
Chapter 1 About Schema


Schema Supported by Directory Server 4.0

Schema files are stored in /<NSHOME>/slapd-<server ID>/config during installation (where <NSHOME> is the installation directory and <server ID> is the name given to the Directory Server instance).

Modifications to directory object classes are stored in slapd.user_oc.conf. Modifications to directory attributes are stored in slapd.user_at.conf. Modifying other schema files may result in interoperability problems.

Schema files listed here include schema supported by previous server releases.

For more information about how the Directory Server stores information and suggestions for planning directory schema, refer to the Netscape Directory Server Deployment Guide.

Table 1.1 Schema Installed with Directory Server 4.0

| Schema Filename | Purpose | Described in... |
|---|---|---|
| ns-admin-schema.conf | Used by Netscape Administration Server 4.0 and the Netscape Mission Control Console. | Administration Server Object Classes |
| ns-calendar-schema.conf | Used by Netscape Calendar Server. | Calendar Server Object Classes |
| ns-certificate-schema.conf | Used to identify a certificate server. netscapeCertificateServer is the sole object class. | Directory Server Object Classes |
| ns-common-schema.conf | Contains object classes and attributes common to the Netscape Mission Control Framework. | Administration Server Object Classes |
| ns-compass-schema.conf | Used by Netscape Compass Server to define personal interest profiles. | Compass Server Object Classes |
| ns-delegated-admin-schema.conf | Used by Netscape Delegated Administrator 1.0. | Delegated Administrator Object Classes |
| ns-directory-schema.conf | Used to identify a Directory Server. netscapeDirectoryServer is the sole object class. (Directory Server object classes are stored in slapd.oc.conf. Directory Server attributes are stored in slapd.at.conf.) | Directory Server Object Classes |
| ns-legacy-schema.conf | Used by Netscape Administration Server for legacy servers. | Administration Server Object Classes |
| ns-mail-schema.conf | Used by Messaging Server to define mail users and mail groups. | Messaging Server Object Classes |
| ns-mcd-browser-schema.conf | Used by Mission Control Desktop to hold browser client preferences. | Mission Control Desktop Object Classes |
| ns-mcd-config-schema.conf | Used by Mission Control Desktop to set MCD "config()" preferences. | Mission Control Desktop Object Classes |
| ns-mcd-li-schema.conf | Used by Mission Control Desktop to define location independence. | Mission Control Desktop Object Classes |
| ns-mcd-mail-schema.conf | Used by Mission Control Desktop to hold mail client preferences and messenger security preferences. | Mission Control Desktop Object Classes |
| ns-media-schema.conf | Used to identify a media server. netscapeMediaServer is the sole object class. | Directory Server Object Classes |
| ns-mlm-schema.conf | Used by Messaging Server 4.0 for mailing list management. | Messaging Server Object Classes |
| ns-msg-schema.conf | Used by Netscape Messaging Server 4.0. | Messaging Server Object Classes |
| ns-netshare-schema.conf | Used by Netscape Enterprise and FastTrack servers. This schema is for enabling netshare user accounts or user projects, and for enabling creation and maintenance of netshare projects using a project management utility CGI. | Enterprise Server Object Classes |
| ns-news-schema.conf | Used by Netscape Compass Server to hold news group preferences. | Compass Server Object Classes |
| ns-proxy-schema.conf | Used to identify a proxy server. netscapeProxyServer is the sole object class. | Directory Server Object Classes |
| ns-value-schema.conf | Schema used for defining schemaless configuration for LDAP. | not provided |
| ns-web-schema.conf | Used to identify an HTTP server. netscapeWebServer is the sole object class. | Enterprise Server Object Classes |
| slapd.at.conf | Includes X.500 user schema for use with LDAP, LDAP attributes defined by the IETF, pilot X.500 schema for use in LDAPv3, and Netscape-defined attributes. | Object Classes |
| slapd.oc.conf | Contains standard object classes expected to be present in Directory Server 4.0 unchanged. Modifying this file will cause interoperability problems. User-defined object classes should be added by selecting Schema \| Create ObjectClasses from the Netscape Console. User-defined object classes are saved in slapd.user_oc.conf. | Directory Server Object Classes |


LDAP Overview
What is LDAP?
Netscape Directory Server includes object classes and object class attributes defined by the Lightweight Directory Access Protocol (LDAP) and extensions to the standard LDAP schema developed by Netscape and by the Internet Engineering Task Force (IETF) that extend the basic functionality of LDAP.

Initially developed at the University of Michigan, LDAP is a lightweight version of the X.500 Directory Access Protocol (DAP). LDAP has become an Internet standard for directory services that run over TCP/IP.

Netscape Directory Server version 3.0 and later supports LDAPv2 and LDAPv3.

How LDAP Works
One or more LDAP servers contain the data that make up the LDAP directory. An LDAP client connects to an LDAP server and submits a query to request or update directory information. As long as access rights are granted to the client, the LDAP server responds to the query. The LDAP server may also refer the query to another LDAP server for response.

An LDAP directory stores information in object-oriented hierarchies of entries. Each entry is uniquely identified by a distinguished name, or DN. The DN consists of the name of the entry plus a path of names tracing the entry back to the top of the directory hierarchy.


Object Classes
In LDAP, an object class defines the collection of attributes that can be used to define an entry. The LDAP standard provides these basic types of object classes:

Object Class Inheritance
An entry can belong to more than one object class. For example, the entry for a person is defined by the person object class, but may also be defined by attributes in the inetOrgPerson, groupOfNames, and organization object classes.

The server's object class structure (its schema) determines the total list of required and allowed attributes for a particular entry. For example, a person entry is usually defined with the following object class structure:

    objectClass: top
    objectClass: person
    objectClass: organizationalPerson
    objectClass: inetOrgPerson

In this structure, the inetOrgPerson object class should not be placed on an entry until the person and organizationalPerson object classes have been defined on the entry.

Reserved Object Classes
Reserved schema includes object classes that are essential to software operation but not meant for development purposes and object classes reserved for future use. These object classes are not meant to be used to extend server functionality.


Attributes
Directory data is represented as attribute-value pairs. Any specific piece of information is associated with a descriptive attribute.

For instance, the commonName, or cn, attribute is used to store a person's name. A person named Jonas Salk can be represented in the directory as

cn: Jonas Salk

Each person entered in the directory is defined by the collection of attributes in the person object class. Other attributes used to define this entry could include:

    givenname: Jonas
    surname: Salk
    mail: jonass@airius.com

Required and Allowed Attributes
Required attributes include the attributes that must be present in entries using the object class. All entries require the objectClass attribute, which lists the object classes to which an entry belongs.

Allowed attributes include the attributes that may be present in entries using the object class. For example, in the person object class, the cn and sn attributes are required. The description, telephoneNumber, seeAlso, and userPassword attributes are allowed but are not required.

Attribute Syntax
Each attribute has a corresponding syntax definition. The syntax definition describes the type of information provided by the attribute.

Attribute syntax is used by the Directory Server to perform sorting and pattern matching.

Table 1.2 Attribute Syntax

| Syntax Method | Abbreviation | Definition |
|---|---|---|
| Binary | bin | Indicates that values for this attribute are binary. |
| Boolean | boolean | Having two values: On or Off, True or False, Yes or No. |
| Case Exact String | ces | Indicates that values for this attribute are case sensitive. |
| Case Ignore String | cis | Indicates that values for this attribute are not case sensitive. |
| Telephone | tel | Telephone number (identical to cis, but blanks and dashes (-) are ignored during comparisons). |
| Distinguished Name | dn | Indicates that values for this attribute are DNs. |
| Integer | int | Indicates that valid values for this attribute are numbers. |
| Operational | operational | Operational attributes are not displayed in search results. |

Required and allowed attributes for each object class are included in the object class listing.

Attributes that are single-valued (that is, only one instance of the attribute can be specified) are noted as such.
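The comparison rules in Table 1.2 decide whether two attribute values are "equal" and how the server orders them when sorting. The following added example (not Netscape code; written for this page) implements the equality and ordering semantics of each comparison syntax in the table, so that a reader can see, for instance, why a telephone value with blanks and dashes matches one without them. The DN normalisation is a deliberate simplification: it assumes no escaped or quoted commas in RDN values, and the operational syntax is omitted because it governs visibility, not comparison.

```python
"""Value matching and ordering for the Directory Server attribute syntaxes.

Added example, not code from Netscape Directory Server. The DN handling
assumes plain RDNs (no escaped or quoted separators).
"""
import re


def _normalize_dn(value: str) -> str:
    """Canonical form of a DN: split on ',', trim whitespace around the
    attribute name and value, collapse internal blanks, fold case."""
    rdns = []
    for rdn in value.split(","):
        attr, _, val = rdn.partition("=")
        rdns.append(f"{attr.strip().lower()}={' '.join(val.split()).lower()}")
    return ",".join(rdns)


def normalize(syntax: str, value):
    """Return the comparison key for a value under the given syntax method."""
    if syntax == "bin":
        # binary: compared byte for byte; value must be bytes-like
        return bytes(value)
    if syntax == "ces":
        # case exact string: the value itself is the key
        return value
    if syntax == "cis":
        # case ignore string: fold case only
        return value.lower()
    if syntax == "tel":
        # telephone: like cis, but blanks and dashes are ignored
        return re.sub(r"[ \-]", "", value).lower()
    if syntax == "dn":
        return _normalize_dn(value)
    if syntax == "int":
        # integer: numeric comparison, so "010" == "10" and "9" < "10"
        return int(value)
    if syntax == "boolean":
        folded = value.lower()
        if folded in ("true", "on", "yes"):
            return True
        if folded in ("false", "off", "no"):
            return False
        raise ValueError(f"not a boolean value: {value!r}")
    raise ValueError(f"unknown syntax method: {syntax}")


def values_match(syntax: str, a, b) -> bool:
    """Equality of two attribute values under the attribute's syntax."""
    return normalize(syntax, a) == normalize(syntax, b)


def sort_values(syntax: str, values):
    """Order values the way a sorted search would, using the syntax key."""
    return sorted(values, key=lambda v: normalize(syntax, v))


if __name__ == "__main__":
    # constructed sample values
    print(values_match("tel", "+1 650 555-1212", "+16505551212"))   # True
    print(values_match("ces", "Jonas Salk", "jonas salk"))          # False
    print(sort_values("int", ["10", "9", "100"]))                   # ['9', '10', '100']
```

A practical consequence worth noticing: an attribute declared with the wrong syntax (for example, a case-sensitive identifier stored as cis) silently changes which values the server treats as identical, so the syntax choice belongs in the schema design review, not just the attribute's documentation.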


Object Identifiers (OIDs)
Object identifiers (OIDs) are assigned to all attributes and object classes to conform to the LDAP and X.500 standards. An OID is a sequence of integers, typically written as a dot-separated string. When no OID is specified, the Directory Server automatically uses <ObjectClass name>-oid.

The Netscape base OID is

2.16.840.1.113730

The base OID for the Netscape Directory Server is

2.16.840.1.113730.3

All Netscape-defined attributes have the base OID of

2.16.840.1.113730.3.1

All Netscape-defined object classes have the base OID of

2.16.840.1.113730.3.2


Extending Server Schema

The Directory Server schema includes hundreds of object classes and attributes that can be used to meet most Directory Server requirements. This schema can be extended with new object classes and attributes that meet evolving requirements for the directory service in the enterprise.

When adding new attributes to the schema, a new object class should be created to contain them (adding a new attribute to an existing object class can compromise the Directory Server's compatibility with existing LDAP clients that rely on the standard LDAP schema and may cause difficulties when upgrading the server).

For more information about extending server schema, refer to the Netscape Directory Server Deployment Manual.


Schema Checking
Netscape recommends running the Directory Server with schema checking turned on.

Schema checking causes the Netscape Directory Server to check new entries to verify the following:

Schema checking also occurs when entries are modified and when importing a database using LDIF. For more information, refer to the Netscape Directory Server Administration Guide.
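The checks that schema checking performs follow directly from the object class model described earlier in this chapter: every entry carries objectClass, each object class contributes required and allowed attributes, and a subordinate class such as inetOrgPerson is only valid once its superiors are on the entry. The following added example (not Netscape code; written for this page) parses one LDIF entry and reports those violations. The person and top definitions follow the text above; the organizationalPerson and inetOrgPerson attribute lists are an assumed, abbreviated subset used only for illustration.

```python
"""Schema checking for a single LDIF entry.

Added example, not code from Netscape Directory Server. SCHEMA is a
simplified subset: person and top follow this chapter, while the
organizationalPerson and inetOrgPerson attribute lists are assumed.
"""
from typing import Dict, List

# superior class, required (MUST) and allowed (MAY) attributes, lowercased
SCHEMA: Dict[str, dict] = {
    "top": {"sup": None, "must": {"objectclass"}, "may": set()},
    "person": {"sup": "top", "must": {"cn", "sn"},
               "may": {"description", "telephonenumber", "seealso", "userpassword"}},
    # assumed subset of the real definitions, for illustration only
    "organizationalperson": {"sup": "person", "must": set(),
                             "may": {"title", "ou", "l", "postaladdress"}},
    "inetorgperson": {"sup": "organizationalperson", "must": set(),
                      "may": {"givenname", "mail", "uid", "employeenumber"}},
}


def parse_ldif_entry(text: str) -> Dict[str, List[str]]:
    """Parse one LDIF entry into {attribute name (lowercased): [values]}.
    Handles folded continuation lines; base64 (::) values are not supported."""
    lines: List[str] = []
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # continuation of the previous line
        else:
            lines.append(raw)
    entry: Dict[str, List[str]] = {}
    for line in lines:
        name, _, value = line.partition(":")
        entry.setdefault(name.strip().lower(), []).append(value.strip())
    return entry


def check_entry(entry: Dict[str, List[str]], schema=SCHEMA) -> List[str]:
    """Return the schema violations for an entry; an empty list means it passes."""
    problems: List[str] = []
    classes = [c.lower() for c in entry.get("objectclass", [])]
    if not classes:
        return ["objectClass attribute is required on every entry"]
    must, may = set(), set()
    for oc in classes:
        definition = schema.get(oc)
        if definition is None:
            problems.append(f"unknown object class: {oc}")
            continue
        sup = definition["sup"]
        # a class may not be placed on an entry before its superior is
        if sup is not None and sup not in classes:
            problems.append(f"{oc} requires its superior {sup} on the entry")
        must |= definition["must"]
        may |= definition["may"]
    allowed = must | may | {"dn"}         # the dn line names the entry, it is not an attribute
    for attr in sorted(must):
        if attr not in entry:
            problems.append(f"required attribute missing: {attr}")
    for attr in entry:
        if attr not in allowed:
            problems.append(f"attribute not allowed by any object class: {attr}")
    return problems


# constructed sample entry, modelled on the Jonas Salk example in this chapter
VALID_ENTRY = """dn: cn=Jonas Salk,o=Airius
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
cn: Jonas Salk
sn: Salk
givenName: Jonas
mail: jonass@airius.com
"""

if __name__ == "__main__":
    print(check_entry(parse_ldif_entry(VALID_ENTRY)))   # []
```

Running the checker over an LDIF file before importing it gives the same answer the server would give with schema checking turned on, which is useful when a bulk load fails part-way and the rejected entries must be found.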


Sources of Related Information
Table 1.3 Schema-Related Directory Server Documentation

| Where to Find . . . | Look in . . . |
|---|---|
| detailed information about object classes, attributes, and how the Directory Server uses the schema | Netscape Directory Server Deployment Manual |
| procedures for copying or migrating schema from one server instance to another | Netscape Directory Server Installation Manual |
| information about extending schema | Netscape Directory Server Administration Guide |
| Directory Server Release 4.0 documentation on-line | http://home.netscape.com/eng/server/directory/4.0/relnotes.html |

Table 1.4 LDAP Specifications (RFCs)

| Title | Summary |
|---|---|
| Lightweight Directory Access Protocol (RFC 1777) | The protocol described in this document is designed to provide access to the X.500 Directory while not incurring the resource requirements of the Directory Access Protocol (DAP). |
| The String Representation of Standard Attribute Syntaxes (RFC 1778) | This document defines the encoding rules for the standard set of attribute syntaxes. |
| A String Representation of Distinguished Names (RFC 1779) | This specification defines a string format for representing names, which is designed to give a clean representation of commonly used names, while being able to represent any distinguished name. |
| Using the OSI Directory to Achieve User Friendly Naming (RFC 1781) | This proposal sets out some conventions for representing names in a friendly manner, and shows how this can be used, then specifies a standard format for representing names. |
| Schema Publishing in X.500 Directory (RFC 1804) | This document presents a solution to the schema distribution problem using the existing mechanisms of the directory. A naming scheme for naming schema objects and a meta-schema for storing schema objects is presented. |
| The LDAP Application Program Interface (RFC 1823) | This document defines a C language application program interface to the lightweight directory access protocol (LDAP). The LDAP API defines compatible synchronous and asynchronous interfaces to LDAP. |
| An LDAP URL Format (RFC 1959) | This document describes a format for an LDAP Uniform Resource Locator which will allow Internet clients to have direct access to the LDAP protocol. |
| A String Representation of LDAP Search Filters (RFC 1960) | This document defines a human-readable string format for representing LDAP search filters. |
| Lightweight Directory Access Protocol (v3) (RFC 2251) | The protocol described in this document is designed to provide access to directories supporting the X.500 models, while not incurring the resource requirements of the X.500 Directory Access Protocol (DAP). |
| LDAPv3 Attribute Syntax Definitions (RFC 2252) | Defines a set of syntaxes for LDAPv3, and the rules by which attribute values of these syntaxes are represented as octet strings for transmission in the LDAP protocol. |
| UTF-8 String Representation of Distinguished Names (RFC 2253) | This specification defines the string format for representing names, which is designed to give a clean representation of commonly used distinguished names, while being able to represent any distinguished name. |
| The String Representation of LDAP Search Filters (RFC 2254) | Some applications may find it useful to have a common way of representing these search filters in a human-readable form. This document defines a human-readable string format for representing LDAP search filters. |
| The LDAP URL Format (RFC 2255) | This document describes a format for an LDAP Uniform Resource Locator. The format describes an LDAP search operation to perform to retrieve information from an LDAP directory. |
| A Summary of the X.500(96) User Schema for use with LDAPv3 (RFC 2256) | This document provides an overview of the attribute types and object classes defined by the ISO and ITU-T committees in the X.500 documents, in particular those intended for use by directory clients. This is the most widely used schema for LDAP/X.500 directories, and many other schema definitions for white pages objects use it as a basis. |
| An Approach for Using LDAP as a Network Information Service (RFC 2307) | This document describes an experimental mechanism for mapping entities related to TCP/IP and the UNIX system into X.500 [X500] entries so that they may be resolved with the Lightweight Directory Access Protocol [RFC2251]. A set of attribute types and object classes are proposed, along with specific guidelines for interpreting them. |

Table 1.5 Additional LDAP Resources

| Resource | URL |
|---|---|
| More information about OIDs, or to request a prefix for your enterprise. | IANA (Internet Assigned Number Authority) website at http://www.iana.org/iana/ |
| Internet Engineering Task Force (IETF) home page | http://www.ietf.org/ |
| LDAP Frequently asked questions | http://www.critical-angle.com/ldapworld/ldapfaq.html |
| University of Michigan's LDAP page | http://www.umich.edu/~dirsvcs/ldap/index.html |
| LDAP Resources page on Netscape's DevEdge On-line | http://devedge/tech/directory/index.html?content=resources.html |


© Copyright 1998 Netscape Communications Corporation