Oracle Internet Directory Administrator's Guide
Release 3.0.1

Part Number A90151-01

C
Schema Elements

This appendix briefly lists different schema elements supported by Oracle Internet Directory. Most of these elements are used as defined by the ldapext and ASID working groups of the Internet Engineering Task Force (IETF).

See Also:

The following URLs on the World Wide Web:

 

This appendix contains these topics:

IETF Requests for Comments (RFCs) Enforced by Oracle Internet Directory

Oracle Internet Directory enforces the following Requests for Comments (RFCs) of the Internet Engineering Task Force (IETF):

RFC | Title | URL
1777 | Lightweight Directory Access Protocol | http://www.ietf.org/rfc/rfc1777.txt
1778 | The String Representation of Standard Attribute Syntaxes | http://www.ietf.org/rfc/rfc1778.txt
1779 | A String Representation of Distinguished Names | http://www.ietf.org/rfc/rfc1779.txt
1960 | A String Representation of LDAP Search Filters | http://www.ietf.org/rfc/rfc1960
2079 | Definition of an X.500 Attribute Type and an Object Class to Hold Uniform Resource Identifiers (URIs) | http://www.ietf.org/rfc/rfc2079.txt
2247 | Using Domains in LDAP/X.500 Distinguished Names | http://www.ietf.org/rfc/rfc2247.txt
2251 | Lightweight Directory Access Protocol (v3) | http://www.ietf.org/rfc/rfc2251.txt
2252 | Lightweight Directory Access Protocol (v3): Attribute Syntax Definitions | http://www.ietf.org/rfc/rfc2252.txt
2253 | Lightweight Directory Access Protocol (v3): UTF-8 String Representation of Distinguished Names | http://www.ietf.org/rfc/rfc2253.txt
2254 | The String Representation of LDAP Search Filters | http://www.ietf.org/rfc/rfc2254.txt
2255 | The LDAP URL Format | http://www.ietf.org/rfc/rfc2255.txt
2256 | A Summary of the X.500(96) User Schema for use with LDAPv3 | http://www.ietf.org/rfc/rfc2256.txt

IETF Drafts Enforced by Oracle Internet Directory

Oracle Internet Directory enforces the following two drafts of the IETF:

Draft: "Definition of the inetOrgPerson LDAP Object Class"
URL: http://ietf.org/rfc/rfc2798.txt

Draft: "Referrals and Knowledge References in LDAP Directories"
URL: http://www.ietf.org/proceedings/99nov/I-D/draft-ietf-ldapext-knowledge-00.txt

Proprietary Oracle Internet Directory Schema Elements

Oracle Internet Directory's proprietary schema includes attributes and object classes in these categories:

In addition, Oracle Internet Directory installation includes schema elements that enable specific Oracle products to use Oracle Internet Directory. For information about these schema elements, see the documentation for the specific Oracle product.

Access Control

Attributes

orclEntryLevelACI, orclACI

Object Class

orclPrivilegeGroup

Replication

Attributes

orclGUID, changeNumber, changeType, changes, orclParentGUID, server, supplier, consumer, orclReplBindDN, orclReplBindPassword, changeLog, changeStatus, orclChangeRetryCount, orclPurgeSchedule, orclDirReplGroupAgreement, orclAgreementId, orclSupplierReference, orclConsumerReference, orclReplicationProtocol, orclUpdateSchedule, targetDN, orclExcludedNamingcontexts, orclDirReplGroupDSAs

Object class

changeLogEntry, changeStatusEntry, orclReplAgreementEntry

Oracle Internet Directory Configuration

Attributes

orcldebugflag, orclMaxCC, orclDBType, orclSuffix, orclDITRoot, orclSuName, orclSuPassword, orclSizeLimit, orclTimeLimit, orclGuName, orclGuPassword, orclServerProcs, orclconfigsetnumber, orclhostname, orclIndexedAttribute, orclCatalogEntryDN, orclServerMode, orclPrName, orclPrPassword, orclUseEncrypt, orclDirectoryVersion

Object class

subconfig, orclConfigSet, orclLDAPSubConfig, orclREPLSubConfig, orclcontainerOC, subregistry, orclLDAPInstance, orclREPLInstance, orclIndexOC, orcleventLog, orclEvents

SSL


Note:

These attribute values are stored as part of configuration entries. 


Attributes

orclsslAuthentication, orclsslEnable, orclsslWalletURL, orclsslWalletPasswd, orclsslPort, orclsslVersion

Audit Log

Attributes

orclServerEvent, orcleventtype, orclauditattribute, orclauditmessage, orcleventtime, orcluserdn, orclSequence, orclAuditLevel, orclOpResult

Object class

OrclAuditOC

Configuration Set Entry Attributes

The following table lists and describes the entire set of configuration set entry attributes that are used to configure an instance of a directory server.

Parameter  Description 

orcldebugflag 

Debug level associated with this instance of the server. The default for configset0 is 0. The range is 0 to 65535. 

orclmaxcc 

Maximum number of concurrent database connections. The default for configset0 is 10. You cannot use a negative value for this attribute. 

orclserverprocs 

Number of server processes to start. The default for configset0 is 1. You cannot use a negative value for this attribute. 

orclsslport 

SSL mode default port (default 636). When you run the directory in the secure mode, it listens at default port 636 and accepts only SSL-based TCP/IP connections. (When you run the directory in the normal mode, it listens at default port 389, accepting normal TCP/IP connections.) You might want to change this port when you add multiple LDAP server instances. 

orclnonsslport 

Non-SSL mode default port (default 389). 

orclsslenable 

Flag for toggling SSL on and off. You would want to toggle this flag when you use different instances of the same server for either SSL or non-SSL. You may use either of the following two values:

  • 0 = disables SSL (default in configuration set0)

  • 1 = enables SSL

The default is 0. 

orclsslauthentication 

Flag, with values of 1, 32, or 64, for specifying the type of authentication you elect to use for each instance of the Oracle directory server. The default value, 1, specifies no authentication. You can run different values concurrently for different instances. Values of one-way and two-way authentication require wallets. You may use one of the following three values:

  • 1 = no SSL authentication

  • 32 = one-way SSL authentication (the server sends its certificate to the client)

  • 64 = two-way SSL authentication (client and server send certificates to each other)

 

orclsslwalleturl 

Sets the location of the Oracle wallet. You initially set this value when you create the wallet. If you elect to change the location of the Oracle wallet, you must change this parameter. You must set the wallet location on both the client and the server. For example, on Solaris, you could set this parameter as follows:

orclsslwalleturl=file:/Home/my_dir/

On Windows NT, you could set this parameter as follows:

file:Home\my_dir\
 

orclsslwalletpasswd 

Password used by the server to open its wallet. You initially set this value when you create the wallet. If you elect to change the wallet password, you must change this parameter. You must set the wallet password on both the client and the server. 

orclsslversion 

SSL version. The default is 3. 
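
The following Python sketch is an added example, not Oracle code. It checks an LDIF export of one configuration set entry against the values documented in the table above (orclsslenable 0/1, orclsslauthentication 1/32/64, the wallet requirement, and the numeric ranges). The DN, the sample values, and the function names parse_entry and audit_configset are assumptions made for illustration.

```python
import re

# Constructed sample LDIF for one configuration set entry; DN and values are made up.
SAMPLE_LDIF = """\
dn: cn=configset1,cn=example
objectclass: orclConfigSet
orclsslEnable: 1
orclsslAuthentication: 1
orclsslWalletPasswd: not-a-real-
 password
orcldebugflag: 70000
"""

AUTH_MODES = {1: "none", 32: "one-way", 64: "two-way"}  # values from the table

def parse_entry(ldif):
    """Return {lowercased attribute: first value}, unfolding continuation lines."""
    entry = {}
    for line in re.sub(r"\n ", "", ldif).splitlines():
        if ":" in line and not line.startswith("#"):
            name, _, value = line.partition(":")
            entry.setdefault(name.strip().lower(), value.strip())
    return entry

def audit_configset(entry):
    """Compare one entry with the documented values; return a list of findings."""
    findings = []
    ssl_on = int(entry.get("orclsslenable", 0)) == 1   # documented default: 0
    auth = int(entry.get("orclsslauthentication", 1))  # documented default: 1
    if not ssl_on:
        findings.append("orclsslenable=0: SSL is off for this instance")
    if auth not in AUTH_MODES:
        findings.append(f"orclsslauthentication={auth}: expected 1, 32 or 64")
    elif ssl_on and auth == 1:
        findings.append("orclsslauthentication=1: SSL on, but no SSL authentication")
    elif auth != 1 and "orclsslwalleturl" not in entry:
        findings.append(f"orclsslauthentication={auth}: wallet required, orclsslwalleturl unset")
    if "orclsslwalletpasswd" in entry:
        findings.append("orclsslwalletpasswd present: handle this export as a secret")
    debug = int(entry.get("orcldebugflag", 0))
    if not 0 <= debug <= 65535:
        findings.append(f"orcldebugflag={debug}: outside the range 0 to 65535")
    for name in ("orclmaxcc", "orclserverprocs"):
        if int(entry.get(name, 0)) < 0:
            findings.append(f"{name}: negative values are not allowed")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_configset(parse_entry(SAMPLE_LDIF))))
```

Attribute names are compared in lower case because the schema list and the table on this page spell them with different capitalization.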

See Also:

 

LDAP Syntax

Syntax defines the type of values that an attribute can hold. Oracle Internet Directory recognizes most of the syntax specified in RFC 2252, that is, it allows you to associate most of the syntax described in that document with an attribute. In addition to recognizing most LDAP syntax, Oracle Internet Directory enforces some LDAP syntax.

This section covers topics in the following subsections:

LDAP Syntax Enforced by Oracle Internet Directory

Oracle Internet Directory enforces LDAP syntax for the following:

Commonly Used LDAP Syntax Recognized by Oracle Internet Directory

The following LDAP syntax is more commonly used:

Attribute Type Description

Numeric String

Boolean

Object Class Description

Certificate

Octet String

Directory String

OID

DN

Presentation Address

Facsimile Telephone Number

Printable String

INTEGER

Telephone Number

JPEG

UTC Time

Name And Optional UID

Additional LDAP Syntax Recognized by Oracle Internet Directory

In addition to the commonly used LDAP syntax defined above, Oracle Internet Directory recognizes LDAP syntax for the following:

Access Point

LDAP Schema Description

ACI Item

LDAP Syntax Description

Audio

Mail Preference

Binary

Master And Shadow Access Points

Bit String

Matching Rule

Certificate List

Matching Rule Use Description

Certificate Pair

MHS OR Address

Country String

Modify Rights

Data Quality Syntax

Name Form Description

Delivery Method

Object Class Description

DIT Content Rule Description

Octet String

DIT Structure Rule Description

Other Mailbox

DL Submit Permission

Postal Address

DSA Quality Syntax

Protocol Information

DSE Type

Substring Assertion

Enhanced Guide

Subtree Specification

Fax

Supplier And Consumer

Generalized Time

Supplier Information

Guide

Supplier Or Consumer

IA5 String

Supported Algorithm

LDAP Schema Definition

Teletex Terminal Identifier

Telex Number

Size of Attribute Values

A syntax does not in itself put any specific size constraint on attribute values. You can, however, specify a size for the attribute value as part of the syntax in the attribute definition. Oracle Internet Directory does not enforce this 'len' characteristic on the attribute.

For example, to limit an attribute foo to a size of 64, you would define the attribute as follows:

(object_identifier_of_attribute NAME 'foo' EQUALITY caseIgnoreMatch SYNTAX 
'object_identifier_of_syntax{64}')

See Also:

Section 4.1.6 f of RFC2251 for more information on Attribute Value. You can find this RFC at the following URL: http://www.ietf.org/rfc/rfc2251.txt. 
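
Because the directory does not enforce the declared length, an application that relies on the bound has to check values itself before writing them. The following Python sketch is an added example, not Oracle code: it reads the {len} bound out of attribute definitions written in the form shown above and reports values that exceed it. The function names, the second attribute 'bar' and the sample values are assumptions, and length is counted in characters.

```python
import re

NAME_RE = re.compile(r"NAME\s+'([^']+)'")
# SYNTAX clause, with or without quotes around the OID, plus optional {len}.
SYNTAX_RE = re.compile(r"SYNTAX\s+'?([\w.\-]+)(?:\{(\d+)\})?'?")

# Constructed definitions in the form shown above; the OIDs are placeholders.
SCHEMA = [
    "(object_identifier_of_attribute NAME 'foo' EQUALITY caseIgnoreMatch SYNTAX\n"
    "'object_identifier_of_syntax{64}')",
    "(object_identifier_of_attribute NAME 'bar' SYNTAX 'object_identifier_of_syntax')",
]

def declared_bounds(definitions):
    """Map lowercased attribute name -> declared {len} bound, or None."""
    bounds = {}
    for text in definitions:
        name, syntax = NAME_RE.search(text), SYNTAX_RE.search(text)
        if name and syntax:
            length = syntax.group(2)
            bounds[name.group(1).lower()] = int(length) if length else None
    return bounds

def oversize_values(entry, bounds):
    """Return (attribute, value length, bound) for every value over its bound."""
    problems = []
    for attr, values in entry.items():
        bound = bounds.get(attr.lower())
        for value in values:
            if bound is not None and len(value) > bound:
                problems.append((attr, len(value), bound))
    return problems

if __name__ == "__main__":
    entry = {"foo": ["ok", "x" * 65], "bar": ["y" * 500]}  # constructed values
    print(oversize_values(entry, declared_bounds(SCHEMA)))
```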

Matching Rules

Oracle Internet Directory recognizes the following matching rule definitions in the schema.

accessDirectiveMatch

IntegerMatch

bitStringMatch

numericStringMatch

caseExactMatch

objectIdentifierFirstComponentMatch

caseExactIA5Match

ObjectIdentifierMatch

caseIgnoreIA5Match

OctetStringMatch

caseIgnoreListMatch

presentationAddressMatch

caseIgnoreMatch

protocolInformationMatch

caseIgnoreOrderingMatch

telephoneNumberMatch

distinguishedNameMatch

uniqueMemberMatch

generalizedTimeMatch

generalizedTimeOrderingMatch

Of the matching rules in the previous list, Oracle Internet Directory actually enforces the following when it compares attribute values:

distinguishedNameMatch

caseExactMatch

caseIgnoreMatch

numericStringMatch

IntegerMatch

telephoneNumberMatch


Copyright © 1996-2001, Oracle Corporation.

All Rights Reserved.