summaryrefslogtreecommitdiffstats
path: root/doc/guide/admin/schema.sdf
diff options
context:
space:
mode:
Diffstat (limited to 'doc/guide/admin/schema.sdf')
-rw-r--r--doc/guide/admin/schema.sdf491
1 files changed, 491 insertions, 0 deletions
diff --git a/doc/guide/admin/schema.sdf b/doc/guide/admin/schema.sdf
new file mode 100644
index 0000000..4e23e2d
--- /dev/null
+++ b/doc/guide/admin/schema.sdf
@@ -0,0 +1,491 @@
+# $OpenLDAP$
+# Copyright 1999-2021 The OpenLDAP Foundation, All Rights Reserved.
+# COPYING RESTRICTIONS APPLY, see COPYRIGHT.
+
+H1: Schema Specification
+
+This chapter describes how to extend the user schema used by
+{{slapd}}(8). The chapter assumes the reader is familiar with the
+{{TERM:LDAP}}/{{TERM:X.500}} information model.
+
+The first section, {{SECT:Distributed Schema Files}} details optional
+schema definitions provided in the distribution and where to obtain
+other definitions.
+The second section, {{SECT:Extending Schema}}, details how to define
+new schema items.
+!if 0
+The third section, {{SECT:Transferring Schema}} details how you can
+export schema definitions from an LDAPv3 server and transform it
+to {{slapd.conf}}(5) format.
+!endif
+
+This chapter does not discuss how to extend system schema used by
+{{slapd}}(8) as this requires source code modification. System
+schema includes all operational attribute types or any object class
+which allows or requires an operational attribute (directly or
+indirectly).
+
+
+H2: Distributed Schema Files
+
+OpenLDAP Software is distributed with a set of schema specifications for
+your use. Each set is defined in a file suitable for inclusion
+(using the {{EX:include}} directive) in your {{slapd.conf}}(5)
+file. These schema files are normally installed in the
+{{F:/usr/local/etc/openldap/schema}} directory.
+
+!block table; colaligns="LR"; coltags="F,N"; align=Center; \
+ title="Table 8.1: Provided Schema Specifications"
+File Description
+core.schema OpenLDAP {{core}} (required)
+cosine.schema Cosine and Internet X.500 (useful)
+inetorgperson.schema InetOrgPerson (useful)
+misc.schema Assorted (experimental)
+nis.schema Network Information Services (FYI)
+openldap.schema OpenLDAP Project (experimental)
+!endblock
+
+To use any of these schema files, you only need to include the
+desired file in the global definitions portion of your
+{{slapd.conf}}(5) file. For example:
+
+> # include schema
+> include /usr/local/etc/openldap/schema/core.schema
+> include /usr/local/etc/openldap/schema/cosine.schema
+> include /usr/local/etc/openldap/schema/inetorgperson.schema
+
+Additional files may be available. Please consult the OpenLDAP
+{{TERM:FAQ}} ({{URL:http://www.openldap.org/faq/}}).
+
+Note: You should not modify any of the schema items defined
+in provided files.
+
+
+H2: Extending Schema
+
+Schema used by {{slapd}}(8) may be extended to support additional
+syntaxes, matching rules, attribute types, and object classes. This
+chapter details how to add user application attribute types and
+object classes using the syntaxes and matching rules already supported
+by slapd. slapd can also be extended to support additional syntaxes,
+matching rules and system schema, but this requires some programming
+and hence is not discussed here.
+
+There are five steps to defining new schema:
+^ obtain Object Identifier
++ choose a name prefix
++ create local schema file
++ define custom attribute types (if necessary)
++ define custom object classes
+
+
+H3: Object Identifiers
+
+Each schema element is identified by a globally unique {{TERM[expand]OID}}
+(OID). OIDs are also used to identify other objects. They are
+commonly found in protocols described by {{TERM:ASN.1}}. In
+particular, they are heavily used by the {{TERM[expand]SNMP}} (SNMP).
+As OIDs are hierarchical, your organization can obtain one OID and
+branch it as needed. For example, if your organization were assigned
+OID {{EX:1.1}}, you could branch the tree as follows:
+
+!block table; colaligns="LR"; coltags="EX,N"; align=Center; \
+ title="Table 8.2: Example OID hierarchy"
+OID Assignment
+1.1 Organization's OID
+1.1.1 SNMP Elements
+1.1.2 LDAP Elements
+1.1.2.1 AttributeTypes
+1.1.2.1.1 x-my-Attribute
+1.1.2.2 ObjectClasses
+1.1.2.2.1 x-my-ObjectClass
+!endblock
+
+You are, of course, free to design a hierarchy suitable to your
+organizational needs under your organization's OID. No matter what hierarchy you choose, you should maintain a registry of assignments you make. This can be a simple flat file or something more sophisticated such as the {{OpenLDAP OID Registry}} ({{URL:http://www.openldap.org/faq/index.cgi?file=197}}).
+
+For more information about Object Identifiers (and a listing service)
+see {{URL:http://www.alvestrand.no/objectid/}}.
+
+.{{Under no circumstances should you hijack OID namespace!}}
+
+To obtain a registered OID at {{no cost}}, apply for a OID
+under the {{ORG[expand]IANA}} (ORG:IANA) maintained {{Private Enterprise}} arc.
+Any private enterprise (organization) may request a {{TERM[expand]PEN}} (PEN) to be assigned under this arc. Just fill out the IANA form at {{URL: http://pen.iana.org/pen/PenApplication.page}} and your official PEN will be sent to you usually within a few days. Your base OID will be something like {{EX:1.3.6.1.4.1.X}} where {{EX:X}} is an integer.
+
+Note: PENs obtained using this form may be used for any purpose
+including identifying LDAP schema elements.
+
+Alternatively, OID name space may be available from a national
+authority (e.g., {{ORG:ANSI}}, {{ORG:BSI}}).
+
+
+H3: Naming Elements
+
+In addition to assigning a unique object identifier to each schema
+element, you should provide at least one textual name for each
+element. Names should be registered with the {{ORG:IANA}} or
+prefixed with "x-" to place in the "private use" name space.
+
+The name should be both descriptive and not likely to clash with
+names of other schema elements. In particular, any name you choose
+should not clash with present or future Standard Track names (this
+is assured if you registered names or use names beginning with "x-").
+
+It is noted that you can obtain your own registered name
+prefix so as to avoid having to register your names individually.
+See {{REF:RFC4520}} for details.
+
+In the examples below, we have used a short prefix '{{EX:x-my-}}'.
+Such a short prefix would only be suitable for a very large, global
+organization. In general, we recommend something like '{{EX:x-de-Firm-}}'
+(German company) or '{{EX:x-com-Example}}' (elements associated with
+organization associated with {{EX:example.com}}).
+
+
+H3: Local schema file
+
+The {{EX:objectclass}} and {{EX:attributeTypes}} configuration file
+directives can be used to define schema rules on entries in the
+directory. It is customary to create a file to contain definitions
+of your custom schema items. We recommend you create a file
+{{F:local.schema}} in {{F:/usr/local/etc/openldap/schema/local.schema}}
+and then include this file in your {{slapd.conf}}(5) file immediately
+after other schema {{EX:include}} directives.
+
+> # include schema
+> include /usr/local/etc/openldap/schema/core.schema
+> include /usr/local/etc/openldap/schema/cosine.schema
+> include /usr/local/etc/openldap/schema/inetorgperson.schema
+> # include local schema
+> include /usr/local/etc/openldap/schema/local.schema
+
+
+H3: Attribute Type Specification
+
+The {{attributetype}} directive is used to define a new attribute
+type. The directive uses the same Attribute Type Description
+(as defined in {{REF:RFC4512}}) used by the attributeTypes
+attribute found in the subschema subentry, e.g.:
+
+E: attributetype <{{REF:RFC4512}} Attribute Type Description>
+
+where Attribute Type Description is defined by the following
+{{TERM:ABNF}}:
+
+> AttributeTypeDescription = "(" whsp
+> numericoid whsp ; AttributeType identifier
+> [ "NAME" qdescrs ] ; name used in AttributeType
+> [ "DESC" qdstring ] ; description
+> [ "OBSOLETE" whsp ]
+> [ "SUP" woid ] ; derived from this other
+> ; AttributeType
+> [ "EQUALITY" woid ; Matching Rule name
+> [ "ORDERING" woid ; Matching Rule name
+> [ "SUBSTR" woid ] ; Matching Rule name
+> [ "SYNTAX" whsp noidlen whsp ] ; Syntax OID
+> [ "SINGLE-VALUE" whsp ] ; default multi-valued
+> [ "COLLECTIVE" whsp ] ; default not collective
+> [ "NO-USER-MODIFICATION" whsp ]; default user modifiable
+> [ "USAGE" whsp AttributeUsage ]; default userApplications
+> whsp ")"
+>
+> AttributeUsage =
+> "userApplications" /
+> "directoryOperation" /
+> "distributedOperation" / ; DSA-shared
+> "dSAOperation" ; DSA-specific, value depends on server
+>
+
+where whsp is a space ('{{EX: }}'), numericoid is a globally unique
+OID in dotted-decimal form (e.g. {{EX:1.1.0}}), qdescrs is one or
+more names, woid is either the name or OID optionally followed
+by a length specifier (e.g {{EX:{10}}}).
+
+For example, the attribute types {{EX:name}} and {{EX:cn}} are defined
+in {{F:core.schema}} as:
+
+> attributeType ( 2.5.4.41 NAME 'name'
+> DESC 'name(s) associated with the object'
+> EQUALITY caseIgnoreMatch
+> SUBSTR caseIgnoreSubstringsMatch
+> SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{32768} )
+> attributeType ( 2.5.4.3 NAME ( 'cn' 'commonName' )
+> DESC 'common name(s) associated with the object'
+> SUP name )
+
+Notice that each defines the attribute's OID, provides a short name,
+and a brief description. Each name is an alias for the OID.
+{{slapd}}(8) returns the first listed name when returning results.
+
+The first attribute, {{EX:name}}, holds values of {{EX:directoryString}}
+({{TERM:UTF-8}} encoded Unicode) syntax. The syntax is
+specified by OID (1.3.6.1.4.1.1466.115.121.1.15 identifies the
+directoryString syntax). A length recommendation of 32768 is
+specified. Servers should support values of this length, but may
+support longer values. The field does NOT specify a size constraint,
+so is ignored on servers (such as slapd) which don't impose such
+size limits. In addition, the equality and substring matching uses
+case ignore rules. Below are tables listing commonly used syntax
+and matching rules ({{slapd}}(8) supports these and many more).
+
+!block table; align=Center; coltags="EX,EX,N"; \
+ title="Table 8.3: Commonly Used Syntaxes"
+Name OID Description
+boolean 1.3.6.1.4.1.1466.115.121.1.7 boolean value
+directoryString 1.3.6.1.4.1.1466.115.121.1.15 Unicode (UTF-8) string
+distinguishedName 1.3.6.1.4.1.1466.115.121.1.12 LDAP {{TERM:DN}}
+integer 1.3.6.1.4.1.1466.115.121.1.27 integer
+numericString 1.3.6.1.4.1.1466.115.121.1.36 numeric string
+OID 1.3.6.1.4.1.1466.115.121.1.38 object identifier
+octetString 1.3.6.1.4.1.1466.115.121.1.40 arbitrary octets
+!endblock
+
+>
+
+!block table; align=Center; coltags="EX,N"; \
+ title="Table 8.4: Commonly Used Matching Rules"
+Name Type Description
+booleanMatch equality boolean
+caseIgnoreMatch equality case insensitive, space insensitive
+caseIgnoreOrderingMatch ordering case insensitive, space insensitive
+caseIgnoreSubstringsMatch substrings case insensitive, space insensitive
+caseExactMatch equality case sensitive, space insensitive
+caseExactOrderingMatch ordering case sensitive, space insensitive
+caseExactSubstringsMatch substrings case sensitive, space insensitive
+distinguishedNameMatch equality distinguished name
+integerMatch equality integer
+integerOrderingMatch ordering integer
+numericStringMatch equality numerical
+numericStringOrderingMatch ordering numerical
+numericStringSubstringsMatch substrings numerical
+octetStringMatch equality octet string
+octetStringOrderingMatch ordering octet string
+octetStringSubstringsMatch ordering octet string
+objectIdentiferMatch equality object identifier
+!endblock
+
+The second attribute, {{EX:cn}}, is a subtype of {{EX:name}} hence
+it inherits the syntax, matching rules, and usage of {{EX:name}}.
+{{EX:commonName}} is an alternative name.
+
+Neither attribute is restricted to a single value. Both are meant
+for usage by user applications. Neither is obsolete nor collective.
+
+The following subsections provide a couple of examples.
+
+
+H4: x-my-UniqueName
+
+Many organizations maintain a single unique name for each user.
+Though one could use {{EX:displayName}} ({{REF:RFC2798}}), this
+attribute is really meant to be controlled by the user, not the
+organization. We could just copy the definition of {{EX:displayName}}
+from {{F:inetorgperson.schema}} and replace the OID, name, and
+description, e.g:
+
+> attributetype ( 1.1.2.1.1 NAME 'x-my-UniqueName'
+> DESC 'unique name with my organization'
+> EQUALITY caseIgnoreMatch
+> SUBSTR caseIgnoreSubstringsMatch
+> SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
+> SINGLE-VALUE )
+
+However, if we want this name to be used in {{EX:name}} assertions,
+e.g. {{EX:(name=*Jane*)}}, the attribute could alternatively be
+defined as a subtype of {{EX:name}}, e.g.:
+
+> attributetype ( 1.1.2.1.1 NAME 'x-my-UniqueName'
+> DESC 'unique name with my organization'
+> SUP name )
+
+
+H4: x-my-Photo
+
+Many organizations maintain a photo of each each user. A
+{{EX:x-my-Photo}} attribute type could be defined to hold a photo.
+Of course, one could use just use {{EX:jpegPhoto}} ({{REF:RFC2798}})
+(or a subtype) to hold the photo. However, you can only do
+this if the photo is in {{JPEG File Interchange Format}}.
+Alternatively, an attribute type which uses the {{Octet String}}
+syntax can be defined, e.g.:
+
+> attributetype ( 1.1.2.1.2 NAME 'x-my-Photo'
+> DESC 'a photo (application defined format)'
+> SYNTAX 1.3.6.1.4.1.1466.115.121.1.40
+> SINGLE-VALUE )
+
+In this case, the syntax doesn't specify the format of the photo.
+It's assumed (maybe incorrectly) that all applications accessing
+this attribute agree on the handling of values.
+
+If you wanted to support multiple photo formats, you could define
+a separate attribute type for each format, prefix the photo
+with some typing information, or describe the value using
+{{TERM:ASN.1}} and use the {{EX:;binary}} transfer option.
+
+Another alternative is for the attribute to hold a {{TERM:URI}}
+pointing to the photo. You can model such an attribute after
+{{EX:labeledURI}} ({{REF:RFC2079}}) or simply create a subtype,
+e.g.:
+
+> attributetype ( 1.1.2.1.3 NAME 'x-my-PhotoURI'
+> DESC 'URI and optional label referring to a photo'
+> SUP labeledURI )
+
+
+H3: Object Class Specification
+
+The {{objectclasses}} directive is used to define a new object
+class. The directive uses the same Object Class Description
+(as defined in {{REF:RFC4512}}) used by the objectClasses
+attribute found in the subschema subentry, e.g.:
+
+E: objectclass <{{REF:RFC4512}} Object Class Description>
+
+where Object Class Description is defined by the following
+{{TERM:ABNF}}:
+
+> ObjectClassDescription = "(" whsp
+> numericoid whsp ; ObjectClass identifier
+> [ "NAME" qdescrs ]
+> [ "DESC" qdstring ]
+> [ "OBSOLETE" whsp ]
+> [ "SUP" oids ] ; Superior ObjectClasses
+> [ ( "ABSTRACT" / "STRUCTURAL" / "AUXILIARY" ) whsp ]
+> ; default structural
+> [ "MUST" oids ] ; AttributeTypes
+> [ "MAY" oids ] ; AttributeTypes
+> whsp ")"
+
+where whsp is a space ('{{EX: }}'), numericoid is a globally unique
+OID in dotted-decimal form (e.g. {{EX:1.1.0}}), qdescrs is one or more
+names, and oids is one or more names and/or OIDs.
+
+
+H4: x-my-PhotoObject
+
+To define an {{auxiliary}} object class which allows
+x-my-Photo to be added to any existing entry.
+
+> objectclass ( 1.1.2.2.1 NAME 'x-my-PhotoObject'
+> DESC 'mixin x-my-Photo'
+> AUXILIARY
+> MAY x-my-Photo )
+
+
+H4: x-my-Person
+
+If your organization would like have a private {{structural}}
+object class to instantiate users, you can subclass one of
+the existing person classes, such as {{EX:inetOrgPerson}}
+({{REF:RFC2798}}), and add any additional attributes which
+you desire.
+
+> objectclass ( 1.1.2.2.2 NAME 'x-my-Person'
+> DESC 'my person'
+> SUP inetOrgPerson
+> MUST ( x-my-UniqueName $ givenName )
+> MAY x-my-Photo )
+
+The object class inherits the required/allowed attribute
+types of {{EX:inetOrgPerson}} but requires {{EX:x-my-UniqueName}}
+and {{EX:givenName}} and allows {{EX:x-my-Photo}}.
+
+!if 0
+H2: Transferring Schema
+
+Since the {{slapd.conf}}(5) schema directives use {{REF:RFC4512}}
+format values, you can extract schema elements published by any
+{{TERM:LDAPv3}} server and easily construct directives for use with
+{{slapd}}(8).
+
+LDAPv3 servers publish schema elements in special {{subschema}}
+entries (or subentries). While {{slapd}}(8) publishes a single
+subschema subentry normally named {{EX:cn=Subschema}}, this behavior
+cannot be expected from other servers. The subschema subentry
+controlling a particular entry can be obtained by examining the
+{{EX:subschemaSubentry}} attribute contained in the entry at the
+root of each administrative context. For example,
+
+> ldapsearch -LLL -x -b "dc=example,dc=com" -s base "(objectclass=*)" subschemaSubentry
+
+To obtain the schema from a subschema subentry, you can use
+ldapsearch(1) as follows (replace the search base as needed):
+
+> ldapsearch -LLL -x -b "cn=Subschema" -s base "(objectclass=subschema)" attributeTypes objectClasses
+
+where "cn=Subschema" is the value of subschemaSubentry returned in
+the prior search.
+
+This will return {{TERM:LDIF}} output containing many type/value
+pairs. The following is an abbreviated example:
+
+> dn: cn=Subschema
+> objectClasses: ( 1.1.2.2.2 NAME 'x-my-Person' DESC 'my person' SUP inet
+> OrgPerson MUST ( x-my-UniqueName $ givenName ) MAY x-my-Photo )
+> attributeTypes: ( 1.1.2.1.1 NAME 'x-my-UniqueName' DESC 'unique name wi
+> th my organization' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstrin
+> gsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
+> attributeTypes: ( 1.1.2.1.2 NAME 'x-my-Photo' DESC 'a photo (applicatio
+> n defined format)' SYNTAX 1.3.6.1.4.1.1466.115.121.1.40
+
+Capture the output of the search in a file and then edit the file:
+
++ to contain only desired type/value pairs
+^ join LDIF continuation lines
+^ replace attribute type with directive name
+(e.g. {{EX:s/attributeTypes:/attributeType /}} and
+{{EX:s/objectClasses:/objectClass /}}).
+^ reorder lines so each element is defined before first use
+^ continue long directives over multiple lines
+
+For the three type/value pairs in our example, the edit should
+result in a file with contains of:
+
+> attributetype ( 1.1.2.1.1 NAME 'x-my-UniqueName'
+> DESC 'unique name with my organization'
+> EQUALITY caseIgnoreMatch
+> SUBSTR caseIgnoreSubstringsMatch
+> SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
+> SINGLE-VALUE )
+> attributeType ( 1.1.2.1.2 NAME 'x-my-Photo'
+> DESC 'a photo (application defined format)'
+> SYNTAX 1.3.6.1.4.1.1466.115.121.1.40
+> objectClass ( 1.1.2.2.2 NAME 'x-my-Person'
+> DESC 'my person'
+> SUP inetOrgPerson
+> MUST ( x-my-UniqueName $ givenName )
+> MAY x-my-Photo )
+
+Save in an appropriately named file (e.g. {{F:local.schema}}).
+You may now include this file in your {{slapd.conf}}(5) file.
+!endif
+
+
+H3: OID Macros
+
+To ease the management and use of OIDs, {{slapd}}(8) supports
+{{Object Identifier}} macros. The {{EX:objectIdentifier}} directive
+is used to equate a macro (name) with a OID. The OID may possibly
+be derived from a previously defined OID macro. The {{slapd.conf}}(5)
+syntax is:
+
+E: objectIdentifier <name> { <oid> | <name>[:<suffix>] }
+
+The following demonstrates definition of a set of OID macros
+and their use in defining schema elements:
+
+> objectIdentifier myOID 1.1
+> objectIdentifier mySNMP myOID:1
+> objectIdentifier myLDAP myOID:2
+> objectIdentifier myAttributeType myLDAP:1
+> objectIdentifier myObjectClass myLDAP:2
+> attributetype ( myAttributeType:3 NAME 'x-my-PhotoURI'
+> DESC 'URI and optional label referring to a photo'
+> SUP labeledURI )
+> objectclass ( myObjectClass:1 NAME 'x-my-PhotoObject'
+> DESC 'mixin x-my-Photo'
+> AUXILIARY
+> MAY x-my-Photo )
+