This chapter explains how to administer the Oracle Internet Directory object classes and attributes.
This chapter contains these topics:
About the Directory Schema
A directory schema does the following:
- Contains rules about the kinds of objects you can store in the directory
- Contains rules for how directory servers and clients treat information during operations such as a search
- Helps to maintain the integrity and quality of the data stored in the directory
- Reduces duplication of data
- Provides a predictable way for directory-enabled applications to access and modify directory objects
The directory schema contains all information about how data is organized in the DIT. It includes attribute types, and the syntaxes and matching rules that apply to them. It also contains the various groupings of attributes, called object classes.
This chapter discusses each of these elements.
About Object Class Management
This section explains how to add and modify an object class. Oracle Corporation recommends that you understand the basic concepts of directory components before attempting to add to or modify the base schema in the directory.
This section contains these topics:
Guidelines for Adding Object Classes
When you add directory entries, you select object classes for those entries. The attributes of an entry are determined by the object classes to which that entry is assigned.
Entries must be loaded in a top-down sequence. When you add an entry, all of its parent entries must already exist in the directory. Similarly, when you add entries that reference object classes and attributes, those referenced object classes and attributes must already exist in the directory schema. In most cases this will not be a problem since the directory server is delivered with a full set of standard directory objects.
Note:
Every schema object in the Oracle Internet Directory has certain limitations. For example, some objects cannot be changed. These limitations are explained as constraints and rules in this chapter.
The attributes that entries inherit from an object class may be either mandatory or optional. Optional attributes need not be present in the directory entry.
You can specify for any object class whether an attribute is mandatory or optional; however, the characteristic you specify is binding only for that object class. If you place the attribute in another object class, you can again specify whether the attribute is mandatory or optional for that object class. You can:
- Select from existing standard object classes
- Add a new, non-standard object class and assign it existing attributes
- Modify an existing object class, assigning it a different set of attributes
- Add and modify existing attributes
Administrators typically assign object classes to entries based on the attributes present in that object class. However, a superclass lets you take advantage of inheritance--that is, the object classes selected for an entry have a hierarchy of superclasses from which they inherit mandatory and optional attributes. By default, all object classes inherit from the top object class.
When you add or perform an operation on an entry, you do not need to specify the entire hierarchy of superclasses associated with that entry. This feature, called object class explosion, enables you to specify only the leaf object classes. Oracle Internet Directory resolves the hierarchy for the leaf object classes and enforces the information model constraints. For example, the inetOrgPerson object class has top, person and organizationalPerson as its superclasses. When you create an entry for a person, you need to specify only inetOrgPerson as the object class. Oracle Internet Directory then enforces the schema constraints defined by the respective superclasses, namely, top, person, and organizationalPerson.
When you add object classes, keep the following guidelines in mind:
- Every structural object class must have top as a superclass.
- The name and the object identifier of an object class must be unique across all the schema components.
- Schema components referred to in the object class, such as superclasses, must already exist.
- The superclass of an abstract object class must be abstract also.
- It is possible to redefine mandatory attributes in a superclass into optional attributes in the new object class. Conversely, optional attributes in a superclass can be redefined into mandatory attributes in the new object class.
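As an added example (not code from the Oracle Internet Directory documentation or product), the following Python script parses object class definitions in the form that ldapmodify accepts later in this chapter, resolves the superclass hierarchy the way object class explosion does, and applies the guidelines above when a new class is added. The Schema class, its attribute list, and the abbreviated definitions of top, person, organizationalPerson and inetOrgPerson are constructed for this example and stand in for the server's own schema checks.

```python
import re

# Tokenizer for the object class definition syntax used in this chapter:
# parentheses, '$' separators, quoted names, and bare words or OIDs.
_TOKEN = re.compile(r"\(|\)|\$|'[^']*'|[^\s()$']+")


def parse_objectclass(definition):
    """Parse an objectclasses value such as
    ( 1.2.3.4.5 NAME 'myobjclass' SUP top STRUCTURAL MUST ( cn $ sn ) MAY ( a $ b ) )
    into a dict (subset of the RFC 4512 syntax that this chapter uses)."""
    toks = _TOKEN.findall(definition)
    if len(toks) < 2 or toks[0] != "(" or toks[-1] != ")":
        raise ValueError("definition must be enclosed in parentheses")
    toks = toks[1:-1]
    oc = {"oid": toks[0], "name": None, "sup": [], "kind": "STRUCTURAL",
          "must": [], "may": []}
    i = 1

    def read_list():
        # Either one bare item or a parenthesised '$'-separated list.
        nonlocal i
        if toks[i] != "(":
            i += 1
            return [toks[i - 1].strip("'")]
        i += 1
        items = []
        while toks[i] != ")":
            if toks[i] != "$":
                items.append(toks[i].strip("'"))
            i += 1
        i += 1
        return items

    while i < len(toks):
        kw = toks[i].upper()
        i += 1
        if kw == "NAME":
            oc["name"] = read_list()[0]
        elif kw == "SUP":
            oc["sup"] = read_list()
        elif kw in ("STRUCTURAL", "AUXILIARY", "ABSTRACT"):
            oc["kind"] = kw
        elif kw == "MUST":
            oc["must"] = read_list()
        elif kw == "MAY":
            oc["may"] = read_list()
        elif kw == "DESC":
            i += 1  # skip the quoted description
        else:
            raise ValueError("unsupported keyword: " + kw)
    if oc["name"] is None:
        raise ValueError("definition has no NAME")
    return oc


class Schema:
    """In-memory stand-in for the directory schema (constructed for this example)."""

    def __init__(self):
        self.classes = {}        # lower-case name -> parsed object class
        self.oids = set()
        self.attributes = set()  # lower-case names of attributes the schema knows

    def superclass_chain(self, name):
        """Object class explosion: the class plus every superclass it inherits from."""
        seen, stack = [], [name.lower()]
        while stack:
            n = stack.pop()
            if n not in seen:
                seen.append(n)
                stack.extend(s.lower() for s in self.classes[n]["sup"])
        return seen

    def effective_attributes(self, name):
        """Mandatory and optional attributes an entry of this class actually gets."""
        must, may = set(), set()
        for n in self.superclass_chain(name):
            must.update(a.lower() for a in self.classes[n]["must"])
            may.update(a.lower() for a in self.classes[n]["may"])
        return must, may - must

    def add_objectclass(self, definition):
        """Apply the guidelines for adding an object class; ValueError on a violation."""
        oc = parse_objectclass(definition)
        key, errors = oc["name"].lower(), []
        if key in self.classes or oc["oid"] in self.oids:
            errors.append("name or object identifier already in use")
        missing = [s for s in oc["sup"] if s.lower() not in self.classes]
        if missing:
            errors.append("superclass does not exist: " + ", ".join(missing))
        else:
            sups = [self.classes[s.lower()] for s in oc["sup"]]
            if oc["kind"] == "ABSTRACT" and any(s["kind"] != "ABSTRACT" for s in sups):
                errors.append("superclass of an abstract object class must be abstract")
            chain = {c for s in oc["sup"] for c in self.superclass_chain(s)}
            if oc["kind"] == "STRUCTURAL" and "top" not in chain:
                errors.append("structural object class must have top as a superclass")
        unknown = [a for a in oc["must"] + oc["may"] if a.lower() not in self.attributes]
        if unknown:
            errors.append("attribute does not exist: " + ", ".join(unknown))
        if errors:
            raise ValueError("; ".join(errors))
        self.classes[key] = oc
        self.oids.add(oc["oid"])
        return oc


def build_sample_schema():
    """Constructed subset of the standard schema this chapter refers to."""
    s = Schema()
    s.attributes.update(a.lower() for a in [
        "objectClass", "cn", "sn", "userPassword", "telephoneNumber", "description",
        "title", "ou", "givenName", "mail", "uid", "myattr"])
    s.add_objectclass("( 2.5.6.0 NAME 'top' ABSTRACT MUST objectClass )")
    s.add_objectclass("( 2.5.6.6 NAME 'person' SUP top STRUCTURAL MUST ( sn $ cn ) "
                      "MAY ( userPassword $ telephoneNumber $ description ) )")
    s.add_objectclass("( 2.5.6.7 NAME 'organizationalPerson' SUP person STRUCTURAL "
                      "MAY ( title $ ou ) )")
    s.add_objectclass("( 2.16.840.1.113730.3.2.2 NAME 'inetOrgPerson' "
                      "SUP organizationalPerson STRUCTURAL MAY ( givenName $ mail $ uid ) )")
    return s
```

Calling build_sample_schema().effective_attributes("inetOrgPerson") shows what the server enforces for an entry that names only the leaf class: sn, cn and objectClass are mandatory, and the optional attributes of all four classes in the chain are available. Feeding add_objectclass the myobjclass definition from the ldapmodify example later in this chapter succeeds, while a duplicate OID, a missing attribute, or an abstract class with a structural superclass is rejected before anything reaches the directory.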
Guidelines for Modifying Object Classes
This section discusses the types of modifications you can make to an existing object class. You can perform modifications through Oracle Directory Manager and through the command-line tools.
You can make these changes to an object class:
- Change a mandatory attribute into an optional attribute
- Add optional attributes
- Add additional superclasses
- Convert abstract object classes into structural or auxiliary object classes unless the abstract object class is a superclass to another abstract object class
When you modify object classes, keep these guidelines in mind:
- You cannot modify an object class that is part of the standard LDAP schema. You can, however, modify user-defined object classes. Also, if existing object classes do not have the attributes you need, you can create an auxiliary object class and associate the needed attributes with it.
- You cannot add additional mandatory attributes to an existing object class.
- You cannot modify object classes in the base schema.
- You cannot remove attributes or superclasses from an existing object class.
- You cannot convert structural object classes to other object class types.
- You should not modify an object class if there are entries already associated with it.
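The following function, added here as an example and not part of the Oracle documentation or product, compares an existing object class with its proposed replacement and reports which of the modification guidelines above the change would break. Definitions are plain dicts (name, kind, sup, must, may); the set of base-schema class names, the entry count, and the abstract-subclass list are constructed inputs that a real check would read from the directory.

```python
# Constructed subset of base-schema object class names; the real base schema is
# the one installed with Oracle Internet Directory.
BASE_SCHEMA_CLASSES = {"top", "person", "organizationalperson", "inetorgperson", "country"}


def _names(values):
    return {v.lower() for v in values}


def check_objectclass_modification(old, new, entries_using=0, abstract_subclasses=()):
    """Compare an existing object class `old` with its proposed replacement `new`.
    Both are dicts with keys name, kind, sup, must, may. Returns (errors, warnings);
    an empty error list means the change is allowed under the guidelines."""
    errors, warnings = [], []
    if old["name"].lower() in BASE_SCHEMA_CLASSES:
        errors.append("object classes in the base schema cannot be modified")
    if old["name"].lower() != new["name"].lower():
        errors.append("the replacement must keep the same NAME")
    old_must, new_must = _names(old["must"]), _names(new["must"])
    old_may, new_may = _names(old["may"]), _names(new["may"])
    # Mandatory -> optional is allowed; dropping an attribute altogether is not.
    removed = (old_must | old_may) - (new_must | new_may)
    if removed:
        errors.append("attributes cannot be removed: " + ", ".join(sorted(removed)))
    added_must = new_must - old_must
    if added_must:
        errors.append("mandatory attributes cannot be added: " + ", ".join(sorted(added_must)))
    removed_sup = _names(old["sup"]) - _names(new["sup"])
    if removed_sup:
        errors.append("superclasses cannot be removed: " + ", ".join(sorted(removed_sup)))
    if old["kind"] != new["kind"]:
        if old["kind"] == "STRUCTURAL":
            errors.append("a structural object class cannot be converted to another type")
        elif old["kind"] == "ABSTRACT" and abstract_subclasses:
            errors.append("abstract class is a superclass of other abstract classes: "
                          + ", ".join(abstract_subclasses))
    if entries_using:
        warnings.append(f"{entries_using} entries are already associated with this object class")
    return errors, warnings


if __name__ == "__main__":
    # Constructed: the user-defined class from the ldapmodify example in this chapter.
    current = {"name": "myobjclass", "kind": "STRUCTURAL", "sup": ["top"],
               "must": ["cn", "sn"], "may": ["telephonenumber", "givenname", "myattr"]}
    proposed = dict(current, must=["cn"], may=["sn", "telephonenumber", "givenname", "myattr", "mail"])
    print(check_objectclass_modification(current, proposed, entries_using=3))
```

The sample change relaxes sn from mandatory to optional and adds mail as an optional attribute, both permitted, so only the warning about existing entries is returned. Conversions of auxiliary classes are not covered by the guidelines above and are left unchecked.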
Guidelines for Deleting Object Classes
There are also some limitations on deleting object classes:
- You cannot delete object classes from the base schema.
- You can delete object classes that are not in the base schema as long as they are not directly or indirectly referenced by other schema components. For example, there may be some directory entries referring to these object classes. Deleting these object classes renders these entries inaccessible.
Note:
Oracle Internet Directory does not enforce these rules. They are provided here as guidelines.
Managing Object Classes by Using Oracle Directory Manager
This section contains these topics:
Searching for Object Classes by Using Oracle Directory Manager
You can specify your search for an object class by:
- Selecting an object class property, for example, a name or an object identifier
- Entering a value for the property you selected
- Selecting a search filter specifying the relationship between the object class property you selected and the value you entered, for example, Begins With or Exactly Matches
This section provides more details on how to enter an object class search.
To search for an object class:
- In the navigator pane, select Schema Management. The Schema Management tab pages appear in the right pane.
- Click the Find Object Classes button at the lower right of the right pane, or, from the menu bar, click Edit > Find Object Classes. The Find: Object Classes dialog box appears.
- In the menu farthest to the left on the search criteria bar, select the property of the object class for which you want to search. Options are:
Note:
Not all attributes are used in every object class. Be sure that the attribute you specify actually corresponds to one in the object class for which you are looking. Otherwise, the search will fail.
- In the menu in the middle of the search criteria bar, select the filter you want to use for your search. Options are:
- In the text box at the right end of the search criteria bar, type the value of the property of the object class for which you are searching. For example, to search for all object classes in which the name of the object class begins with the letters orcl, type those letters in the text box at the right end of the search criteria bar.
- Below the Search Criteria field are five buttons described in the next table. Use these buttons to further refine your search.
- Click Search. The results of your search appear in the window at the lower portion of the Find:Object Class dialog box.
Viewing Properties of Object Classes by Using Oracle Directory Manager
To view all object classes in the schema:
- In the navigator pane, expand Schema Management. The tabs in the Schema Management pane display the components of the schema:
- Object classes
- Attributes
- Syntaxes
- Matching Rules
- In the right pane, select the Object Classes tab page.
To examine an individual object class and its attributes, in the Object Classes tab page, click the object class. The properties of the selected object class appear in the Object Class dialog box.
- In the Object Class dialog box:
- Object classes from which attributes may be inherited are listed in the Super Class box
- Mandatory attributes are listed in the Mandatory Attributes box
- Optional attributes are listed in the Optional Attributes box
Each box indicates whether the attributes are indexed so that they can be used in a search expression.
Adding Object Classes by Using Oracle Directory Manager
To add object classes by using Oracle Directory Manager:
- In the navigator pane, expand Oracle Internet Directory Servers > directory server, then select Schema Management.
- Choose one of the following methods:
- In the right pane, select the Object Classes tab and click the Create button in the toolbar.
- Click the Create button at the bottom of the right pane.
- From the Operations menu, select Create Object Class.
The New Object Class dialog box appears.
Alternatively, select an object class that is similar to one you would like to create, and then click Create Like. A dialog box appears; it includes the attributes of the selected object class. You can create the new object class using the selected one as a template.
- Enter the information in the fields described in the following table:
- Click OK.
Modifying Object Classes by Using Oracle Directory Manager
To modify an object class:
- In the navigator pane, select Schema Management, then select the Object Classes tab.
- In the Object Classes tab page, double-click the object class you want to modify. The Object Class dialog box appears.
- Modify or add the information in the fields described in the following table.
- Click OK.
Deleting Object Classes by Using Oracle Directory Manager
Caution:
Oracle Corporation recommends that you not delete object classes from the schema.
Should you decide to delete an object class, be careful not to delete one that is in use or that you might want to use in the future. If you delete an object class that is referenced by any entries, those entries then become inaccessible.
To delete an object class by using Oracle Directory Manager:
- In the navigator pane, select Schema Management.
- In the right pane, select the Object Classes tab and select the object class you want to delete.
- Click Delete.
Managing Object Classes by Using Command-Line Tools
You can use command-line tools to add or modify existing object classes in the directory schema. The command-line tools enable you to use input files. Furthermore, the commands can be batched together in scripts.
To add or modify schema components, use ldapmodify.
This section contains these examples:
Example: Adding a New Object Class
In this example, an LDIF input file, new_object_class.ldi, contains data similar to this:
dn: cn=subschemasubentry
changetype: modify
add: objectclasses
objectclasses: ( 1.2.3.4.5 NAME 'myobjclass' SUP top STRUCTURAL MUST ( cn $ sn ) MAY ( telephonenumber $ givenname $ myattr ) )
Be sure to leave the mandatory space between the opening and closing parentheses and the object identifier.
To load the file, enter this command:
ldapmodify -h myhost -p 389 -f new_object_class.ldi
This example adds the structural object class named myobjclass, giving it an object identifier of 1.2.3.4.5, specifying top as its superclass, requiring cn and sn as mandatory attributes, and allowing telephonenumber, givenname, and myattr as optional attributes. Note that all the attributes mentioned must exist prior to the execution of the command.
To create an abstract object class, follow the previous example, replacing the word STRUCTURAL with the word ABSTRACT.
Example: Adding a New Attribute to an Auxiliary or User-Defined Object Class
To add a new attribute to either an auxiliary object class or a user-defined structural object class, use ldapmodify. This example deletes the old object class definition and adds the new definition in a compound modify operation. The change is committed by the Oracle directory server in one transaction. Existing data is not affected. The input file should be as follows:
dn: cn=subschemasubentry
changetype: modify
delete: objectclasses
objectclasses: old value
-
add: objectclasses
objectclasses: new value
For example, to add the attribute changes to the existing object class country, the input file would be:
dn: cn=subschemasubentry
changetype: modify
delete: objectclasses
objectclasses: ( 2.5.6.2 NAME 'country' SUP top STRUCTURAL MUST c MAY ( searchGuide $ description ) )
-
add: objectclasses
objectclasses: ( 2.5.6.2 NAME 'country' SUP top STRUCTURAL MUST c MAY ( searchGuide $ description $ changes ) )
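The compound delete-then-add record above is easy to get wrong by hand: the two operations must sit in one record separated by a line containing only "-", and long definitions must be folded the way LDIF expects (continuation lines begin with a single space) or the server reads them as separate attribute values. The following Python helper, added here as an example rather than taken from the Oracle documentation or the ldapmodify tool, generates such a record, folds it, and checks that the old and new definitions keep the same OID and NAME so that the change redefines the class instead of silently renaming it. The DN cn=subschemasubentry and the country definitions are the ones shown above.

```python
import re

# "( <oid> NAME '<name>'" at the start of an object class definition.
_HEADER = re.compile(r"^\(\s*([\d.]+)\s+NAME\s+'([^']+)'")


def fold(line, width=76):
    """Split one logical LDIF line into physical lines of at most `width`
    characters; continuation lines start with a single space (RFC 2849)."""
    out = [line[:width]]
    rest = line[width:]
    while rest:
        out.append(" " + rest[:width - 1])
        rest = rest[width - 1:]
    return out


def unfold(text):
    """Join continuation lines back into logical lines (what the server sees)."""
    logical = []
    for line in text.splitlines():
        if line.startswith(" ") and logical:
            logical[-1] += line[1:]
        else:
            logical.append(line)
    return logical


def ldif_modify(dn, changes):
    """Render one changetype: modify record. `changes` is a list of
    (operation, attribute, [values]); operations are separated by '-' lines so
    the server applies them as a single compound modify. The layout matches the
    examples in this chapter, which put no '-' after the final operation."""
    lines = ["dn: " + dn, "changetype: modify"]
    for n, (op, attr, values) in enumerate(changes):
        if n:
            lines.append("-")
        lines.append(f"{op}: {attr}")
        for value in values:
            lines.extend(fold(f"{attr}: {value}"))
    return "\n".join(lines) + "\n"


def replace_objectclass_ldif(old_definition, new_definition):
    """Build the delete-then-add record that changes an object class definition
    in place. Refuses definitions whose OID or NAME differ."""
    old_hdr = _HEADER.match(old_definition.strip())
    new_hdr = _HEADER.match(new_definition.strip())
    if not old_hdr or not new_hdr:
        raise ValueError("definitions must start with ( <oid> NAME '<name>'")
    if old_hdr.groups() != new_hdr.groups():
        raise ValueError("old and new definitions must keep the same OID and NAME")
    return ldif_modify("cn=subschemasubentry", [
        ("delete", "objectclasses", [old_definition]),
        ("add", "objectclasses", [new_definition]),
    ])


if __name__ == "__main__":
    OLD = "( 2.5.6.2 NAME 'country' SUP top STRUCTURAL MUST c MAY ( searchGuide $ description ) )"
    NEW = "( 2.5.6.2 NAME 'country' SUP top STRUCTURAL MUST c MAY ( searchGuide $ description $ changes ) )"
    print(replace_objectclass_ldif(OLD, NEW), end="")
```

Running the script prints the record ready to be saved and passed to ldapmodify -f; unfold() can be used on an existing input file to confirm that each objectclasses value is one logical line before loading it.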
About Attribute Management
This section contains these topics:
You need to understand attributes from a conceptual standpoint before attempting operations involving attributes.
In most cases, the attributes available in the base schema will suit the needs of your organization. However, if you decide to use an attribute not available in the base schema, you can add a new attribute or modify an existing one.
By default, attributes are multi-valued. You can specify an attribute as single-valued by using either Oracle Directory Manager or command-line tools.
See Also:
"Attributes" for a conceptual discussion of attributes
Rules for Adding Attributes
The rules for adding attributes are:
- The name and the object identifier of an attribute must be unique across all the schema components.
- Syntax and matching rules must agree.
- Any super attributes must already exist.
Rules for Modifying Attributes
The rules for modifying attributes are:
- The name and the object identifier of an attribute must be unique across all the schema components.
- The syntax of an attribute cannot be modified.
- A single-valued attribute can be made into multi-valued, but a multi-valued attribute cannot be made single-valued.
- You cannot modify or delete base schema attributes.
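The rules for adding and modifying attributes above can be checked before an LDIF file is loaded. The following Python script is an added example, not code from the Oracle documentation or product: it extracts the fields those rules depend on from an attributetypes definition (the same form ldapmodify accepts later in this chapter), keeps an in-memory stand-in for the schema, and rejects a definition that reuses a name or OID, names a super attribute that does not exist, pairs an equality rule with a syntax it does not agree with, changes an attribute's syntax, or turns a multi-valued attribute into a single-valued one. The syntax-to-matching-rule table is a constructed subset of the RFC 4517 syntaxes; the directory's full list is what the "Viewing Syntaxes" and "Viewing Matching Rules" sections show.

```python
import re

# Constructed subset of LDAP syntaxes (RFC 4517 OIDs) and the equality rules
# that agree with each; the directory's own list lives under cn=subschemasubentry.
SYNTAX_EQUALITY = {
    "1.3.6.1.4.1.1466.115.121.1.15": {"caseignorematch", "caseexactmatch"},       # Directory String
    "1.3.6.1.4.1.1466.115.121.1.26": {"caseignoreia5match", "caseexactia5match"},  # IA5 String
    "1.3.6.1.4.1.1466.115.121.1.27": {"integermatch"},                            # INTEGER
    "1.3.6.1.4.1.1466.115.121.1.12": {"distinguishednamematch"},                  # DN
    "1.3.6.1.4.1.1466.115.121.1.38": {"objectidentifiermatch"},                   # OID
    "1.3.6.1.4.1.1466.115.121.1.7": {"booleanmatch"},                             # Boolean
}

_FIELDS = {
    "oid": re.compile(r"^\(\s*([\d.]+)"),
    "name": re.compile(r"\bNAME\s+\(?\s*'([^']+)'"),
    "sup": re.compile(r"\bSUP\s+'?([^\s')]+)"),
    "equality": re.compile(r"\bEQUALITY\s+([^\s)]+)"),
    "syntax": re.compile(r"\bSYNTAX\s+'?([\d.]+)"),
}


def parse_attributetype(definition):
    """Pull out the fields the rules depend on from a value such as
    ( 1.2.3.4.5 NAME 'myattr' SYNTAX '1.3.6.1.4.1.1466.115.121.1.38' )."""
    at = {}
    for field, rx in _FIELDS.items():
        m = rx.search(definition.strip())
        at[field] = m.group(1) if m else None
    at["single_value"] = "SINGLE-VALUE" in definition.upper()
    return at


class AttributeSchema:
    """In-memory stand-in for the schema's attribute types (constructed for this example)."""

    def __init__(self):
        self.attrs = {}    # lower-case name -> parsed definition
        self.oids = {}     # OID -> lower-case name
        self.base = set()  # names that belong to the base schema

    def _check_common(self, at, errors):
        if at["oid"] is None or at["name"] is None:
            errors.append("definition needs an object identifier and a NAME")
            return
        if at["sup"] and at["sup"].lower() not in self.attrs:
            errors.append("super attribute does not exist: " + at["sup"])
        if at["syntax"] and at["equality"]:
            allowed = SYNTAX_EQUALITY.get(at["syntax"])
            if allowed is None:
                errors.append("unknown syntax: " + at["syntax"])
            elif at["equality"].lower() not in allowed:
                errors.append(f"equality rule {at['equality']} does not agree "
                              f"with syntax {at['syntax']}")

    def add(self, definition, base=False):
        """Rules for adding: unique name and OID, agreeing rules, existing SUP."""
        at, errors = parse_attributetype(definition), []
        self._check_common(at, errors)
        if not errors and (at["name"].lower() in self.attrs or at["oid"] in self.oids):
            errors.append("name or object identifier already in use")
        if errors:
            raise ValueError("; ".join(errors))
        key = at["name"].lower()
        self.attrs[key], self.oids[at["oid"]] = at, key
        if base:
            self.base.add(key)
        return at

    def modify(self, definition):
        """Rules for modifying: no base schema, no syntax change, no multi -> single."""
        new, errors = parse_attributetype(definition), []
        self._check_common(new, errors)
        key = (new["name"] or "").lower()
        old = self.attrs.get(key)
        if old is None:
            errors.append("attribute does not exist: " + key)
        else:
            if key in self.base:
                errors.append("base schema attributes cannot be modified")
            if self.oids.get(new["oid"], key) != key:
                errors.append("object identifier already used by another attribute")
            if new["syntax"] != old["syntax"]:
                errors.append("the syntax of an attribute cannot be modified")
            if new["single_value"] and not old["single_value"]:
                errors.append("a multi-valued attribute cannot be made single-valued")
        if errors:
            raise ValueError("; ".join(errors))
        self.oids.pop(old["oid"])
        self.attrs[key], self.oids[new["oid"]] = new, key
        return new
```

Seeding the schema with a few base attributes (for instance name and cn, marked base=True) and then calling add() with the myattr definition from the ldapmodify example later in this chapter shows the normal path; the same object with EQUALITY integerMatch and a Directory String syntax is refused because the rules do not agree.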
Rules for Deleting Attributes
The rules for deleting attributes are:
Managing Attributes by Using Oracle Directory Manager
This section contains these topics:
Viewing All Directory Attributes by Using Oracle Directory Manager
To view attributes by using Oracle Directory Manager:
- In the navigator pane, expand Oracle Internet Directory Servers > directory server instance, then select Schema Management.
- In the right pane, select the Attributes tab. This tab page displays a table containing the attribute properties. The following table describes each column of the table in the Attributes tab page.
Searching for Attributes by Using Oracle Directory Manager
To search for attributes by using Oracle Directory Manager:
- In the navigator pane, select Schema Management. The Schema Management tab pages appear in the right pane.
- Select the Attributes tab page.
- Click the Find Attributes button in the lower right corner. The Find Attributes dialog box appears.
- In the menu at the left end of the search criteria bar, select the property of the attributes for which you want to search. Options are:
- In the menu in the middle of the search criteria bar, select the filter you want to use for your search. Options are:
- In the text box at the right end of the search criteria bar, type part or all of the value of the attribute for which you want to search. For example, to search for all attributes whose names begin with the letters orcl, you would type those letters in the text box at the right end of the search criteria bar and create the phrase Name Begins With orcl.
- Beneath the Search Criteria field are five buttons described in the following table. Use these buttons to further refine your search.
- Click Search. The results of your search appear in the window at the lower portion of the Find: Attributes dialog box.
Adding an Attribute by Using Oracle Directory Manager
You can add a completely new attribute, or copy from an existing one.
Tip:
Because equality, syntax, and matching rules are numerous and complex, it may be simpler to copy these characteristics from a similar existing attribute.
Adding a New Attribute by Using Oracle Directory Manager
To add a new attribute:
- In the navigator pane, expand Oracle Internet Directory Servers > directory server, then select Schema Management.
- Do one of the following:
- In the right pane, select the Attributes tab, then click the Create button in the toolbar.
- In the right pane, select the Attributes tab, then click the Create button at the bottom of the Attributes tab page.
- From the Operation menu, select Create Attribute. The New Attribute Type dialog box appears. It contains two tab pages--General and Advanced--with fields in which you either enter values or select from menus.
- In the General tab, enter values in each of the fields as described in the following table:
- Select the Advanced tab. Enter values in each of the fields as described in the following table.
- Click OK.
Note:
To use this attribute, remember to declare it to be part of the attribute set for an object class. You do this by selecting Schema Management in the navigator pane, then, in the right pane, selecting the Object Classes tab page. For further instructions, see "Guidelines for Modifying Object Classes".
Creating a New Attribute from an Existing One by Using Oracle Directory Manager
To add an attribute by copying an existing attribute:
- In the navigator pane, select Schema Management.
- In the right pane, select the Attributes tab.
- In the Attributes tab page, select the attribute you want to copy.
- Click the Create Like button at the bottom of the right pane. The New Attribute Type dialog box for that attribute appears. This dialog box contains two tab pages--General and Advanced--with fields in which you enter values either by typing or selecting from menus.
- Select the General tab and enter values in each of the fields as described in the following table. You must always change the DN to that of the new attribute.
- Select the Advanced tab and enter values in each of the fields as described in the following table.
- Click OK.
Modifying an Attribute by Using Oracle Directory Manager
To modify an attribute by using Oracle Directory Manager:
- In the navigator pane, select Schema Management.
- In the right pane, select the Attributes tab, then select an editable attribute in the list.
- Click Edit. The Attribute dialog box displays two tab pages--General and Advanced--with fields in which you enter values either by typing or selecting from menus.
- Select the General tab and enter values in each of the fields as described in the following table.
- Select the Advanced tab and enter values in each of the fields as described in the following table.
- Click OK.
Deleting an Attribute by Using Oracle Directory Manager
Note:
You can delete only user-defined attributes. Do not delete attributes from the base schema.
To delete an attribute:
- In the navigator pane, select Schema Management.
- In the right pane, select the Attributes tab, then select an editable attribute in the list.
- Click Delete.
Indexing an Attribute by Using Oracle Directory Manager
Oracle Internet Directory uses indexes to make attributes available for searches. When Oracle Internet Directory is installed, certain attributes are already indexed. If you want to use additional attributes in search filters, you must index them.
Note:
You can use Oracle Directory Manager to index an attribute only at the time when you create it. You cannot use Oracle Directory Manager to index an already existing attribute. To index an already existing attribute, use the Catalog Management tool as described in "Indexing an Attribute by Using Command-Line Tools".
You can index only those attributes that have:
- An equality matching rule
- Matching rules supported by Oracle Internet Directory as listed in "Matching Rules"
- Less than 28 characters in their names
Viewing Indexed Attributes by Using Oracle Directory Manager
To view indexed attributes:
- In the navigator pane, select Schema Management.
- In the right pane, select the Attributes tab. The Attributes tab displays all of the attributes in the schema. A selected check box in the Indexed column indicates an indexed attribute.
Adding an Index to an Attribute by Using Oracle Directory Manager
When you create an attribute as described in "Adding an Attribute by Using Oracle Directory Manager", you use the New Attribute Type dialog box. On the Advanced tab page of that dialog box, you select the Indexed check box.
Dropping an Index from an Attribute by Using Oracle Directory Manager
To drop an index from an attribute:
- In the navigator pane, select Schema Management.
- In the right pane, select the Attributes tab.
- Select the indexed attribute. Note that this must be an attribute that is editable as indicated by the icon to the left of the attribute name.
- Click Drop Index.
Managing Attributes by Using Command-Line Tools
This section discusses adding, modifying, and indexing attributes by using command-line tools. This section contains these topics:
Adding and Modifying Attributes by Using ldapmodify
To add a new attribute to the schema by using ldapmodify, type a command similar to the following at the system prompt:
ldapmodify -h host -p port -f ldif_filename
The LDIF file contains data similar to this:
dn: cn=subschemasubentry
changetype: modify
add: attributetypes
attributetypes: ( 1.2.3.4.5 NAME 'myattr' SYNTAX '1.3.6.1.4.1.1466.115.121.1.38' )
You can find a given syntax Object ID by using either Oracle Directory Manager or the ldapsearch command line tool.
See Also:
- "ldapmodify Syntax" for a detailed explanation of ldapmodify and its options
- "Viewing Syntaxes" for instructions on how to view syntaxes by using either Oracle Directory Manager or ldapsearch
Deleting Attributes by Using ldapmodify
Note:
You can delete only user-defined attributes. Do not delete attributes from the base schema.
To delete an attribute by using ldapmodify, type a command similar to the following at the system prompt:
ldapmodify -h host -p port -f ldif_filename
The LDIF file contains data similar to this:
dn: cn=subschemasubentry
changetype: modify
delete: attributetypes
attributetypes: ( 1.2.3.4.5 NAME 'myattr' SYNTAX '1.3.6.1.4.1.1466.115.121.1.38' )
You can find a given syntax Object ID by using either Oracle Directory Manager or the ldapsearch command line tool.
See Also:
- "ldapmodify Syntax" for a detailed explanation of ldapmodify and its options
- "Viewing Syntaxes" for instructions on how to view syntaxes by using either Oracle Directory Manager or ldapsearch
Indexing an Attribute by Using Command-Line Tools
Oracle Internet Directory uses indexes to make attributes available for searches. When Oracle Internet Directory is installed, the entry cn=catalogs lists available attributes that can be used in a search.
If you want to use additional attributes in search filters, you must add them to the catalog entry. You can index only those attributes that have:
- An equality matching rule
- Matching rules supported by Oracle Internet Directory as listed in "Matching Rules"
- No more than 28 characters in their names
You can index a new attribute--that is, one for which no data exists in the directory--by using ldapmodify. You can index an attribute for which data already exists in the directory by using the Catalog Management tool. You can drop an index from an attribute by using ldapmodify, but Oracle Corporation recommends that you use the Catalog Management tool.
Indexing an Attribute for Which No Data Exists by Using ldapmodify
Once you have defined a new attribute in the schema, you can add it to the catalog entry by using ldapmodify.
To add an attribute for which no directory data exists by using ldapmodify, import an LDIF file by using ldapmodify. For example, to add a new attribute foo that has already been defined in the schema, import the following LDIF file by using ldapmodify:
dn: cn=catalogs
changetype: modify
add: orclindexedattribute
orclindexedattribute: foo
You should not use this method to index an attribute for which data exists in the directory. To index such an attribute, use the Catalog Management tool.
Dropping an Index from an Attribute by Using ldapmodify
To drop an index from an attribute by using ldapmodify, specify delete in the LDIF file. For example:
dn: cn=catalogs
changetype: modify
delete: orclindexedattribute
orclindexedattribute: foo
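The following Python script, added here as an example and not code from the Oracle documentation or product, ties the indexing rules of this section together: it checks whether an attribute definition can be indexed at all (an equality matching rule, a rule the directory supports, and a name within the 28-character limit stated above), generates the cn=catalogs record for ldapmodify, and chooses between ldapmodify and the Catalog Management tool depending on whether data for the attribute already exists. The supported-rule set and the list of indexes created by the base schema install are constructed for the example; the directory's own lists are under cn=subschemasubentry and cn=catalogs.

```python
import re

# Constructed subset of the matching rules listed in the "Matching Rules" section.
SUPPORTED_MATCHING_RULES = {"caseignorematch", "caseexactmatch", "integermatch",
                            "distinguishednamematch", "objectidentifiermatch"}
MAX_INDEXED_NAME_LENGTH = 28  # limit stated in this section
# Constructed: attributes whose indexes were created by the base schema install.
BASE_SCHEMA_INDEXES = {"cn", "sn", "uid", "mail", "objectclass"}

_NAME = re.compile(r"\bNAME\s+\(?\s*'([^']+)'")
_EQUALITY = re.compile(r"\bEQUALITY\s+([^\s)]+)")


def indexing_problems(definition):
    """Reasons an attributetypes definition cannot be indexed; empty list if it can."""
    name = _NAME.search(definition)
    if name is None:
        return ["definition has no NAME"]
    problems = []
    equality = _EQUALITY.search(definition)
    if equality is None:
        problems.append("no equality matching rule")
    elif equality.group(1).lower() not in SUPPORTED_MATCHING_RULES:
        problems.append("matching rule not supported: " + equality.group(1))
    if len(name.group(1)) > MAX_INDEXED_NAME_LENGTH:
        problems.append(f"name longer than {MAX_INDEXED_NAME_LENGTH} characters")
    return problems


def catalog_ldif(attribute_name, drop=False):
    """LDIF record that adds (or deletes) the attribute in the cn=catalogs entry."""
    op = "delete" if drop else "add"
    return "\n".join(["dn: cn=catalogs", "changetype: modify",
                      f"{op}: orclindexedattribute",
                      f"orclindexedattribute: {attribute_name}"]) + "\n"


def plan_index_change(definition, data_exists, drop=False):
    """Return (recommended tool, ldapmodify record or None) for the change.
    Follows the rules above: ldapmodify only indexes attributes without data,
    existing data needs the Catalog Management tool, and dropping an index is
    also best done with that tool (the record is returned for reference)."""
    name = _NAME.search(definition)
    if name is None:
        raise ValueError("definition has no NAME")
    name = name.group(1)
    if drop:
        if name.lower() in BASE_SCHEMA_INDEXES:
            raise ValueError("index was created by the base schema; do not drop it")
        return "Catalog Management tool", catalog_ldif(name, drop=True)
    problems = indexing_problems(definition)
    if problems:
        raise ValueError("; ".join(problems))
    if data_exists:
        return "Catalog Management tool", None
    return "ldapmodify", catalog_ldif(name)


if __name__ == "__main__":
    # Constructed definition for the attribute foo used in the examples above.
    foo = "( 1.2.3.4.8 NAME 'foo' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )"
    tool, record = plan_index_change(foo, data_exists=False)
    print(tool)
    print(record, end="")
```

For the foo definition the script prints "ldapmodify" followed by the same four-line record shown above; with data_exists=True it names the Catalog Management tool instead, and for the myattr definition from the earlier example, which has no EQUALITY clause, it refuses to plan an index at all.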
Indexing an Attribute for Which Data Exists by Using the Catalog Management Tool
Use the Catalog Management tool to index an attribute for which data already exists and to drop an index from an attribute.
Note:
Be careful not to use the catalog.sh -delete option to remove indexes on attributes unless you are absolutely sure that the indexes were not created by the base schema that was installed with Oracle Internet Directory. Removing indexes from base schema attributes can adversely impact the operation of Oracle Internet Directory.
Viewing Matching Rules
This section contains these topics:
Viewing Matching Rules by Using Oracle Directory Manager
- In the navigator pane, expand Oracle Internet Directory Servers > directory server instance, then select Schema Management.
- In the right pane, select the Matching Rules tab. The fields in this tab page are shown as column heads. They are:
Viewing Matching Rules by Using ldapsearch
Use ldapsearch on the subentry cn=subSchemaSubentry.
Viewing Syntaxes
This section contains these topics:
Viewing Syntaxes by Using Oracle Directory Manager
To view syntaxes by using Oracle Directory Manager:
- In the navigator pane, select Schema Management.
- In the right pane, select the Syntaxes tab. The fields in this tab page are shown as column heads. They are:
- Description--Name of the attribute syntax
- Object ID--Unique identifier of this syntax
Viewing Syntaxes by Using ldapsearch
Use ldapsearch on the subentry cn=subSchemaSubentry.