Sun Directory Services 3.1 Administration Guide

Directory Information

The information held in the directory consists of entries and alias entries, which provide the information base, and of infrastructure information, which determines how the information base is structured.

Directory Entries

A directory entry is a set of attributes and their values. Every entry has an object class attribute, which specifies the kind of object the entry describes and defines the set of attributes it contains. For a given object class, some attributes are mandatory and some are optional. For example, the object class country is described by the mandatory attribute countryName, and the optional attributes description and searchGuide.

The schema defines the attributes that are mandatory and optional for an entry of a given object class. It also defines an inheritance hierarchy. All object classes inherit the characteristics of their superior object class. For example, the object class organizationalPerson is a subclass of the Person object class. It inherits the mandatory and optional attributes from the Person object class.

All object classes inherit from the object class top. The object class top contains the mandatory attribute objectClass. This ensures that all entries have an object class attribute.

There are two types of object classes: structural and auxiliary. A structural object class defines the type of entry. An entry can have only one structural object class. An auxiliary object class is not sufficient on its own to define a type of entry, but it can be specified in addition to a structural object class. For example, the auxiliary object class uidObject can be used to assign a uid to any entry in the directory.
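The following example, added here and not taken from the Sun Directory Services guide, models the schema rules described above: object classes inherit from their superior up to top, the mandatory and optional attributes of an entry are the union over that chain, and an entry needs exactly one structural object class (plus any auxiliary ones). The attribute lists for person, organizationalPerson and uidObject are assumptions modelled on the standard LDAP schema, not on the product's default schema; country uses the attributes named in the text.

```python
# Added example: object-class inheritance and entry validation.
# The class definitions are assumptions modelled on the standard LDAP
# schema (RFC 2256) and on the classes named in the guide.
from dataclasses import dataclass
from typing import FrozenSet, Optional


@dataclass
class ObjectClass:
    name: str
    superior: Optional[str]     # None only for the root class 'top'
    kind: str                   # 'abstract', 'structural' or 'auxiliary'
    must: FrozenSet[str] = frozenset()
    may: FrozenSet[str] = frozenset()


SCHEMA = {oc.name.lower(): oc for oc in [
    ObjectClass("top", None, "abstract", frozenset({"objectClass"})),
    ObjectClass("country", "top", "structural",
                frozenset({"countryName"}), frozenset({"description", "searchGuide"})),
    ObjectClass("person", "top", "structural",
                frozenset({"sn", "cn"}),
                frozenset({"userPassword", "telephoneNumber", "seeAlso", "description"})),
    ObjectClass("organizationalPerson", "person", "structural",
                frozenset(), frozenset({"title", "ou", "l", "postalAddress"})),
    ObjectClass("uidObject", "top", "auxiliary", frozenset({"uid"})),
]}


def ancestors(name):
    """Names (lower-cased) of the class and every superior up to 'top'."""
    chain, oc = [], SCHEMA[name.lower()]
    while oc is not None:
        chain.append(oc.name.lower())
        oc = SCHEMA[oc.superior.lower()] if oc.superior else None
    return chain


def effective_attributes(name):
    """Union of the MUST and MAY sets along the inheritance chain."""
    must, may = set(), set()
    for cls in ancestors(name):
        must |= SCHEMA[cls].must
        may |= SCHEMA[cls].may
    return must, may


def validate_entry(entry):
    """Return a list of schema violations; an empty list means the entry is valid.

    entry maps attribute name -> list of values, e.g. {"objectClass": [...], "cn": [...]}.
    """
    present = {a.lower(): a for a in entry}
    classes = entry.get("objectClass", [])
    unknown = [c for c in classes if c.lower() not in SCHEMA]
    if unknown:
        return [f"unknown object class {c}" for c in unknown]
    problems = []
    structural = [c for c in classes if SCHEMA[c.lower()].kind == "structural"]
    if not structural:
        problems.append("no structural object class")
    # Several structural classes are fine only if they lie on one chain
    # (e.g. person and organizationalPerson); otherwise the entry type is ambiguous.
    elif not any(all(s.lower() in ancestors(c) for s in structural) for c in structural):
        problems.append("more than one structural object class: " + ", ".join(sorted(structural)))
    must, may = set(), set()
    for c in classes:
        m, o = effective_attributes(c)
        must |= m
        may |= o
    allowed = {a.lower() for a in must | may}
    for a in sorted(must):
        if a.lower() not in present:
            problems.append(f"missing mandatory attribute {a}")
    for a in sorted(present.values()):
        if a.lower() not in allowed:
            problems.append(f"attribute {a} not allowed by object classes")
    return problems


if __name__ == "__main__":
    print(validate_entry({"objectClass": ["country"], "description": ["example"]}))
```

Because objectClass is mandatory in top, every class inherits it, which is how the check above guarantees that an entry without an object class attribute is rejected rather than silently accepted.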

Distinguished Name and Relative Distinguished Name

Directory information is hierarchical, with entries organized in a tree structure. Each entry has a parent entry and can have child entries. The top of the hierarchy is known as the root entry.

An entry is identified by its distinguished name (DN). A distinguished name is a sequence of attributes and values. The first attribute and its value provide the entry's relative distinguished name (RDN). The rest of the sequence is the distinguished name of the parent entry. A distinguished name is unique throughout the whole directory service.
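As an added illustration of the DN and RDN rules above (example code, not part of the guide), the block below splits a DN into its RDNs, derives the RDN and the parent DN, and checks a set of DNs for the two properties the text states: every DN is unique, and every entry except a root has a parent. The sample DNs are constructed to mirror the guide's o=XYZ, c=US example; treating a single-RDN name as a root entry and comparing values case-insensitively are simplifications made for this example.

```python
# Added example: DN splitting, RDN/parent derivation and hierarchy checks.
# Not from the Sun Directory Services guide; sample DNs are constructed.
import re


def _split_unescaped(s, sep):
    """Split on sep, leaving backslash-escaped characters untouched."""
    parts, buf, i = [], "", 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            buf += s[i:i + 2]
            i += 2
            continue
        if s[i] == sep:
            parts.append(buf)
            buf = ""
        else:
            buf += s[i]
        i += 1
    parts.append(buf)
    return parts


def _unescape(value):
    return re.sub(r"\\(.)", r"\1", value)


def _escape(value):
    return value.replace("\\", "\\\\").replace(",", "\\,")


def split_dn(dn):
    """Return the DN as a list of (attribute, value) RDN pairs, leftmost first.

    A backslash escapes a comma inside a value, e.g. 'o=Smith\\, Inc'.
    Attribute types never contain '=', so the first '=' separates type and value.
    """
    pairs = []
    for part in _split_unescaped(dn, ","):
        attr, sep, value = part.strip().partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise ValueError(f"malformed RDN {part!r} in {dn!r}")
        pairs.append((attr.strip(), _unescape(value.strip())))
    return pairs


def rdn(dn):
    """The entry's own relative distinguished name (first attribute and value)."""
    return split_dn(dn)[0]


def parent_dn(dn):
    """The rest of the sequence names the parent; '' for a root entry."""
    return ", ".join(f"{a}={_escape(v)}" for a, v in split_dn(dn)[1:])


def normalize_dn(dn):
    """Comparison key: case-insensitive types and values, collapsed spaces.
    Assumes every naming attribute uses case-insensitive matching."""
    return tuple((a.lower(), " ".join(v.split()).lower()) for a, v in split_dn(dn))


def check_hierarchy(dns):
    """Report DNs that are not unique and entries whose parent does not exist."""
    problems, seen = [], set()
    for dn in dns:
        key = normalize_dn(dn)
        if key in seen:
            problems.append(f"duplicate DN: {dn}")
        seen.add(key)
    for dn in dns:
        if len(split_dn(dn)) > 1 and normalize_dn(parent_dn(dn)) not in seen:
            problems.append(f"missing parent for: {dn}")
    return problems


# Constructed sample tree modelled on the guide's example; the last two
# entries are deliberately wrong (a case-only duplicate and an orphan).
SAMPLE_DNS = [
    "c=US",
    "o=XYZ, c=US",
    "ou=Personnel, o=XYZ, c=US",
    "role=Personnel Administrator, ou=Personnel, o=XYZ, c=US",
    "cn=Stan Smith, role=Personnel Administrator, ou=Personnel, o=XYZ, c=US",
    "cn=personnel, o=XYZ, c=US",
    "o=xyz,c=us",
    "cn=Orphan, ou=Nowhere, o=XYZ, c=US",
]

if __name__ == "__main__":
    for p in check_hierarchy(SAMPLE_DNS):
        print(p)
```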

Figure 1-1 shows an example of how directory information is structured, with the DNs and RDNs of the shaded entries.

Figure 1-1 Directory Information Structure


The attributes that can be part of a DN are called naming attributes. In the default schema provided with Sun Directory Services, the naming attributes are:

Aliasing

You can define an alias entry. An alias entry is identified by a distinguished name (DN). It contains the name of the directory entry it represents (the aliased object name). The alias entry and the entry it represents must be under the same root entry. For the full definition of the alias object class, refer to "Object Class Reference".

For bind and search operations, you can specify that the directory should translate an alias DN to the DN of the actual entry. This is known as dereferencing the alias. For other operations, you treat the alias entry as an ordinary entry and do not dereference it, for example when you modify the RDN of the alias entry itself rather than that of the aliased object.

Alias Entries and Searching

The result of a search or read operation involving an alias entry differs depending on whether or not you dereference the alias. Alias dereferencing is specified by the LDAP client. There are four possible settings for the alias dereference flag:

For example, suppose your directory contains the following pair of entries:

cn=Stan Smith, role=Personnel Administrator, ou=Personnel, o=XYZ, c=US

with attributes:

    objectclass=orgPerson
    cn=Stan Smith
    telephoneNumber=123 456 7890
    mail=dtmail

cn=personnel, o=XYZ, c=US

with attributes:

    objectclass=alias
    objectclass=aliasObject
    cn=personnel
    aliasedObjectName="cn=Stan Smith, role=Personnel Administrator, ou=Personnel, o=XYZ, c=US"

With alias dereferencing when searching, if you search for the telephone number of cn=personnel in the subtree o=XYZ, c=US, you will see Stan Smith's telephone number. With no alias dereferencing, you would not see any telephone number.

Defining aliases for roles is particularly useful when the person occupying a role changes frequently (the duty network manager for out-of-hours calls, for example), so that users always query the same entry. You can change the value of the aliasedObjectName with a script that runs on a schedule and calls ldapmodify to make the changes.

See the ldapsearch(1) man page for details of how to specify how alias dereferencing is used in ldapsearch.

Alias Entries and Authentication

To perform certain operations on the directory, users need to be authenticated. This is the case for modifications of directory content, or for reading the userPassword attribute of an entry. The level of access permitted is established during the bind process. For details, refer to "Binding to the Directory".

The DN supplied in a bind request can be the DN of an alias entry. With alias dereferencing, the user binds with the DN contained in the aliasedObjectName of the alias entry, and is granted the access rights defined for the entry with that DN.

Alias dereferencing during a bind operation is a configuration choice that needs to be made for the LDAP server. If aliases are not being dereferenced and the user binds with the DN of an alias entry, access is denied because the password attribute is not present. This also means that if you allow alias dereferencing, you allow users to bind without a password.

For information on specifying alias dereferencing for Sun Directory Services, refer to "Configuring LDAP Parameters".
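The example below is added here and is not code from the Sun Directory Services guide. It serves both "Alias Entries and Searching" and "Alias Entries and Authentication": a small in-memory directory modelled on the guide's o=XYZ, c=US example shows how the client's alias dereference setting changes what a search returns, and how the server-side choice to dereference aliases on bind decides whether a bind with an alias DN is denied for lack of a userPassword attribute or is evaluated against the aliased entry and granted that entry's access rights. The four dereference modes used are the standard LDAP ones (never, search, find, always) rather than the guide's own list. The entries, the duty-manager alias and the password are constructed; DNs are assumed to contain no escaped commas and to compare case-insensitively.

```python
# Added example: alias dereferencing in search and in bind. Not from the
# guide; all entries, the password and the Help Desk subtree are constructed.
import hmac

DEREF_MODES = ("never", "search", "find", "always")


def norm(dn):
    """Comparison key for a DN (assumes no escaped commas, case-insensitive values)."""
    return tuple(" ".join(p.split()).lower() for p in dn.split(","))


STAN = "cn=Stan Smith, role=Personnel Administrator, ou=Personnel, o=XYZ, c=US"

# Constructed directory content. The password is made up and stored in the
# clear only to keep the example short.
ENTRIES = {norm(dn): (dn, attrs) for dn, attrs in {
    "c=US": {"objectClass": ["country"], "c": ["US"]},
    "o=XYZ, c=US": {"objectClass": ["organization"], "o": ["XYZ"]},
    "ou=Personnel, o=XYZ, c=US": {"objectClass": ["organizationalUnit"], "ou": ["Personnel"]},
    "role=Personnel Administrator, ou=Personnel, o=XYZ, c=US":
        {"objectClass": ["organizationalRole"], "role": ["Personnel Administrator"]},
    STAN: {"objectClass": ["person"], "cn": ["Stan Smith"], "sn": ["Smith"],
           "telephoneNumber": ["123 456 7890"], "userPassword": ["example-only"]},
    "cn=personnel, o=XYZ, c=US":
        {"objectClass": ["alias"], "cn": ["personnel"], "aliasedObjectName": [STAN]},
    # A role alias in its own subtree (in the spirit of the guide's duty-manager
    # remark); its target lies outside that subtree.
    "ou=Help Desk, o=XYZ, c=US": {"objectClass": ["organizationalUnit"], "ou": ["Help Desk"]},
    "cn=duty manager, ou=Help Desk, o=XYZ, c=US":
        {"objectClass": ["alias"], "cn": ["duty manager"], "aliasedObjectName": [STAN]},
}.items()}


def is_alias(attrs):
    return "alias" in (c.lower() for c in attrs.get("objectClass", []))


def dereference(key, limit=8):
    """Follow aliases to the entry they name; (None, None) if dangling or looping."""
    hit = ENTRIES.get(key)
    while hit and is_alias(hit[1]) and limit:
        key, limit = norm(hit[1]["aliasedObjectName"][0]), limit - 1
        hit = ENTRIES.get(key)
    return (key, hit) if hit and not is_alias(hit[1]) else (None, None)


def matches(attrs, attr, value):
    """Equality filter on one attribute; value '*' means 'attribute present'."""
    vals = [v for a, vs in attrs.items() if a.lower() == attr.lower() for v in vs]
    return bool(vals) if value == "*" else value.lower() in [v.lower() for v in vals]


def search(base, scope, filt, mode):
    """Return {dn: attrs} for entries in scope ('base', 'one' or 'sub') matching filt.

    'find' and 'always' dereference an alias given as the base object;
    'search' and 'always' dereference aliases met while walking the scope.
    """
    assert mode in DEREF_MODES
    base_key = norm(base)
    base_key, hit = dereference(base_key) if mode in ("find", "always") else (base_key, ENTRIES.get(base_key))
    if hit is None:
        return {}
    results = {}
    for key, (dn, attrs) in ENTRIES.items():
        depth = len(key) - len(base_key)
        in_scope = key[-len(base_key):] == base_key and (
            scope == "sub" or (scope == "base" and depth == 0) or (scope == "one" and depth == 1))
        if not in_scope:
            continue
        if key != base_key and is_alias(attrs) and mode in ("search", "always"):
            _, hit = dereference(key)
            if hit is None:
                continue            # dangling alias: nothing to return for it
            dn, attrs = hit
        if matches(attrs, *filt):
            results[dn] = attrs
    return results


def bind(dn, password, deref_on_bind):
    """Simple bind. Returns (ok, detail): the DN whose access rights apply, or the reason for denial."""
    key = norm(dn)
    key, hit = dereference(key) if deref_on_bind else (key, ENTRIES.get(key))
    if hit is None:
        return False, "no such entry"
    bound_dn, attrs = hit
    stored = attrs.get("userPassword", [])
    if not stored:
        return False, "no userPassword attribute"     # the guide's 'access is denied' case
    if not any(hmac.compare_digest(password, s) for s in stored):
        return False, "invalid credentials"
    return True, bound_dn


if __name__ == "__main__":
    for mode in DEREF_MODES:
        hits = search("ou=Help Desk, o=XYZ, c=US", "sub", ("telephoneNumber", "*"), mode)
        print(mode, [a["telephoneNumber"] for a in hits.values()])
    print(bind("cn=personnel, o=XYZ, c=US", "example-only", False))
    print(bind("cn=personnel, o=XYZ, c=US", "example-only", True))
```

Run as written, the subtree search under ou=Help Desk returns Stan Smith's telephone number only for the modes that dereference aliases met during the search; the other two return nothing, because the alias entry itself has no telephoneNumber. The bind calls show the two outcomes the text describes: denied without dereferencing, and on success the session carries the aliased entry's DN, which is the DN an access-control check should be made against.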