holds the LDAP objectClass definitions. Each objectClass definition declares the name of a particular kind of objectClass and the list of required and allowed attributes for that objectClass.

Figure 3-3. Objectclasses Dialog Box

The Objectclasses Defined list displays the contents of the current set of object class definitions. You can click the + sign next to an object class and expand that object class to view the required and allowed attributes as shown for the objectClass, person, in Figure 3-3.

The Objectclasses dialog box includes the following buttons:

New - Adds a new objectClass definition.

Edit - Adds existing schema attributes to required or allowed attributes of an object class or modifies an existing required or allowed attribute. Also allows you to change the other defined features of an object class.

Delete - Removes an objectClass definition.

Refresh - Updates the Objectclasses Defined list to show the latest additions or changes.

Note: Banyan recommends that you use the directory schema defined by LDAP for StreetTalk unless you plan to run an application that extends the schema.

1. Click the Objectclasses tab.

2. Click New. The New Objectclass dialog box appears as shown in Figure 3-4.

Figure 3-4. New Objectclass Dialog Box

3. In the Object Class Name option, enter a name for the object class.

4. In the Objectclass option, enter an OID for the new object class.

5. In the StreetTalk Object Class list, select the corresponding StreetTalk class.

6. Select a Kind of Objectclass by selecting a radio button in the Kind of Objectclass box.

Structural - The objectclass inherits its superior object class's required and allowed attributes, in addition to the required and allowed attributes that you assign.

Abstract - The new objectclass is compatible with X.500 directory services.

Auxiliary - The new objectclass is not affected by the directory hierarchy, and does not affect the hierarchy.

7. Use the arrow buttons to add attributes for the new object class.

8. (Optional) Use the arrow buttons to add a superior object class from the Superior Objectclasses list.

9. (Optional) Enter a text description of the new object class in the Objectclass description option.

10. (Optional) Clear the Obsolete check box to mark the new object class as current.

Existing object classes may be designated as obsolete when their use is discouraged by the LDAP governing body. In general, avoid using obsolete object classes, and do not designate object classes that you create as obsolete.

11. Click OK to add the new object class to the LDAP schema.

The new object class appears in the Objectclass defined list, in expanded view to show the details of the new object class.

LDAP Configuration Manager writes added object classes and attributes to the object class configuration file.

1. Click the Objectclasses tab.

2. On the Objectclasses Defined list, select the object class to delete.

3. Click Delete.

1. Click the Objectclasses tab.

2. Click the + sign next to the object class to show the details of the object class.

3. Click the - sign to collapse the display and hide the details.

Managing Matching Rules

LDAP services use matching rules to compare attribute values against client search values when doing search and compare operations. Matching rules are also used to identify the value to be added or deleted when you modify LDAP entries. Ranging in complexity from integerMatch to BanyanApproxMatch, matching rules can be used to find exact matches to a search value or to return attribute values that are like the search value. Every attribute has an assigned matching rule to determine when the attribute value matches a search query.

Configuring Matching Rules

LDAP servers use matching rules to compare attribute values in entries in the LDAP directory against the client search request values when performing search and compare operations. Matching rules are also used to identify the value to be added or deleted when modifying LDAP entries, and when comparing an asserted distinguished name with the name of an LDAP entry.

Most attributes in the LDAP directory tree have an equality matching rule. These attributes may have other matching rules defined as well. For example:

Attribute homePhone uses matching rule 2.5.13.20 (telephoneNumberMatch) for equality matches during compare and search operations
Attribute homePostalAddress uses matching rule 2.5.13.11 (caseIgnoreListMatch) for matches

Matching rule caseIgnoreMatch has been expanded in Figure 3-5 to show the details of the matching rule, including its LDAP-defined Object Identification number (OID), attribute syntax, and status of the rule.

Figure 3-5. Matching Rules Dialog Box

The Matching Rules dialog box includes the following buttons:

New - Adds a new matching rule. After adding a matching rule, you should use the Matching Rules Use dialog box to configure attributes to use the new matching rule.

Note: Adding matching rules is not supported in LDAP for StreetTalk version 3.0. A future release of the LDAP for StreetTalk software will include the capability to add matching rules.

Edit - Modifies a matching rule.

Delete - Removes a matching rule.

Refresh - Updates the Matching rules defined list to show the latest additions or changes.

1. Click the Matching Rules tab.

2. Click New. The New Matching Rule dialog box appears (Figure 3-6).

Figure 3-6. New Matching Rule Dialog Box

3. Enter the OID for the new matching rule.

4. Enter a name for the new matching rule.

5. From the Syntax list, select a syntax to use with the new matching rule.

6. (Optional) Enter a text description for the matching rule in the Description field.

7. (Optional) Select the Obsolete check box to define the new rule as obsolete.

Generally, new matching rules are not designated as obsolete. Only matching rules whose use is discouraged by the LDAP governing body should be declared obsolete.

To apply the new matching rule to attributes, switch to the Matching Rule Use tab and add a new matching rule use for the matching rule. Refer to "To Add a Matching Rule Use" later in this chapter for the procedure for adding a matching rule use.

1. Click the Matching Rules tab.

2. On the Matching Rules Defined list, select the rule to delete.

3. Click Delete.

1. Click the Matching Rules tab.

2. Click the + sign next to the matching rule to show the details of the rule.

3. Click the - sign to collapse the display and hide the details.

Managing Matching Rule Uses

To associate an attribute to a matching rule, LDAP uses a matching rule use object. A matching rule use determines which attributes use a given matching rule. For example, for matching rule caseIgnoreListMatch (OID 2.5.13.11), the matching rule use caseIgnoreListMatch (OID 2.5.13.11) declares that caseIgnoreListMatch applies to attributes homepostaladdress and postaladdress. If clients perform searches for values of attribute postaladdress, LDAP uses matching rule caseIgnoreListMatch to determine if an attribute value in an entry matches the client search value for the attribute.

Configuring Matching Rule Uses

Matching rule uses define which matching rules are used with which attributes. In Figure 3-7, the matching rule use for integerMatch (OID 2.5.13.14) applies to attributes streettalkclass, stdaclass, and streettalkcategory. Other examples of matching rule uses include:

telephoneNumberMatch (OID 2.5.13.20) applies to attributes homephone, mobile, mobiletelephonenumber, pager, pagertelephonenumber, personalmobile, personalpager, and telephonenumber
octetStringMatch (OID 2.5.13.17) applies to userpassword

Figure 3-7. Matching Rules Use Dialog Box

The Matching Rules Use dialog box includes the following buttons:

New - Adds a new matching rule use.

Edit - Adds existing attributes to a matching rule use. Also lets you change the other defined features of a matching rule use.

Delete - Removes a matching rule use.

Refresh - Updates the Matching Rules Use Defined list to show the latest additions or changes.

To Add a Matching Rule Use

1. Click the Matching Rule Use tab.

2. Click New. The New Matching Rule Use dialog box appears (Figure 3-8).

Figure 3-8. New Matching Rule Use Dialog Box

3. Enter the OID for the new matching rule use in the Matching Rule Use OID option.

4. Enter a name for the new matching rule use in the Name option.

5. From the Known Applies list, select one or more attributes to use the new matching rule use and click the <= arrow to add the selected attributes to the Applies list.

6. (Optional) Enter a text description for the matching rule use in the Description option.

7. (Optional) Select the Obsolete check box to define the new rule as obsolete.

Generally, new matching rule uses are not designated as obsolete. Only matching rule uses whose use is discouraged by the LDAP governing body should be declared obsolete.

1. Click the Matching Rule Use tab.

2. On the Matching Rules Use Defined list, select the use to delete.

3. Click Delete.

1. Click the Matching Rule Use tab.

2. Click the + sign next to the matching rule use to show the details of the rule use.

3. Click the - sign to collapse the display and hide the details.

Managing Attribute Syntax

An attribute's associated syntax determines the format of the information recorded in the attribute as well as how the attribute's values respond during LDAP operations. LDAP uses matching rules to determine how a syntax responds to search and other LDAP operations. Refer to "Managing Matching Rules" earlier in this chapter for more information about matching rules.

Configuring Syntax

An attribute syntax defines what kind of information can be stored in an attribute's values and how those values behave during searches and other LDAP directory operations. For example, the common name (cn=) attribute has the syntax caseIgnoreString, meaning that letter case is ignored during comparisons, and that attribute values must be character strings. Using the syntax caseIgnoreString, the common names Mary Dawes, mary dawes, and Mary dawes are the same and all three would be found during a search for cn=mary dawes.
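The comparison behaviour described here for cn, and earlier for mail (caseIgnore substring matching in "Overview of LDAP Entries") and for homephone, streettalkclass and userpassword (the matching rule uses in "Managing Matching Rule Uses"), as an added Python example that is not Banyan's code. It evaluates equality and substring filters against an entry through an attribute-to-rule table; that table and the sample entry are constructed for illustration, and the case of an attribute with no applicable rule is included.

```python
"""Evaluate LDAP search filters with the matching rules this chapter names.
Added example, not Banyan's code. The attribute-to-rule tables (the matching
rule uses) and the sample entry are constructed for illustration."""
import re


def _fold(s):                      # caseIgnore*: fold case, collapse spaces
    return " ".join(s.split()).casefold()


def case_ignore_match(stored, asserted):
    """caseIgnoreMatch (cn) and caseIgnoreIA5Match (mail)."""
    return _fold(stored) == _fold(asserted)


def case_ignore_substrings_match(stored, asserted):
    """caseIgnore(IA5)SubstringsMatch; asserted is a filter like 'm*daw*'."""
    pattern = ".*".join(re.escape(_fold(p)) for p in asserted.split("*"))
    return re.fullmatch(pattern, _fold(stored)) is not None


def telephone_number_match(stored, asserted):
    """telephoneNumberMatch ignores spaces and hyphens in both values."""
    strip = lambda s: re.sub(r"[\s-]", "", s)
    return strip(stored) == strip(asserted)


def integer_match(stored, asserted):
    """integerMatch compares numeric value, so leading zeros are irrelevant."""
    return int(stored) == int(asserted)


def octet_string_match(stored, asserted):
    """octetStringMatch (userpassword): exact bytes, no folding at all."""
    return stored.encode() == asserted.encode()


# Matching rule uses as listed in the chapter: the equality rule for each
# attribute, and the attributes that also have a substring rule.
EQUALITY = {"cn": case_ignore_match, "mail": case_ignore_match,
            "homephone": telephone_number_match,
            "telephonenumber": telephone_number_match,
            "streettalkclass": integer_match,
            "userpassword": octet_string_match}
SUBSTR = {"cn": case_ignore_substrings_match,
          "mail": case_ignore_substrings_match}


def evaluate(entry, attr, asserted):
    """True if the filter attr=asserted matches the entry ('*' in asserted
    makes it a substring filter). With no applicable rule the filter is
    Undefined and never matches, which is how LDAP servers treat it."""
    attr = attr.lower()
    rule = (SUBSTR if "*" in asserted else EQUALITY).get(attr)
    if rule is None:
        return False
    return any(rule(value, asserted) for value in entry.get(attr, []))


ENTRY = {                          # constructed directory entry
    "cn": ["Mary Dawes"],
    "mail": ["Mary.Dawes@example.com"],
    "homephone": ["+1 617-555-0100"],
    "streettalkclass": ["0012"],
    "userpassword": ["Secret-Pass"],
}
```

Because the chapter's matching rule uses give userpassword only octetStringMatch, a substring filter on it is Undefined rather than evaluated; keep that property when extending the schema.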

The View Tree by Description check box changes the list views so that attribute syntax entries appear alphabetically by their optional text descriptions rather than numerically by their OIDs. Entries that do not have text descriptions are listed in numerical order by OID at the top of the list. After checking or clearing the View Tree by Description check box, click Refresh to change the list view.

Figure 3-9. Syntax Dialog Box

The Syntax dialog box presented in Figure 3-9 includes the following buttons:

New - Adds a new attribute syntax for use by attributes.

Note: Adding syntax is not supported in LDAP for StreetTalk version 3.0. A future release of the LDAP for StreetTalk software will include the capability to add syntax.

Edit - Changes the attribute syntax description or human readable setting.

Delete - Removes an attribute syntax.

Refresh - Updates the Syntax Defined list to show the latest additions or changes.

1. Click the Syntax tab.

2. Click New. The New Syntax dialog box appears (Figure 3-10).

Figure 3-10. New Syntax Dialog Box

3. Enter the OID for the new Syntax in the Syntax OID field.

4. (Optional) Enter a text description for the syntax in the Description field.

5. Select the Human Readable check box to indicate that the syntax is used by attributes containing values that are human readable, such as text strings.

The LDAP syntaxes Audio, Binary, and JPEG are not human-readable (that is, attributes that use these syntaxes contain information that is not meant to be viewed in its binary, or raw, state). Most other syntaxes, such as Postal Address and Telephone Number, are readable.

6. Click OK to close the dialog box.

After adding a new syntax, you can add a matching rule that uses the new syntax, add attributes that use the new syntax, or assign the syntax to existing attributes and matching rules.

1. Click the Syntax tab.

2. On the Syntax Defined list, select the syntax to delete.

3. Click Delete.

1. Click the Syntax tab.

2. Click the + sign next to the syntax to show the details of the syntax.

3. Click the - sign to collapse the display and hide the details.