Oracle® Identity Management User Reference
10g (
Part Number E10531-01
7 LDAP Schema Overview

This chapter provides an overview of some of the basic concepts of the LDAP directory schema, and provides categorized lists of the schema elements for Oracle Identity Management. This chapter contains the following topics:

7.1 Overview of Directory Schema

A directory schema specifies, among other rules, the types of objects that a directory may contain and the mandatory and optional attributes of each object type. The Lightweight Directory Access Protocol (LDAP) version 3 defines a schema based on the X.500 standard for common objects found in a network, such as countries, localities, organizations, people, groups, and devices. In LDAP v3 the schema itself is available from the directory: it is represented as entries in the directory, and its definitions as attributes of those entries.

7.1.1 Object Classes

An object class is an LDAP directory term that denotes the type of object represented by a directory entry or record. Some object classes also define an object's relationship to other objects; for example, the object class top denotes that the object may have subordinate objects under it in a hierarchical tree structure. Several LDAP object classes may be combined to create one entry in the directory. For example, an entry for a user uses the top, person, organizationalPerson, inetOrgPerson, and orclUserV2 object classes.

Required and Allowed Attributes

The definition of an object class includes a list of required attributes (MUST) and allowed attributes (MAY). Required attributes include the attributes that must be present in entries using the object class. Allowed attributes include the attributes that may be present in entries using the object class.

Object Class Types

The X.500 1993 specification requires that object classes be assigned to one of four categories:

  • Structural: Object classes that can have instances in the directory. Structural classes are used to create directory objects or entries.

  • Abstract: Template object classes that are used only to derive new structural classes. Abstract classes cannot be instantiated in the directory.

  • Auxiliary: A list of attributes that can be appended to the definition of a Structural or Abstract class. An Auxiliary class cannot be instantiated in the directory.

  • 88 Classes: Assigning object classes to categories was not required in the X.500 1988 specification. Classes that were defined prior to the X.500 1993 standards, default to the 88 class. Do not define new 88 classes.

Object Class Inheritance

Inheritance, which is also referred to as derivation, is the ability to build new object classes from existing object classes. The new object is defined as a subclass of the parent object. A subclass is a class that inherits from some other class; for example, a subclass inherits structure and content rules from the parent. The parent object becomes a superclass of the new object. A superclass is a class from which one or more other classes inherit information.

7.1.2 Attributes

Directory data is represented as attribute-value pairs. Any piece of information in the directory is associated with a descriptive attribute. For example, the cn (commonName) attribute is used to store a nickname. A person named William (Bill) Smith can be represented in the directory as:

cn: Bill Smith

Attribute Name Limitations

The length of an attribute name must not exceed 127 characters. For more information about attribute management, refer to the Oracle Internet Directory Administrator's Guide.

Oracle Internet Directory imposes no limitations on the characters that can be used in attribute names. Other components of Oracle Identity Management, however, do limit the characters that can be used for certain attributes.

Oracle Delegated Administration Services and Oracle Directory Integration Platform prohibit the use of spaces and of any of the following characters in UserID: & ' % ? \ / + = ( ) * ^ , ; | ' ~

Oracle Application Server Single Sign-On requires that a password should not contain the following characters: & { } < > " ' ( )

Attribute Syntax

An attribute syntax is the basic building block of an attribute. Every attribute is assigned a syntax that defines the attribute value's data format. For example, attribute syntaxes determine whether an attribute stores an integer, string, or binary data. The syntax also defines the matching rules that control the type of comparison operations you can perform on the attribute value.

Oracle Internet Directory recognizes the attribute syntaxes specified in RFC 2252; that is, it enables you to associate any of the syntaxes described in that document with an attribute. Syntax is enforced only for the types listed below; a value of any other syntax is stored as given, so an application that depends on the format of such a value (an integer, a Boolean, a Generalized Time) must validate it itself. Oracle Internet Directory enforces attribute syntax for the following types:

  • DN

  • OID (object identifier)

  • Telephone Number

The following table describes the attribute syntaxes most commonly used in Oracle Internet Directory:

Table 7-1 Attribute Syntax Commonly Used in Oracle Internet Directory

Syntax                    Description
ACI Item                  Values for this attribute are access control identifier items.
Binary                    Values for this attribute are binary.
Boolean                   The attribute can contain only one of two values: true (1) or false (0).
Directory String          Values for this attribute are strings which are not case-sensitive.
DN                        Values for this attribute are DNs (distinguished names).
Generalized Time          Values for this attribute are encoded as printable strings. A time zone must be specified (such as GMT).
IA5 String                International Reference Alphabet No. 5 (IA5) string. Values for this attribute are case-sensitive.
Integer                   Valid values for this attribute are numbers.
JPEG                      Valid values for this attribute are JPEG files.
Name and Optional UID     Valid values for this attribute are names (DNs), each optionally followed by a UID.
OID                       A unique object identifier.
Printable String          A string that does NOT allow extended characters. Values for this attribute are not case-sensitive.
Telephone Number          Values for this attribute are in the form of telephone numbers.

Attribute Aliases

As of 10g (, you can create aliases for attribute names. For example, you could create the user-friendly alias surname for the attribute sn. Once you create an alias for an attribute name, a user can specify the alias instead of the attribute name in an LDAP operation.

You define an alias for an attribute in the LDAP schema definition of the attribute. The directory schema operational attribute attributeTypes has been enhanced to allow you to include aliases in the attribute name list. In previous releases, the format for an attribute name list was:

attributeTypes=( ObjectIdentifier NAME 'AttributeName'  ... )

As of 10g (, you may optionally specify:

attributeTypes=( ObjectIdentifier NAME ( 'AttributeName' 'Alias1' 'Alias2' ...) ... )

This is consistent with the LDAP protocol as specified by RFC 2251 and RFC 2252. In the attribute name list, the first item is recognized as the name of the attribute and the rest of the items in the list are recognized as attribute aliases. For example, to specify the alias surname for the attribute sn, you would change the schema definition for sn from:

attributeTypes=( NAME 'sn' SUP name )

to:

attributeTypes=( NAME ( 'sn' 'surname' ) SUP name )

See Also:

For more information regarding attribute alias rules, managing attribute aliases using command-line tools, and using attribute aliases refer to the "Attribute Aliases In the Directory" section in Oracle Internet Directory Administrator's Guide

Matching Rules

Matching rules are the rules for matching two attribute values that comply with the same attribute syntax. Oracle Internet Directory recognizes the following matching rule definitions in the schema.

  • accessDirectiveMatch

  • bitStringMatch

  • caseExactMatch

  • caseExactIA5Match

  • caseIgnoreIA5Match

  • caseIgnoreListMatch

  • caseIgnoreMatch

  • caseIgnoreOrderingMatch

  • distinguishedNameMatch

  • generalizedTimeMatch

  • generalizedTimeOrderingMatch

  • IntegerMatch

  • numericStringMatch

  • objectIdentifierFirstComponentMatch

  • ObjectIdentifierMatch

  • OctetStringMatch

  • presentationAddressMatch

  • protocolInformationMatch

  • telephoneNumberMatch

  • uniqueMemberMatch

  • orclpkimatchingrule

Of the matching rules in the previous list, Oracle Internet Directory actually enforces the following when it compares attribute values:

  • distinguishedNameMatch

  • caseExactMatch

  • caseIgnoreMatch

  • numericStringMatch

  • IntegerMatch

  • telephoneNumberMatch

  • orclpkimatchingrule
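The rules that Oracle Internet Directory enforces, listed above, decide which stored values compare equal in a search filter and, more importantly for access control, whether the DN in an ACI subject or in a group's member attribute matches the DN a client bound with: a DN that differs only in case or in spacing around separators is the same principal, while an attribute with an exact rule is not. The following Python module is an added example, not Oracle code and not the server's implementation. It reproduces the normalisation behind the enforced rules (caseIgnoreMatch and caseExactMatch with RFC 4518-style whitespace handling, numericStringMatch, telephoneNumberMatch, IntegerMatch, generalizedTimeMatch and its ordering rule, which reject a value without the zone the Generalized Time syntax requires, and distinguishedNameMatch, which splits RDNs on unescaped separators and compares attribute types case-insensitively). The EQUALITY_RULES table is a hand-written sample of what standard attributeTypes declare, and the DN splitter does not handle hex escapes such as \2C.

```python
"""Matching rules as value comparisons.  Added example, not Oracle Internet Directory
code; the string preparation is a simplified RFC 4518 and EQUALITY_RULES is a small
hand-written table of the EQUALITY rules that standard attributeTypes declare."""
import re
import unicodedata
from datetime import datetime, timedelta, timezone


def _prep(value, case_sensitive):
    # NFKC, trim, collapse internal whitespace to one space, then (optionally) case fold.
    s = " ".join(unicodedata.normalize("NFKC", value).split())
    return s if case_sensitive else s.casefold()


def case_ignore_match(a, b):
    return _prep(a, False) == _prep(b, False)


def case_exact_match(a, b):
    return _prep(a, True) == _prep(b, True)


def numeric_string_match(a, b):
    # Numeric String: spaces are insignificant everywhere.
    return a.replace(" ", "") == b.replace(" ", "")


def telephone_number_match(a, b):
    # Telephone Number: spaces and hyphens are insignificant.
    return re.sub(r"[ -]", "", a) == re.sub(r"[ -]", "", b)


def integer_match(a, b):
    return int(a) == int(b)


def _parse_generalized_time(value):
    """YYYYMMDDHH[MM[SS]][.fraction] followed by Z or +hhmm/-hhmm.  The zone is mandatory,
    as the Generalized Time syntax requires; a fraction is read as fractional seconds."""
    s = value.strip()
    if s.endswith("Z"):
        body, tz = s[:-1], timezone.utc
    else:
        m = re.search(r"([+-])(\d{2})(\d{2})$", s)
        if not m:
            raise ValueError(f"generalized time without a zone: {value!r}")
        body = s[: m.start()]
        offset = timedelta(hours=int(m.group(2)), minutes=int(m.group(3)))
        tz = timezone(offset if m.group(1) == "+" else -offset)
    micro = 0
    if "." in body or "," in body:
        body, frac = re.split(r"[.,]", body, maxsplit=1)
        micro = int((frac + "000000")[:6])
    fmt = {10: "%Y%m%d%H", 12: "%Y%m%d%H%M", 14: "%Y%m%d%H%M%S"}[len(body)]
    return datetime.strptime(body, fmt).replace(microsecond=micro, tzinfo=tz)


def generalized_time_match(a, b):
    return _parse_generalized_time(a) == _parse_generalized_time(b)


def generalized_time_ordering_match(a, b):
    """True when a is strictly earlier than b (the ordering rule behind <= and >= filters)."""
    return _parse_generalized_time(a) < _parse_generalized_time(b)


def _normalize_dn(dn):
    """DN -> tuple of RDNs, each a sorted tuple of (type, prepared value).  Splits on
    unescaped ',' and '+', so 'cn=Doe\\, John' keeps its comma; hex escapes are not handled."""
    rdns, avas, cur, esc = [], [], [], False
    for ch in dn + ",":                       # sentinel comma flushes the last RDN
        if esc:
            cur.append(ch)
            esc = False
        elif ch == "\\":
            esc = True                        # next character is literal (RFC 4514 escaping)
        elif ch in ",+":
            attr_type, _, value = "".join(cur).partition("=")
            avas.append((attr_type.strip().lower(), _prep(value, False)))
            cur = []
            if ch == ",":
                rdns.append(tuple(sorted(avas)))
                avas = []
        else:
            cur.append(ch)
    return tuple(rdns)


def distinguished_name_match(a, b):
    return _normalize_dn(a) == _normalize_dn(b)


EQUALITY_RULES = {  # lower-cased attribute name -> its EQUALITY rule (sample of standard types)
    "cn": case_ignore_match, "sn": case_ignore_match, "uid": case_ignore_match,
    "manager": distinguished_name_match, "member": distinguished_name_match,
    "telephonenumber": telephone_number_match,
    "internationalisdnnumber": numeric_string_match,
    "createtimestamp": generalized_time_match,
}


def values_equal(attribute, stored, asserted):
    """Compare with the attribute's EQUALITY rule.  An attribute missing from the table is
    compared exactly, a conservative default (a server treats an equality filter on an
    attribute with no EQUALITY rule as undefined rather than as exact)."""
    return EQUALITY_RULES.get(attribute.lower(), case_exact_match)(stored, asserted)
```

The DN normalisation is the part worth keeping close at hand: when an ACI seems not to apply to a bound identity, comparing `_normalize_dn` of the ACI subject and of the bind DN shows immediately whether the mismatch is real (a different RDN) or only cosmetic (case, spacing, an escaped comma).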

Sizing of Attribute Values

Attribute syntax does not put any specific size constraint on attribute values. You can, however, specify a size for the attribute value when defining the attribute. Some attributes in Oracle Internet Directory have size constraints defined in this way; however, Oracle Internet Directory does not enforce the declared length, so an application that depends on a maximum length must check it itself.

For example, to limit an attribute foo to a size of 64, you would define the attribute as follows:

(object_identifier_of_attribute NAME 'foo' EQUALITY caseIgnoreMatch SYNTAX 'object_identifier_of_syntax{64}')

Single-Valued and Multi-Valued Attributes

By default, most attributes are multi-valued. This means that an entry can contain the same attribute with multiple values. For single-valued attributes, only one instance of the attribute can be specified in an entry. For example, the attribute orclObjectGUID can have only one value.
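The object class rules (required and allowed attributes, the structural, abstract and auxiliary kinds, inheritance through SUP), the attribute alias rule (the first NAME is the name, the rest are aliases), the {size} suffix on SYNTAX and the SINGLE-VALUE flag all come from the same RFC 2252 schema grammar, so one small parser can drive an entry validator that applies all of them at once. The Python below is an added example, not Oracle Internet Directory code. The definitions marked assumed or trimmed are illustrative (orclUserV2, orclObjectGUID and foo carry made-up OIDs and made-up contents, and several MAY lists are shortened); the others are quoted from RFC 2256 and RFC 2798. Because the server does not enforce declared lengths, the size check here is the kind of client-side validation an application has to do for itself.

```python
"""RFC 2252 schema definitions -> entry validator.  Added example, not Oracle Internet
Directory code.  Definitions marked 'assumed' or 'trimmed' are illustrative."""
import re

_TOKEN = re.compile(r"\(|\)|\$|'[^']*'|[^\s()$']+")
_FLAGS = {"ABSTRACT", "STRUCTURAL", "AUXILIARY", "OBSOLETE", "SINGLE-VALUE", "NO-USER-MODIFICATION"}

def parse_definition(text):
    """'( oid KEY value ... )' -> {'oid': oid, 'KEY': [values], FLAG: True}; a value is a bare
    word, a 'quoted' word, or a parenthesised list with or without '$' separators."""
    toks = _TOKEN.findall(text)
    if len(toks) < 3 or toks[0] != "(" or toks[-1] != ")":
        raise ValueError(f"not a schema definition: {text!r}")
    out, i = {"oid": toks[1]}, 2
    while i < len(toks) - 1:
        kw, i = toks[i], i + 1
        if kw in _FLAGS:
            out[kw] = True
        elif toks[i] == "(":
            j = toks.index(")", i)
            out[kw], i = [t.strip("'") for t in toks[i + 1:j] if t != "$"], j + 1
        else:
            out[kw], i = [toks[i].strip("'")], i + 1
    return out

class Schema:
    def __init__(self, attribute_defs, objectclass_defs):
        self.attrs, self.alias, self.ocs = {}, {}, {}
        for d in map(parse_definition, attribute_defs):
            for n in d["NAME"]:                 # first NAME is the attribute name, the rest are aliases
                self.alias[n.lower()] = d["NAME"][0]
            self.attrs[d["NAME"][0].lower()] = d
        for d in self.attrs.values():           # SYNTAX, and its optional {size}, inherit through SUP
            p = d
            while "SYNTAX" not in p and "SUP" in p:
                p = self.attrs[self.alias[p["SUP"][0].lower()].lower()]
            m = re.fullmatch(r"[\d.]+(?:\{(\d+)\})?", p.get("SYNTAX", [""])[0])
            d["max_len"] = int(m.group(1)) if m and m.group(1) else None
        for d in map(parse_definition, objectclass_defs):
            for n in d["NAME"]:
                self.ocs[n.lower()] = d

    def canonical(self, attr):
        """Resolve an alias ('surname' -> 'sn'); None when the attribute is not defined."""
        return self.alias.get(attr.lower())

    def _ancestors(self, oc):
        seen, stack = [], [oc.lower()]
        while stack:
            n = stack.pop()
            if n not in seen:
                seen.append(n)
                stack.extend(s.lower() for s in self.ocs[n].get("SUP", []))
        return seen

    def _attr_set(self, oc, key):
        return {self.alias.get(a.lower(), a).lower() for a in self.ocs[oc].get(key, [])}

    def validate(self, entry):
        """Schema violations for entry = {attribute: [values]}; an empty list means valid."""
        ocs = [o.lower() for o in entry.get("objectClass", [])]
        if any(o not in self.ocs for o in ocs):
            return [f"unknown object class {o}" for o in ocs if o not in self.ocs]
        problems, closure = [], {a for o in ocs for a in self._ancestors(o)}
        structural = {o for o in closure if self.ocs[o].get("STRUCTURAL")}
        if not structural:
            problems.append("no structural object class: abstract and auxiliary classes cannot be instantiated alone")
        elif not any(structural <= set(self._ancestors(s)) for s in structural):
            problems.append("structural object classes are not on one superclass chain")
        must = set().union(*(self._attr_set(o, "MUST") for o in closure))
        may = set().union(*(self._attr_set(o, "MAY") for o in closure))
        present = set()
        for name, values in entry.items():
            canon = self.canonical(name)
            if canon is None:
                problems.append(f"undefined attribute {name}")
                continue
            present.add(canon.lower())
            d = self.attrs[canon.lower()]
            if d.get("SINGLE-VALUE") and len(values) > 1:
                problems.append(f"{canon} is single-valued but has {len(values)} values")
            if d["max_len"] and any(len(v) > d["max_len"] for v in values):
                problems.append(f"{canon} exceeds its declared size {d['max_len']}")
        problems += [f"missing required attribute {a}" for a in sorted(must - present)]
        problems += [f"attribute {a} not allowed by the object classes" for a in sorted(present - must - may)]
        return problems

ATTRIBUTE_TYPES = [
    "( 2.5.4.0 NAME 'objectClass' EQUALITY objectIdentifierMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 )",
    "( 2.5.4.41 NAME 'name' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{32768} )",
    "( 2.5.4.3 NAME 'cn' SUP name )",
    "( 2.5.4.4 NAME ( 'sn' 'surname' ) SUP name )",                                     # alias form from the text
    "( 0.9.2342.19200300.100.1.1 NAME 'uid' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )",
    "( 1.1.1 NAME 'orclObjectGUID' SINGLE-VALUE SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )",      # OID assumed
    "( 1.1.2 NAME 'foo' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{64} )",  # OID assumed; size example
]
OBJECT_CLASSES = [
    "( 2.5.6.0 NAME 'top' ABSTRACT MUST objectClass )",
    "( 2.5.6.6 NAME 'person' SUP top STRUCTURAL MUST ( sn $ cn ) MAY ( userPassword $ telephoneNumber $ seeAlso $ description ) )",
    "( 2.5.6.7 NAME 'organizationalPerson' SUP person STRUCTURAL MAY ( title $ ou $ l $ postalAddress ) )",  # MAY trimmed
    "( 2.16.840.1.113730.3.2.2 NAME 'inetOrgPerson' SUP organizationalPerson STRUCTURAL MAY ( displayName $ givenName $ mail $ uid ) )",  # MAY trimmed
    "( 2.5.6.9 NAME 'groupOfNames' SUP top STRUCTURAL MUST ( member $ cn ) MAY ( owner $ description ) )",  # MAY trimmed
    "( 1.1.3 NAME 'orclUserV2' SUP top AUXILIARY MAY ( orclObjectGUID $ foo ) )",                   # OID and contents assumed
]
SCHEMA = Schema(ATTRIBUTE_TYPES, OBJECT_CLASSES)

USER = {  # constructed sample entry; 'surname' satisfies person's MUST sn through the alias
    "objectClass": ["top", "person", "organizationalPerson", "inetOrgPerson", "orclUserV2"],
    "cn": ["Bill Smith"], "surname": ["Smith"], "uid": ["bsmith"], "orclObjectGUID": ["0123"],
}
```

`SCHEMA.validate(USER)` returns an empty list; an entry that mixes person with groupOfNames, gives the single-valued orclObjectGUID two values, or stores 65 characters in foo gets one message per violation, which is the same set of objectclass and attribute errors an LDAP server raises for a malformed add or modify.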

Attribute Usage

Attribute Usage defines how the attribute is used in the directory. The attribute usage types are:

  • userApplications - User applications attribute. This is the default attribute usage if not explicitly defined for the attribute.

  • directoryOperation - Directory operational attribute.

  • dSAOperation - DSA operational attribute.

Not User Modifiable

Attributes that are designated as "not user modifiable" can only be modified by the directory server. They cannot be modified by any other user or process.

7.1.3 LDAP Controls

As an LDAP Version 3 directory, Oracle Internet Directory extends the standard LDAP operations by using controls. These are extra pieces of information carried along with existing operations, altering the behavior of the operation. When a client application passes a control along with the standard LDAP command, the behavior of the commanded operation is altered accordingly.

Table 7-2 Controls Supported by Oracle Internet Directory

  • Used to manage referrals, dynamic groups, and alias objects in Oracle Internet Directory. For more information, see RFC 3296.

  • Used to perform a proxy switch of an identity on an established LDAP connection. For example, suppose that Application A connects to the directory server and then wishes to switch to Application B. It can simply rebind by supplying the credentials of Application B. There are times, however, when an application needs to switch identities even though the credentials of the target identity are not available. With this control, Application A can switch to Application B provided Application A has the privilege in Oracle Internet Directory to proxy as Application B. Because the control lets one identity act as another without that identity's credentials, grant the proxy privilege only to the specific application identities that need it.

  • Sent by applications that require Oracle Internet Directory to check for account lockout before sending the verifiers of the user to the application. If Oracle Internet Directory detects this control in the verifier search request and the user account is locked, then Oracle Internet Directory does not send the verifiers to the application; it sends the appropriate password policy error instead.

  • CONNECT_BY control, used for hierarchical searches. Behavior is determined by the values passed with the control. Two values can be passed with the control, an integer and a string, in any order.

    The string value is required for queries where the hierarchy-establishing attribute cannot be determined from the search signature, that is, the base, scope, and filter.

    For searching all containers in which an entry is contained, the query filter (manager=cn=john doe,o=foo) contains the hierarchy-establishing attribute name (manager), so it does not need to be passed in the control value. The filter also contains the root of the hierarchy (cn=john doe,o=foo).

    For searching all containers contained within an entry, the query filter would typically be objectclass=* and the base would be the root of the hierarchy, so there is no information about the hierarchy-establishing attribute in the search signature. Thus, it must be passed in the control value.

    The integer value indicates the number of levels of the hierarchy to traverse. It can be present when querying in either direction, but is not required. If the value is zero or absent, then all levels are traversed.

    Note: For more information and examples of the CONNECT_BY control, refer to the section "Performing Hierarchical Searches" in Oracle Identity Management Application Developer's Guide.

  • Intended for a client to send the end user's IP address if IP lockout is to be enforced by Oracle Internet Directory.

  • Used with dynamic groups. Directs the directory server to read the specified attributes of the members rather than the membership lists.

  • Password policy request control. The client sends it to obtain the password policy response controls from the server.

  • Password policy response control. The server sends it when the pwdExpireWarning attribute is enabled and the client sent the request control. The response control value contains the time in seconds to password expiration.

  • Password policy response control. The server sends it when grace logins are configured and the client sent the request control. The response control value contains the remaining number of grace logins.

  • Password policy response control. The server sends it when forced password reset is enabled and the client sent the request control. The client must force the user to change the password upon receipt of this control.

  • Request control that the client sends when it wants the server to create a dynamic password verifier. The server uses the parameters in the request control to construct the verifier.

  • Response control that the server sends to the client when an error occurs. The response control contains the error code.

  • Password policy for verifier control in the search request. If the control is present, then all state policies applicable to the user are applied to the verifier control.

  • Certificate search control. Request control that the client sends to specify how to search for a user certificate.

  • Server-side sorting control. Obtains sorted results from an LDAP search, as described in IETF RFC 2891. You request sorted results by passing this control to the search function. The server returns a response control of type 1.2.840.113556.1.4.474. Error processing and other details are described in RFC 2891.

    Note: For the Oracle Internet Directory implementation of RFC 2891, refer to Oracle Identity Management Application Developer's Guide.

  • Simple paged results control. Obtains paged results from an LDAP search, as described in IETF RFC 2696. You request paged results by passing a control of type 1.2.840.113556.1.4.319 to the search function. Details are described in RFC 2696.

    Note: Sorting and paging may be used together. Also refer to IETF RFC 2696, "LDAP Control Extension for Simple Paged Results Manipulation."
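The paged results control is the entry in the table whose identifier and wire format are fully specified by a public RFC, so it makes a good worked example of how a control travels alongside a search operation. The Python below is an added example, not Oracle code: it DER-encodes the request control (Control ::= SEQUENCE { controlType, criticality, controlValue }, with the RFC 2696 value SEQUENCE { size INTEGER, cookie OCTET STRING }), decodes the server's response control, and drives the cookie loop against fake_server, a constructed in-memory stand-in for the directory that is not Oracle Internet Directory. Two details matter in practice: send the control critical, so a server that does not support it fails the search with unavailableCriticalExtension rather than returning an unbounded (or silently truncated) result set; and treat the cookie as opaque, returning it unchanged on the same connection.

```python
"""RFC 2696 simple paged results: build the request control, decode the response control,
and run the cookie loop.  Added example with a hand-rolled DER encoder; not Oracle code.
fake_server is a constructed stand-in for the directory, not Oracle Internet Directory."""

PAGED_RESULTS_OID = "1.2.840.113556.1.4.319"


def _der_len(n):
    """DER length: short form below 128, otherwise 0x80|count followed by big-endian bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def _der_int(n):
    # Minimal two's-complement encoding; the extra byte keeps values >= 128 positive.
    return _tlv(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big", signed=True))


def _read_tlv(buf, pos=0):
    """Return (tag, body, position just after the element)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        count = first & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def encode_paged_control(size, cookie=b"", critical=True):
    """Control ::= SEQUENCE { controlType LDAPOID, criticality BOOLEAN, controlValue OCTET STRING }
    with controlValue = SEQUENCE { size INTEGER, cookie OCTET STRING }.  critical=True makes a
    server that lacks the extension refuse the search instead of returning everything unpaged."""
    value = _tlv(0x30, _der_int(size) + _tlv(0x04, cookie))
    body = _tlv(0x04, PAGED_RESULTS_OID.encode("ascii"))
    if critical:
        body += _tlv(0x01, b"\xff")
    return _tlv(0x30, body + _tlv(0x04, value))


def decode_paged_control(data):
    """Parse a Control (the request, or the server's response) -> (oid, critical, size, cookie).
    In a response, size is the server's estimate of the total result count."""
    _, body, _ = _read_tlv(data)
    _, oid, pos = _read_tlv(body)
    critical = False
    if pos < len(body) and body[pos] == 0x01:       # criticality is OPTIONAL (DEFAULT FALSE)
        _, flag, pos = _read_tlv(body, pos)
        critical = flag != b"\x00"
    _, value, _ = _read_tlv(body, pos)
    _, seq, _ = _read_tlv(value)
    _, size_bytes, pos = _read_tlv(seq)
    _, cookie, _ = _read_tlv(seq, pos)
    return oid.decode("ascii"), critical, int.from_bytes(size_bytes, "big", signed=True), cookie


def fake_server(entries, request_control):
    """Constructed directory stand-in: returns one page plus a response control whose cookie
    is the offset of the next page, or empty once the result set is exhausted."""
    oid, _, size, cookie = decode_paged_control(request_control)
    if oid != PAGED_RESULTS_OID:
        raise ValueError("unavailableCriticalExtension")   # what a real server answers to an unknown critical control
    start = int(cookie) if cookie else 0
    next_start = start + size
    next_cookie = str(next_start).encode() if next_start < len(entries) else b""
    return entries[start:next_start], encode_paged_control(len(entries), next_cookie, critical=False)


def paged_search(server, page_size):
    """Client side of the exchange: resend the control with the returned cookie until it is empty."""
    results, cookie = [], b""
    while True:
        page, response_control = server(encode_paged_control(page_size, cookie))
        results.extend(page)
        _, _, _, cookie = decode_paged_control(response_control)
        if not cookie:
            return results
```

The same `_tlv`/`_der_int` helpers build any other control in the table once the ASN.1 of its value is known; only the OID and the value structure change. Real servers return the response control in the controls field of the SearchResultDone message, which is where a client library hands it back.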

7.2 Overview of Oracle Identity Management Schema Elements

This section lists the Oracle Identity Management schema elements by category. Each category contains a list of applicable LDAP object classes and attributes that link to the detailed information for the specified attribute or object class. The schema elements are grouped into the following categories:

7.2.1 System Operational Schema Elements

System operational schema elements are those used by the directory server. System operational object classes are used by the directory server to create entries that pertain to directory server operations. Certain system operational attributes may be available for use on every entry in the directory, regardless of whether they are defined for the object class of the entry. This section contains the following topics:

Directory Schema

This section lists the operational attributes and object classes for the directory schema.

Attributes

attributeTypes, contentRules, ldapSyntaxes, matchingRules, objectClasses

Object Classes

subschema

Access Control

This section lists the operational attributes for access control.

Attributes

orclACI, orclEntryLevelACI

Change Logs

This section lists the operational attributes for change logs.

Attributes

createTimestamp, creatorsName, modifiersName, modifyTimestamp

7.2.2 Oracle Internet Directory Configuration Schema Elements

This section lists the schema elements that pertain to the configuration of Oracle Internet Directory. It contains the following topics:

Garbage Collection

This section lists the attributes and object classes that pertain to the configuration of garbage collection.

Attributes

orclPurgeBase, orclPurgeDebug, orclPurgeEnable, orclPurgeFileLoc, orclPurgeFileName, orclPurgeFilter, orclPurgeInterval, orclPurgeNow, orclPurgePackage, orclPurgeStart, orclPurgeTargetAge, orclPurgeTranSize

Object Classes

orclPurgeConfig, tombstone

Attribute Uniqueness

This section lists the attributes and object classes that pertain to the configuration of attribute uniqueness.

Attributes

orclUniqueAttrName, orclUniqueEnable, orclUniqueObjectClass, orclUniqueScope, orclUniqueSubtree

Object Classes

7.2.6 Oracle Directory Integration Platform Schema Elements

This section lists the schema elements for Oracle Directory Integration Platform. It contains the following topics:

Applications

This section lists the attributes and object classes for Oracle Directory Integration Platform applications.

Attributes

orclApplicationType, orclInterval, orclODIPAgent, orclODIPApplicationName, orclODIPCommand, orclODIPDbConnectInfo, orclODIPEventSubscriptions, orclOwnerGUID, orclStatus, orclVersion

Object Classes

orclODIPApplicationCommonConfig, orclODIPAppSubscription

Change Logs

This section lists the attributes and object classes for Oracle Directory Integration Platform change logs.

Attributes

orclLastAppliedChangeNumber, orclSubscriberDisable, serverName, userPassword

Object Classes

orclChangeSubscriber

Profiles

This section lists the attributes and object classes for Oracle Directory Integration Platform synchronization and provisioning profiles.

Attributes

cn, orclODIPAgentConfigInfo, orclODIPAgentControl, orclODIPAgentExeCommand, orclODIPAgentHostName, orclODIPAgentName, orclODIPAgentPassword, orclODIPAttributeMappingRules, orclODIPBootStrapStatus, orclODIPConDirAccessAccount, orclODIPConDirAccessPassword, orclODIPConDirLastAppliedChgNum, orclODIPConDirMatchingFilter, orclODIPConDirURL, orclODIPEncryptedAttrKey, orclODIPInterfaceType, orclODIPLastExecutionTime, orclODIPLastSuccessfulExecutionTime, orclODIPOIDMatchingFilter, orclODIPProfileDebugLevel, orclODIPProfileExecGroupID, orclODIPProfileInterfaceAdditionalInformation, orclODIPProfileInterfaceConnectInformation, orclODIPProfileInterfaceName, orclODIPProfileInterfaceType, orclODIPProfileInterfaceVersion, orclODIPProfileLastAppliedAppEventID, orclODIPProfileLastProcessingTime, orclODIPProfileLastSuccessfulProc­essingTime, orclODIPProfileMaxErrors, orclODIPProfileMaxEventsPerInvocation, orclODIPProfileMaxEventsPerSchedule, orclODIPProfileMaxRetries, orclODIPProfileName, orclODIPProfileProcessingErrors, orclODIPProfileProcessingStatus, orclODIPProfileSchedule, orclODIPProvisioningAppGUID, orclODIPProvisioningAppName, orclODIPProvisioningEventMappingRules, orclODIPProvisioningEventPermittedOperations, orclODIPProvisioningEventSubscription, orclODIPProvisioningOrgGUID, orclODIPProvisioningOrgName, orclODIPSchedulingInterval, orclODIPSynchronizationErrors, orclODIPSynchronizationMode, orclODIPSynchronizationStatus, orclODIPSyncRetryCount, orclPasswordAttribute, orclStatus, orclVersion, userPassword

Object Classes

orclODIPIntegrationProfile, orclODIProfile, orclODIPProvisioningIntegrationProfile, orclODIPProvisioningIntegrationProfileV2, orclODIPProvisioningIntegrationOutBoundProfile, orclODIPProvisioningIntegrationOutBoundProfileV2

Schema

This section lists the attributes and object classes for Oracle Directory Integration Platform schema information.

Attributes

orclODIPApplicationsLocation, orclODIPInstancesLocation, orclODIPObjectDefnLocation, orclODIPProvProfileLocation, orclODIPRootLocation, orclODIPSchemaVersion, orclODIPServerConfigLocation, orclODIPSyncProfileLocation

Object Classes

orclODIPSchemaDetails

Active Directory Users

The following attributes and object classes are used for users that are imported into Oracle Internet Directory from Microsoft Active Directory using Oracle Directory Integration Platform.

Attributes

orclObjectGUID, orclObjectSID, orclSAMAccountName, orclUserPrincipalName

Object Classes

orclADGroup, orclADUser, orclNTUser

7.2.8 Oracle Application Server Certificate Authority and PKI Schema Elements

This section lists the attributes and object classes that pertain to public key infrastructure (PKI), certificates, and Oracle Application Server Certificate Authority.

Attributes

orclCertExtensionAttribute, orclCertExtensionOID, orclCertificateHash, orclCertificateMatch, orclCertMappingAttribute, orclPKINextUpdate, orclPKIValMecAttr, x509issuer

Object Classes

orclCertIdMapping, orclPKICRL, orclPKIValMecCl

7.2.12 Directory User Agents Schema Elements

This section lists the attributes and object classes for configuring directory user agents (DUAs).

Attributes

attributeMap, authenticationMethod, bindTimeLimit, cn, credentialLevel, defaultSearchBase, defaultSearchScope, defaultServerList, followReferrals, objectClass, objectClassMap, preferredServerList, profileTTL, searchTimeLimit, serviceAuthenticationMethod, serviceCredentialLevel, serviceSearchDescriptor

Object Classes


7.2.13 User, Group, and Subscriber Schema Elements

This section lists the attributes and object classes used for users, groups, and subscribers. It contains the following topics:

Groups

Oracle Internet Directory uses the standard object classes groupOfNames and groupOfUniqueNames as defined in RFC 2256. In addition to the standard attributes and object classes, the following are also used for groups.

Attributes

displayName, mail, orclGlobalID, orclIsVisible

Object Classes

orclGroup

Dynamic Groups

This section lists the attributes and object classes for dynamic groups.

Attributes

labeledURI, mail, orclConnectByAttribute, orclConnectBySearchBase, orclConnectByStartingValue

Object Classes

7.2.15 Password Verifier Schema Elements

This section lists the attributes and object classes that pertain to password verifiers.

Attributes

cn, displayName, orclAppId, orclPwdVerifierParams, owner

Object Classes