iPlanet Directory Server Schema Reference: Chapter 1 About Schema

Previous Contents Index DocHome Next

iPlanet Directory Server Schema Reference

Chapter 1 About Schema

This chapter provides an overview of some of the basic concepts of the directory schema, and lists the files in which the schema is described. It describes object classes, attributes and Object Identifiers (OIDs), and briefly discusses extending server schema and schema checking.

Schema Definition

The directory schema is a set of rules that defines how the data can be stored in the directory. The data is stored in the form of directory entries. Each entry is a set of attributes and their values. Each entry must have an object class. The object class specifies the kind of object the entry describes and defines the set of attributes it contains. The schema defines the type of entries allowed, their attribute structure and the syntax of the attributes. The schema can be modified and extended if it does not meet your required needs.
To find detailed information about object classes, attributes, and how the Directory Server uses the schema, please refer to the iPlanet Directory Server Deployment Guide.

Object Classes

In LDAP, an object class defines the set of attributes that can be used to define an entry. The LDAP standard provides some basic types of object classes, including:

Groups, including unordered lists of individual objects or groups of objects.

Locations, such as the country name and description.

Organizations.

People.

Devices.
Object classes may be subdivided into three types:

Structural: indicates the attributes that the entry may have and where each entry may occur in the DIT. This object class represents the corresponding real world object. Entries must belong to a structural object class, so most object classes are structural object classes.

Auxiliary: indicates the attributes that the entry may have. Does not represent a real world object, but represents additional attributes that can be associated with some structural object class to supplement its specification. Each entry, while belonging to only a single structural object class, may belong to zero or more auxiliary object classes.

Abstract: defined purely for the purpose of serving as a superclass or template for other (structural) object classes. It is a way of conveniently collecting together a set of attributes which it is known will be common to a set of structural object classes, in order that these classes may be derived as subclasses of the abstract class rather than being defined from scratch. Note that an entry may not belong to an abstract object class.
Note that the Directory Server currently does not distinguish between structural and auxiliary object classes.

Required and Allowed Attributes

Every object class includes a number of required attributes and of allowed attributes. Required attributes include the attributes that must be present in entries using the object class. All entries require the objectClass attribute, which defines the object classes assigned to the entry.
Allowed attributes include the attributes that may be present in entries using the object class.
Example: Object Class = person
Required Attributes

objectClass
cn (common name)
sn (surname)

Allowed Attributes

description
seeAlso
telephoneNumber
userPassword

Object Class Inheritance

Each entry should be assigned to one structural object class. All object classes inherit from top. They can also inherit from other object classes. The server's object class structure determines the list of required and allowed attributes for a particular entry. For example, a person entry is usually defined with the following object class structure:

objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgperson

In this structure, the inetOrgperson inherits from the organizationalPerson and person object classes. Therefore, when you assign the inetOrgperson object class to an entry, it automatically inherits the required and allowed attributes from the superior object class.
Note: Object class inheritence is dependant on the order in which the object classes appear in the .ldif file. The order in which object classes appear in the .ldif file must be consistent with the object class heirarchy, otherwise the server will not start. An object class which inherits from another object class must therefore appear after this object class in the .ldif file.

Attributes

Directory data is represented as attribute-value pairs. Any piece of information in the directory is associated with a descriptive attribute.
For instance, the commonName, or cn, attribute is used to store a person's name. A person named Barbara (Babs) Jensen can be represented in the directory as

cn: Babs Jensen

Each person entered in the directory can be defined by the collection of attributes in the inetorgperson object class. Other attributes used to define this entry could include:

givenname: Barbara
surname: Jensen
mail: bjensen@siroe.com

Attribute Syntax

Each attribute has a syntax definition that describes the type of information provided by the attribute.
Attribute syntax is used by the Directory Server to perform sorting and pattern matching.
Table 1-1 lists the different syntax methods that can be applied to attributes, and gives an OID and a definition for each syntax method.

Table 1-1    Attribute Syntax

Syntax and OID

Definition

Binary
1.3.6.1.4.1.1466.115.121.1.5

Indicates that values for this attribute are binary.

Boolean
1.3.6.1.4.1.1466.115.121.1.7

Indicates that this attribute has one of only two values: True or False.

Country String
1.3.6.1.4.1.1466.115.121.1.11

Indicates that values for this attribute are limited to exactly two printable string characters, for example fr.

DN
1.3.6.1.4.1.1466.115.121.1.12

Indicates that values for this attribute are DNs (distinguished names).

DirectoryString
1.3.6.1.4.1.1466.115.121.1.15

Indicates that values for this attribute are not case sensitive.

GeneralizedTime
1.3.6.1.4.1.1466.115.121.1.24

Indicates that values for this attribute are encoded as printable strings. The time zone must be specified. It is strongly recommended to use GMT.

IA5String
1.3.6.1.4.1.1466.115.121.1.26

Indicates that values for this attribute are case sensitive.

INTEGER
1.3.6.1.4.1.1466.115.121.1.27

Indicates that valid values for this attribute are numbers.

OctetString
1.3.6.1.4.1.1466.115.121.1.40

Same behavior as binary.

Postal Address
1.3.6.1.4.1.1466.115.121.1.41

Indicates that values for this attribute are encoded as
dstring[$ dstring]*
where each dstring component is encoded as a value with DirectoryString syntax. Backslashes and dollar characters within dstring must be quoted, so that they will not be mistaken for line delimiters. Many servers limit the postal address to 6 lines of up to thirty characters. For example:
1234 Main St.$Anytown, TX 12345$USA

TelephoneNumber
1.3.6.1.4.1.1466.115.121.1.50

Indicates that values for this attribute are in the form of telephone numbers. It is recommended to use telephone numbers in international form.

URI
1.3.6.1.4.1.250.1.57

Indicates that the values for this attribute are in the form of a URL, introduced by a string such as http://, https://, ftp, LDAP. The URI has the same behavior as IA5String. See RFC 2396.

Single-Valued and Multi-Valued Attributes

By default, most attributes are multi-valued. This means that an entry can contain the same attribute with multiple values. For example, cn, tel and objectClass are all attributes that can have more than one value. Attributes that are single-valued—that is, only one instance of the attribute can be specified—are noted as such. For example, uidNumber can only have one possible value.

Schema Supported by Directory Server 5.1

The schema provided with iPlanet Directory Server 5.1 is described in a set of files stored in the following directory:

/var/ds5/slapd-serverID/config/schema on the Solaris 9 platform

/usr/iplanet/servers/slapd-serverID/config/schema on Solaris 8 and other UNIX platforms

C:\iPlanet\Servers\slapd-serverID\config\schema on Windows platforms
You can modify the schema by creating new object classes and attributes. These modifications are stored in a separate file called 99user.ldif. You should not modify the standard files provided with the Directory Server, because you incur the risk of breaking compatibility with other iPlanet products, or of causing interoperability problems with directory servers from other vendors than iPlanet.
For more information about how the Directory Server stores information and suggestions for planning directory schema, refer to the iPlanet Directory Server Deployment Guide.
The following tables list the schema files that are provided with iPlanet Directory Server. Table 1-2 lists the schema files that are used by the Directory Server. Table 1-3 lists the schema files that are used by other iPlanet products.

Table 1-2    Schema Files used by Directory Server

Schema Filename

Purpose

00core.ldif

Recommended core schema from the X.500 and LDAP standards (RFCs), and schema used by the Directory Server itself

05rfc2247.ldif

Schema from RFC 2247 and related pilot schema "Using Domains in LDAP/X.500 Distinguished Names"

05rfc2927.ldif

Schema from RFC 2927 "MIME Directory Profile for LDAP Schema"

10rfc2307.ldif

Schema from RFC 2307 "An Approach for Using LDAP as a Network Information Service"

20subscriber.ldif

Common schema elements for iPlanet-Nortel subscriber interoperability

25java-object.ldif

Schema from RFC 2713 "Schema for Representing Java(tm) Objects in an LDAP Directory"

28pilot.ldif

Schema from the pilot RFCs, especially RFC 1274, that is no longer recommended by iPlanet for use in new deployments.

30ns-common.ldif

Common iPlanet schema

50ns-directory.ldif

Additional schema used by iPlanet Directory Server 4.x

50ns-value.ldif

iPlanet servers "value item" schema

99user.ldif

Customer modifications to the schema

Table 1-3    Schema Files used by other iPlanet Products

Schema Filenames

Purpose

50iplanet-servicemgt.ldif

iPlanet service management schema elements

50ns-admin.ldif

Schema used by iPlanet Administration Services

50ns-calendar.ldif

iPlanet Calendar Server schema

50ns-certificate.ldif

Schema for iPlanet Certificate Management System

50ns-compass.ldif

Schema for the Netscape Compass Server

50ns-delegated-admin.ldif

Schema for iPlanet Delegated Administrator 4.5

50ns-legacy.ldif

Legacy Netscape Schema

50ns-mail.ldif

Schema for iPlanet Messaging Server

50ns-mcd-browser.ldif

Schema for Netscape Mission Control Desktop - Browser

50ns-mcd-config.ldif

Schema for Netscape Mission Control Desktop - Configuration

50ns-mcd-li.ldif

Schema for Netscape Mission Control Desktop - Location Independence

50ns-mcd-mail.ldif

Schema for Netscape Mission Control Desktop - Mail

50ns-media.ldif

Schema for Netscape Media Server

50ns-mlm.ldif

Schema for iPlanet Mailing List Manager

50ns-msg.ldif

Schema for iPlanet Web Mail

50ns-netshare.ldif

Schema for iPlanet Netshare

50ns-news.ldif

Schema for iPlanet Collabra Server.

50ns-proxy.ldif

Schema for iPlanet Proxy Server

50ns-wcal.ldif

Schema for iPlanet Web Calendaring

50ns-web.ldif

Schema for iPlanet Web Server

Object Identifiers (OIDs)

Object identifiers (OIDs) are assigned to all attributes and object classes to conform to the LDAP and X.500 standards. An OID is a sequence of integers, typically written as a dot-separated string. When no OID is specified, the Directory Server automatically uses ObjectClass_name-oid and attribute_name-oid.
The Netscape base OID is 2.16.840.1.113730.
The base OID for the iPlanet Directory Server is 2.16.840.1.113730.3.
All iPlanet-defined attributes have the base OID of 2.16.840.1.113370.3.1.
All iPlanet-defined object classes have the base OID of 2.16.840.1.113730.3.2.
For more information about OIDs, or to request a prefix for your enterprise, please go to the IANA (Internet Assigned Number Authority) website at http://www.iana.org/.

Extending Server Schema

The Directory Server schema includes hundreds of object classes and attributes that can be used to meet most of your requirements. This schema can be extended with new object classes and attributes that meet evolving requirements for the directory service in the enterprise.
When adding new attributes to the schema, a new object class should be created to contain them (adding a new attribute to an existing object class can compromise the Directory Server's compatibility with existing LDAP clients that rely on the standard LDAP schema and may cause difficulties when upgrading the server).
For more information about extending server schema, refer to the iPlanet Directory Server Deployment Guide.

Schema Checking

You should run Directory Server with schema checking turned on.
The schema checking capability of iPlanet Directory Server checks entries when you add them to the directory or when you modify them, to verify that:

Object classes and attributes in the entry are defined in the directory schema

Attributes required for an object class are contained in the entry

Only attributes allowed by the object class are contained in the entry
Schema checking also occurs when importing a database using LDIF. For more information, refer to the iPlanet Directory Server Administrator's Guide.

Syntax and OID	Definition
Binary 1.3.6.1.4.1.1466.115.121.1.5	Indicates that values for this attribute are binary.
Boolean 1.3.6.1.4.1.1466.115.121.1.7	Indicates that this attribute has one of only two values: True or False.
Country String 1.3.6.1.4.1.1466.115.121.1.11	Indicates that values for this attribute are limited to exactly two printable string characters, for example fr.
DN 1.3.6.1.4.1.1466.115.121.1.12	Indicates that values for this attribute are DNs (distinguished names).
DirectoryString 1.3.6.1.4.1.1466.115.121.1.15	Indicates that values for this attribute are not case sensitive.
GeneralizedTime 1.3.6.1.4.1.1466.115.121.1.24	Indicates that values for this attribute are encoded as printable strings. The time zone must be specified. It is strongly recommended to use GMT.
IA5String 1.3.6.1.4.1.1466.115.121.1.26	Indicates that values for this attribute are case sensitive.
INTEGER 1.3.6.1.4.1.1466.115.121.1.27	Indicates that valid values for this attribute are numbers.
OctetString 1.3.6.1.4.1.1466.115.121.1.40	Same behavior as binary.
Postal Address 1.3.6.1.4.1.1466.115.121.1.41	Indicates that values for this attribute are encoded as dstring[$ dstring]* where each dstring component is encoded as a value with DirectoryString syntax. Backslashes and dollar characters within dstring must be quoted, so that they will not be mistaken for line delimiters. Many servers limit the postal address to 6 lines of up to thirty characters. For example: 1234 Main St.$Anytown, TX 12345$USA
TelephoneNumber 1.3.6.1.4.1.1466.115.121.1.50	Indicates that values for this attribute are in the form of telephone numbers. It is recommended to use telephone numbers in international form.
URI 1.3.6.1.4.1.250.1.57	Indicates that the values for this attribute are in the form of a URL, introduced by a string such as http://, https://, ftp, LDAP. The URI has the same behavior as IA5String. See RFC 2396.

Schema Filename	Purpose
00core.ldif	Recommended core schema from the X.500 and LDAP standards (RFCs), and schema used by the Directory Server itself
05rfc2247.ldif	Schema from RFC 2247 and related pilot schema "Using Domains in LDAP/X.500 Distinguished Names"
05rfc2927.ldif	Schema from RFC 2927 "MIME Directory Profile for LDAP Schema"
10rfc2307.ldif	Schema from RFC 2307 "An Approach for Using LDAP as a Network Information Service"
20subscriber.ldif	Common schema elements for iPlanet-Nortel subscriber interoperability
25java-object.ldif	Schema from RFC 2713 "Schema for Representing Java(tm) Objects in an LDAP Directory"
28pilot.ldif	Schema from the pilot RFCs, especially RFC 1274, that is no longer recommended by iPlanet for use in new deployments.
30ns-common.ldif	Common iPlanet schema
50ns-directory.ldif	Additional schema used by iPlanet Directory Server 4.x
50ns-value.ldif	iPlanet servers "value item" schema
99user.ldif	Customer modifications to the schema

Schema Filenames	Purpose
50iplanet-servicemgt.ldif	iPlanet service management schema elements
50ns-admin.ldif	Schema used by iPlanet Administration Services
50ns-calendar.ldif	iPlanet Calendar Server schema
50ns-certificate.ldif	Schema for iPlanet Certificate Management System
50ns-compass.ldif	Schema for the Netscape Compass Server
50ns-delegated-admin.ldif	Schema for iPlanet Delegated Administrator 4.5
50ns-legacy.ldif	Legacy Netscape Schema
50ns-mail.ldif	Schema for iPlanet Messaging Server
50ns-mcd-browser.ldif	Schema for Netscape Mission Control Desktop - Browser
50ns-mcd-config.ldif	Schema for Netscape Mission Control Desktop - Configuration
50ns-mcd-li.ldif	Schema for Netscape Mission Control Desktop - Location Independence
50ns-mcd-mail.ldif	Schema for Netscape Mission Control Desktop - Mail
50ns-media.ldif	Schema for Netscape Media Server
50ns-mlm.ldif	Schema for iPlanet Mailing List Manager
50ns-msg.ldif	Schema for iPlanet Web Mail
50ns-netshare.ldif	Schema for iPlanet Netshare
50ns-news.ldif	Schema for iPlanet Collabra Server.
50ns-proxy.ldif	Schema for iPlanet Proxy Server
50ns-wcal.ldif	Schema for iPlanet Web Calendaring
50ns-web.ldif	Schema for iPlanet Web Server

Previous Contents Index DocHome Next
Copyright © 2001 Sun Microsystems, Inc. Some preexisting portions Copyright © 2001 Netscape Communications Corp. All rights reserved.

Last Updated October 29, 2001