Technical Case Study: Sun Java Enterprise System SunWeb 4.0

The LDAP Schema

The Java ES installation and configuration process establishes an LDAP schema for the deployment. The LDAP schema is constructed in stages. Depending on the components in the deployment, the schema can be constructed by the Java ES installer, several of the configuration tools, and the LDAP commands.

With Java ES deployments in general, you need to specify the LDAP schema before you install and configure so that you can select the correct installation and configuration parameters. This section describes the LDAP schema for the SunWeb deployment and the installation parameters that you input to construct the schema.

The first step in specifying the schema for a deployment is to identify the services that the directory service must support. For the SunWeb deployment, the directory service must support the following basic services:

These requirements lead to a relatively simple schema for the SunWeb LDAP directory. To support Access Manager, the schema must be brought up to Schema 2.


Note –

Java ES solutions that use Directory Server can use either of two versions of a Sun standard LDAP schema for messaging and calendaring, which are known as Schema 1 and Schema 2. Schema 2 natively supports Access Manager and Access Manager’s single sign-on feature.


To support control of employee access to portal content, a number of object classes and attributes that correspond to the different types of portal content must be added to the schema. Access Manager uses these object classes and attributes to determine which types of content each user is allowed to view.

The installation and configuration process constructs the schema for the SunWeb deployment as follows:

  1. Installing Directory Server creates the basic schema.

  2. Installing Access Manager applies Schema 2 to the directory.

    Directory Server must be installed before Access Manager, and the Directory Server instances must be running while the Access Manager instances are installed.

  3. Adding the object classes and attributes that identify portal services and portal desktop configuration prepares the directory for use in the SunWeb deployment.

    Some of the attributes used in the SunWeb schema make use of Directory Server's filtered role feature. The roles are associated with portal display profiles that specify the personalized content for a portal user based on several attributes.
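
To illustrate the filtered role feature mentioned in step 3, the following added example (not taken from the Sun documentation or from the SunWeb deployment) models how a filtered role is assigned: the role definition carries an LDAP filter in its nsRoleFilter attribute, and every entry that matches the filter holds the role. The role DNs, the suffix, the user entries and the attribute values are constructed for illustration, and the evaluator handles only AND, OR, NOT, equality and presence.

```python
import re

# Constructed role definitions: role DN -> nsRoleFilter value (all names hypothetical).
ROLES = {
    "cn=HRDesktop,o=sunweb.example": "(&(objectClass=person)(departmentNumber=hr))",
    "cn=ManagerDesktop,o=sunweb.example":
        "(&(employeeType=manager)(!(departmentNumber=contractor)))",
}
# Constructed user entries; attribute names are stored lower-cased.
ENTRIES = {
    "alice": {"objectclass": ["person"], "departmentnumber": ["hr"], "employeetype": ["manager"]},
    "bob": {"objectclass": ["person"], "departmentnumber": ["contractor"], "employeetype": ["manager"]},
    "carol": {"objectclass": ["person"], "departmentnumber": ["eng"], "employeetype": ["staff"]},
}
ITEM = re.compile(r"([\w-]+)=([^()]*)\)")

def parse(f, i=0):
    """Parse one filter starting at f[i]; return (tree, index after it)."""
    if f[i:i + 1] != "(" or i + 1 >= len(f):
        raise ValueError("expected '(' at %d" % i)
    i += 1
    if f[i] in "&|!":
        op, i, kids = f[i], i + 1, []
        while f[i:i + 1] == "(":
            node, i = parse(f, i)
            kids.append(node)
        if f[i:i + 1] != ")" or not kids or (op == "!" and len(kids) != 1):
            raise ValueError("malformed %r clause" % op)
        return (op, kids), i + 1
    m = ITEM.match(f, i)
    if not m:
        raise ValueError("bad filter item at %d" % i)
    return ("=", m.group(1).lower(), m.group(2).lower()), m.end()

def matches(node, entry):
    """Evaluate a parsed filter against one entry (equality and presence only)."""
    if node[0] == "=":
        values = [v.lower() for v in entry.get(node[1], [])]
        return bool(values) if node[2] == "*" else node[2] in values
    results = [matches(kid, entry) for kid in node[1]]
    return {"&": all, "|": any}.get(node[0], lambda r: not r[0])(results)

def roles_for(entry):
    """Return the role DNs whose filter the entry satisfies."""
    found = []
    for dn, flt in ROLES.items():
        tree, end = parse(flt)
        if end != len(flt):
            raise ValueError("trailing data in filter for " + dn)
        if matches(tree, entry):
            found.append(dn)
    return sorted(found)
```

Because membership is computed from the entry's own attributes, changing carol's departmentNumber to hr is enough to give her the HRDesktop role, so write access to any attribute named in a role filter needs the same control as the role itself.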