This tutorial refers to OpenLDAP 2.0 on Red Hat Linux 7.1.
The predefined LDAP data types are found in /etc/openldap/schema/
LDAP data definitions require objects and attributes:
- Object definitions are collections of LDAP attributes.
- Attributes are LDAP data types.
In all cases the objects and attributes are identified by an OID number which uniquely identifies them. This tutorial uses the OIDs reserved by OpenLDAP.org for "experimental use" (1.3.6.1.4.1.4203.666.XXX, where XXX is any integer). One should register with the IANA and obtain an OID assignment for one's own organization.
LDAP object description is defined in RFC2252.
ObjectClassDescription = "(" whsp
    numericoid whsp                                       ; ObjectClass identifier
    [ "NAME" qdescrs ]
    [ "DESC" qdstring ]
    [ "OBSOLETE" whsp ]
    [ "SUP" oids ]                                        ; Superior ObjectClasses
    [ ( "ABSTRACT" / "STRUCTURAL" / "AUXILIARY" ) whsp ]  ; default structural
    [ "MUST" oids ]                                       ; AttributeTypes
    [ "MAY" oids ]                                        ; AttributeTypes
    whsp ")"
- whsp is a space (' ')
- numericoid is a globally unique OID in numeric form (e.g. 1.2.3)
- qdescrs is one or more names
- oids is one or more names and/or OIDs.
File: /etc/openldap/schema/new-object.schema
objectClass ( 1.3.6.1.4.1.4203.666.1.100
    NAME 'YoLinuxPerson'
    DESC 'X-Person'
    SUP inetOrgPerson
    STRUCTURAL
    MAY ( personStatus $ preferredEmail $ mail2 $ businessName $ xmozillanickname $ birthdate $ c ) )
Discussion:
The object definition shown inherits the data object defined by inetOrgPerson and extends it with six new attributes. The seventh attribute in the MAY list, "c" (country), is already defined in /etc/openldap/schema/core.schema.
Notes:
- If you remove an attribute from the object definition, restart LDAP and then try to update an object of that class, the update fails with "Object Violation". This happened with an attribute that still held data in existing entries after it was deleted from the definition.
- In general I would recommend that you create the object definition properly the first time and then leave it unchanged.
LDAP attribute description is also defined in RFC2252.
AttributeTypeDescription = "(" whsp
    numericoid whsp                ; AttributeType identifier
    [ "NAME" qdescrs ]             ; name used in AttributeType
    [ "DESC" qdstring ]            ; description
    [ "OBSOLETE" whsp ]
    [ "SUP" woid ]                 ; derived from this other
                                   ; AttributeType
    [ "EQUALITY" woid ]            ; Matching Rule name
    [ "ORDERING" woid ]            ; Matching Rule name
    [ "SUBSTR" woid ]              ; Matching Rule name
    [ "SYNTAX" whsp noidlen whsp ] ; see section 4.3
    [ "SINGLE-VALUE" whsp ]        ; default multi-valued
    [ "COLLECTIVE" whsp ]          ; default not collective
    [ "NO-USER-MODIFICATION" whsp ]; default user modifiable
    [ "USAGE" whsp AttributeUsage ]; default userApplications
    whsp ")"
File: /etc/openldap/schema/new-attributes.schema
# New attribute definitions:
attributetype ( 1.3.6.1.4.1.4203.666.1.90 NAME 'personStatus'
    EQUALITY caseIgnoreMatch
    SUBSTR caseIgnoreSubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1024} )

attributetype ( 1.3.6.1.4.1.4203.666.1.91 NAME 'preferredEmail'
    EQUALITY caseIgnoreMatch
    SUBSTR caseIgnoreSubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1024} )

attributetype ( 1.3.6.1.4.1.4203.666.1.92 NAME 'mail2'
    DESC 'RFC1274: RFC822 Mailbox'
    EQUALITY caseIgnoreIA5Match
    SUBSTR caseIgnoreIA5SubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )

attributetype ( 1.3.6.1.4.1.4203.666.1.93 NAME 'businessName'
    EQUALITY caseIgnoreMatch
    SUBSTR caseIgnoreSubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1024} )

attributetype ( 1.3.6.1.4.1.4203.666.1.94 NAME 'xmozillanickname'
    EQUALITY caseIgnoreMatch
    SUBSTR caseIgnoreSubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1024} )

attributetype ( 1.3.6.1.4.1.4203.666.1.95 NAME 'birthdate'
    SUP name )
More Attribute Definition Details:
- Inheritance of an existing attribute type:
attributetype ( 2.5.4.31 NAME 'member' SUP distinguishedName )
- Assign two attribute names to the same data field:
attributetype ( 2.5.4.7 NAME ( 'l' 'localityName' ) SUP name )
This example from the core.schema schema file shows that the attribute names "l" and "localityName" refer to the same attribute.
- Defining the data type explicitly:
attributetype ( 2.5.4.15 NAME 'businessCategory' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} )
This example from the core.schema schema file shows that the attribute definition for "businessCategory" allows search comparisons for records that are equal to a given value (EQUALITY) or contain a given substring (SUBSTR). In this case the equality comparison is case insensitive (caseIgnoreMatch), and the substring match is also case insensitive (caseIgnoreSubstringsMatch).
The data type has also been defined explicitly as "Directory String", which is encoded in the UTF-8 form of ISO 10646 (a superset of Unicode), with a maximum length of 128 characters ({128}). The OID 1.3.6.1.4.1.1466.115.121.1.15 represents this data type.
See the list of syntax names and OIDs in RFC2252 (section 4.3).
File: /etc/openldap/slapd.conf
...
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/new-attributes.schema
include /etc/openldap/schema/new-object.schema
...
Note: The order is important. The attributes must be read before they can be included in the object definition.
Example:
dn: cn=Schemp Anderson,o=family
cn: Schemp Anderson
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: YoLinuxPerson
mail: SAnderson@isp.com
givenname: Schemp
sn: Anderson
ou: MemberGroupB
street: 16 Cherry St.
l: Dallas
st: TX
postalcode: 76888
c: US
pager: 800-555-1319
homePhone: 800-555-1313
mobile: 800-555-1318
birthdate: 10/2/23
mail2: SAnderson@isp.com
preferredEmail: 1
businessName: ABC Inc.
xmozillanickname: The boring new guy
Note that the LDIF file contains data attributes associated with the "inetOrgPerson" object as well as the "YoLinuxPerson" object extensions. This is commonly referred to as object inheritance.
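As an added example (not part of the original tutorial), a small Python checker that reads RFC2252-style attributetype and objectClass definitions in include order, flags a MUST/MAY attribute referenced before its attributetype was read (the ordering note above), follows SUP chains to compute the attributes an entry may carry (object inheritance), and reports attributes in an LDIF entry that none of its object classes permit, which is the "Object Violation" failure from the Notes. The schema text and entry are constructed, abridged versions of the page's definitions, and the names `load_schema`, `allowed` and `violations` are my own.

```python
import re
# Constructed, abridged schema in the order slapd.conf would include it: attributes before the classes that use them.
SCHEMA = """
attributetype ( 2.5.4.3 NAME ( 'cn' 'commonName' ) SUP name )
attributetype ( 1.3.6.1.4.1.4203.666.1.90 NAME 'personStatus' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1024} )
objectClass ( 2.5.6.6 NAME 'person' SUP top STRUCTURAL MUST ( cn ) )
objectClass ( 1.3.6.1.4.1.4203.666.1.100 NAME 'YoLinuxPerson' DESC 'X-Person' SUP person STRUCTURAL MAY ( personStatus ) )
"""
# Constructed entry: 'birthdate' was dropped from YoLinuxPerson's MAY list but the data still carries it.
ENTRY = """
dn: cn=Schemp Anderson,o=family
objectClass: top
objectClass: person
objectClass: YoLinuxPerson
cn: Schemp Anderson
personStatus: active
birthdate: 10/2/23
"""

def _oids(desc, key):
    # Names following KEY: either one 'name' or a '( a $ b )' list (RFC2252 qdescrs / oids).
    m = re.search(r"\b%s\s+(?:\(([^)]*)\)|('?[\w;-]+'?))" % key, desc)
    body = m.group(1) if m and m.group(1) is not None else (m.group(2) if m else "")
    return [t.strip("'") for t in re.split(r"[$\s]+", body) if t.strip("'")]

def load_schema(text):
    # Parse in file order; returns (attribute names, {class: (sup, must, may)}, ordering errors).
    attrs, classes, errors = set(), {}, []
    for m in re.finditer(r"^\s*(attributetype|objectclass)\s*(\(.*\))", text, re.I | re.M):
        kind, desc = m.group(1).lower(), m.group(2)
        names = _oids(desc, "NAME")
        if kind == "attributetype":
            attrs.update(names)
        else:  # an object class may only list attributes whose definitions were already read
            must, may = _oids(desc, "MUST"), _oids(desc, "MAY")
            errors += ["%s: '%s' is not defined yet" % (names[0], a) for a in must + may if a not in attrs]
            classes[names[0]] = (_oids(desc, "SUP"), must, may)
    return attrs, classes, errors

def allowed(classes, cls):
    # Attributes an entry of CLS may carry, including everything inherited through SUP.
    sups, must, may = classes.get(cls, ([], [], []))
    return set(must) | set(may) | set().union(*(allowed(classes, s) for s in sups))

def violations(ldif, classes):
    # Attributes present in the entry that no listed objectClass permits; slapd rejects such updates.
    present = {line.partition(":")[0].strip().lower() for line in ldif.strip().splitlines()}
    ocs = [line.partition(":")[2].strip() for line in ldif.splitlines() if line.lower().startswith("objectclass:")]
    ok = {a.lower() for oc in ocs for a in allowed(classes, oc)} | {"dn", "objectclass"}
    return sorted(present - ok)
```

Running `violations(ENTRY, load_schema(SCHEMA)[1])` reports `['birthdate']`, the attribute that would trigger the object class violation when the entry is modified; swapping the two definition kinds in the schema text makes `load_schema` report the forward reference instead.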
- YoLinux GILSE schema extensions and example - Support for MS/Outlook and Netscape Communicator address books.
- OpenLDAP.org: Schema Specification - Chapter 8 of the OpenLDAP 2.0 manual.
- OpenLDAP OID description
"Understanding And Deploying LDAP Directory Services",
by Timothy A. Howes, PhD, Mark C. Smith and Gordon S. Good, ISBN 0672323168, Addison-Wesley Pub Co, second edition. It is general in nature but complete in that it covers all concepts in depth. It is a good book for those wanting to understand everything about LDAP, schema development and its capabilities.

"Understanding And Deploying LDAP Directory Services",
by Timothy A. Howes, PhD, Mark C. Smith and Gordon S. Good, ISBN 1-57870-070-1, Macmillan Technical Publishing, first edition, out of print (used only). See second edition above. This is the largest LDAP book I own. It is general in nature but complete in that it covers all concepts in depth. It is NOT a good programmer's reference but it is good for those wanting to understand everything about LDAP, schema development and its capabilities. Netscape centric.

"Programming Directory-Enabled Applications with Lightweight Directory Access Protocol",
by Timothy A. Howes, PhD and Mark C. Smith, ISBN 1-57870-000-0, Macmillan Technical Publishing. Excellent programmer's reference for those using the LDAP C language API. Also covers search filters and LDAP URLs. The OpenLDAP source code is so poorly commented that I found this book often was the only source for an explanation of what was happening in the code.

"Implementing LDAP",
Mark Wilcox, ISBN 1-861002-21-1, Wrox Press. This book covers all aspects of LDAP from LDIF to the LDAP SDK in C, Perl and Java. It has a strong Netscape Directory server bias.

"LDAP System Administration",
Gerald Carter, ISBN 1565924916, O'Reilly & Associates. This book covers the use of OpenLDAP and the integration of services.

"LDAP Programming, Management and Integration",
Clayton Donley, ISBN 1930110405, Manning Publications, 1st edition. This book covers LDAP administration as well as introductory information. It covers the Directory Services Markup Language (DSML), the Perl LDAP module as well as Java JNDI.

"Understanding LDAP - Design and Implementation" - IBM Redbooks
Heinz Johner, Larry Brown, Franz-Stefan Hinner, Wolfgang Reis, Johan Westman, IBM Redbook #SG24-4986-00. A reference to LDAP, available as PDF as well. This book has a bias towards IBM's E-network LDAP Directory server. Tight, terse, but covers everything.

"LDAP Implementation and Practical Use"
IBM Redbook #SG24-6193-00