iPlanet Delegated Administrator 4.5 Deployment and Customization Guide
Appendix C Delegated Administrator Schema
Schema files are stored in <NSHOME>/slapd-<serverID>/config during installation (where <NSHOME> is the installation directory and <serverID> is the name given to the Directory Server instance). Modifications to directory object classes are stored in slapd.user_oc.conf. Modifications to directory attributes are stored in slapd.user_at.conf. Modifying other schema files may result in interoperability problems.
The object classes listed in this appendix were designed specifically for use with iPlanet Delegated Administrator 4.5. For a comprehensive listing of all schema supported by Directory Server, refer to the Netscape Directory Server Schema Reference.
This appendix includes the following topics:
LDAP Overview
Netscape Directory Server includes object classes and object class attributes defined by the Lightweight Directory Access Protocol (LDAP), together with extensions to the standard LDAP schema developed by Netscape and by the Internet Engineering Task Force (IETF) that extend the basic functionality of LDAP. Initially developed at the University of Michigan, LDAP is a lightweight version of the X.500 Directory Access Protocol (DAP). LDAP has become an Internet standard for directory services that run over TCP/IP.
Netscape Directory Server version 3.0 and later supports LDAPv2 and LDAPv3.
How LDAP Works
One or more LDAP servers contain the data that make up the LDAP directory. An LDAP client connects to an LDAP server and submits a query to request or update directory information. As long as access rights are granted to the client, the LDAP server responds to the query. The LDAP server may also refer the query to another LDAP server for response. An LDAP directory stores information in object-oriented hierarchies of entries. Each entry is uniquely identified by a distinguished name, or DN. The DN consists of the name of the entry plus a path of names tracing the entry back to the top of the directory hierarchy.
Object Classes
In LDAP, an object class defines the collection of attributes that can be used to define an entry. The LDAP standard provides these basic types of object classes:
Groups in the directory, including unordered lists of individual objects or groups of objects.
Locations, such as the country name and description.
Object Class Inheritance
An entry can belong to more than one object class. For example, the entry for a person is defined by the person object class, but may also be defined by attributes in the inetOrgPerson, groupOfNames, and organization object classes. The server's object class structure (its schema) determines the total list of required and allowed attributes for a particular entry. For example, a person entry is usually defined with the following object class structure:
objectClass: organizationalPerson
In this structure, the inetOrgPerson object class should not be placed on an entry until the person and organizationalPerson object classes have been defined on the entry.
Reserved Object Classes
Reserved schema includes object classes that are essential to software operation but not meant for development purposes and object classes reserved for future use. These object classes are not meant to be used to extend server functionality.
Attributes
Directory data is represented as attribute-value pairs. Any specific piece of information is associated with a descriptive attribute. For instance, the commonName, or cn, attribute is used to store a person's name. A person named Jonas Salk can be represented in the directory as:
cn: Jonas Salk
Each person entered in the directory is defined by the collection of attributes in the person object class. Other attributes used to define this entry could include:
Required and Allowed Attributes
Required attributes include the attributes that must be present in entries using the object class. All entries require the objectClass attribute, which lists the object classes to which an entry belongs. Allowed attributes include the attributes that may be present in entries using the object class. For example, in the person object class, the cn and sn attributes are required. The description, telephoneNumber, seeAlso, and userPassword attributes are allowed but are not required.
Attribute Syntax
Each attribute has a corresponding syntax definition. The syntax definition describes the type of information provided by the attribute. Attribute syntax is used by the Directory Server to perform sorting and pattern matching.
Object Identifiers (OIDs)
Object identifiers (OIDs) are assigned to all attributes and object classes to conform to the LDAP and X.500 standards. An OID is a sequence of integers, typically written as a dot-separated string. When no OID is specified, the Directory Server automatically uses <ObjectClass name>-oid.
Table C-1    Base OIDs
Group of Objects    Base OID
Extending Server Schema
The Directory Server schema includes hundreds of object classes and attributes that can be used to meet most Directory Server requirements. This schema can be extended with new object classes and attributes that meet evolving requirements for the directory service in the enterprise. When adding new attributes to the schema, a new object class should be created to contain them (adding a new attribute to an existing object class can compromise the Directory Server's compatibility with existing LDAP clients that rely on the standard LDAP schema and may cause difficulties when upgrading the server).
For more information about extending server schema, refer to the Netscape Directory Server Deployment Manual.
Schema Checking
iPlanet recommends running the Directory Server with schema checking turned on. Schema checking causes the iPlanet Directory Server to check new entries to verify the following:
object classes and attributes are defined in the directory schema
attributes required for an object class are contained in the entry
only attributes allowed by the object class are contained in the entry
Schema checking also occurs when entries are modified and when importing a database using LDIF. For more information, refer to the iPlanet Directory Server Administration Guide.
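As an added illustration, not code from the guide or from Directory Server, the following Python applies the three schema checks listed above to one entry, together with the rule from Object Class Inheritance that a class's superiors must already be on the entry. The schema table is a constructed subset of the standard person, organizationalPerson and inetOrgPerson classes, and the sample entry is constructed as well.

```python
# Added illustration (not code from the guide or from Directory Server) of the
# three schema checks described above. The schema table is a constructed subset
# of the standard person / organizationalPerson / inetOrgPerson chain.
SCHEMA = {  # class: (superior class, required attributes, allowed attributes)
    "top": (None, {"objectClass"}, set()),
    "person": ("top", {"cn", "sn"},
               {"description", "telephoneNumber", "seeAlso", "userPassword"}),
    "organizationalPerson": ("person", set(), {"title", "ou", "l", "st"}),
    "inetOrgPerson": ("organizationalPerson", set(), {"mail", "uid", "givenName"}),
}
# LDAP names are case-insensitive, so every comparison below uses lower case.
_SCHEMA_LC = {k.lower(): v for k, v in SCHEMA.items()}

def superior_chain(oc):
    """Return [oc, its superior, ...] down to top; KeyError if oc is undefined."""
    chain = []
    while oc is not None:
        chain.append(oc.lower())
        oc = _SCHEMA_LC[oc.lower()][0]
    return chain

def check_entry(entry):
    """Check an entry given as {attribute: [values]}; an empty result passes."""
    orig = {a.lower(): a for a in entry}
    attrs = {a.lower(): v for a, v in entry.items()}
    listed = {oc.lower() for oc in attrs.get("objectclass", [])}
    problems, required, allowed = [], set(), set()
    for oc in attrs.get("objectclass", []):
        try:
            chain = superior_chain(oc)
        except KeyError:
            problems.append(f"undefined object class: {oc}")
            continue
        # Inheritance rule: every superior other than top must itself be listed.
        for sup in chain[1:]:
            if sup != "top" and sup not in listed:
                problems.append(f"{oc} requires superior class {sup} on the entry")
        for name in chain:  # required/allowed sets accumulate up the chain
            required |= {a.lower() for a in _SCHEMA_LC[name][1]}
            allowed |= {a.lower() for a in _SCHEMA_LC[name][2]}
    for a in required - set(attrs):
        problems.append(f"missing required attribute: {a}")
    for a in set(attrs) - required - allowed:
        problems.append(f"attribute not allowed by the entry's object classes: {orig[a]}")
    return sorted(problems)

# Constructed sample: inetOrgPerson without organizationalPerson, sn missing,
# and a Delegated Administrator attribute that no listed class allows.
SAMPLE = {"objectClass": ["top", "person", "inetOrgPerson"], "cn": ["Jonas Salk"],
          "mail": ["jsalk@example.com"], "nsMaxUsers": ["20"]}
```

Calling check_entry(SAMPLE) reports all three defects; an entry that also lists organizationalPerson, carries sn, and drops nsMaxUsers (or adds a class that allows it) returns an empty list.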
Delegated Administrator Object Classes
The following sections provide details for these object classes used by Delegated Administrator:
inetAdmin
Supported by
Netscape Delegated Administrator 4.0, iPlanet Delegated Administrator 4.5, Netscape Directory Server 4.0
Definition
Superior Class
OID
Required Attribute
Allowed Attributes
nsManagedDomain
Supported by
Netscape Delegated Administrator 4.0, iPlanet Delegated Administrator 4.5, Netscape Directory Server 4.0
Definition
Stores information for an organization. All organizations must contain this object class in order to be managed by Delegated Administrator.
Superior Class
OID
Required Attribute
Allowed Attributes
nsNumUsers
nsMaxUsers
Specifies the maximum number of users that can be created under this entry.
nsNumDepts
Tracks the number of nested departments that can be created under this object.
nsNumMailLists
Tracks the number of mail lists that can be created below this object or the object containing this attribute.
nsMaxMailLists
Specifies the maximum number of mailing lists that can be created under this entry.
nsNumDomains
Tracks the number of sub-organizations that can be created below this object.
nsMaxDepts
Specifies the maximum number of group entries that can be created under this entry.
nsMaxDomains
Specifies the maximum number of sub-organizations allowed to be created under this entry.
owner
Identifies the distinguished name (DN) of the person or group with administrative privileges over this entry.
nsdaModifiableBy
Specifies who has modify access to the object in which this attribute appears.
nsDefaultMaxDeptSize
nsManagedFamilyGroup
Supported by
Netscape Delegated Administrator 4.0, iPlanet Delegated Administrator 4.5,
Definition
Stores information for a family group managed by a delegated administrator. The family group is like a Group, with a few differences. It has been added primarily to support Delegated Administrator deployments using Sun Internet Message Service (SIMS) 4.0.
Superior Class
OID
Required Attribute
Allowed Attributes
nsNumUsers
Tracks the number of users that can be created under this object.
nsMaxUsers
Specifies the maximum number of users that can be created under this entry.
nsManagedISP
Supported by
Netscape Delegated Administrator 4.0, iPlanet Delegated Administrator 4.5,
Definition
Specifies the default size (in number of users) of a newly created department managed by Delegated Administrator. For example: nsDefaultMaxDeptSize: 20
Syntax
Superior Class
OID
Required Attribute
Allowed Attributes
nsNumDomains
Tracks the number of sub-organizations that can be created under this object.
nsManagedMailList
Supported by
Netscape Delegated Administrator 4.0, iPlanet Delegated Administrator 4.5,
Definition
Stores information for a mail list created by enabled users. A mail list must contain this object class in order to be managed by Delegated Administrator.
Superior Class
OID
Required Attribute
Allowed Attributes
nsNumUsers
Tracks the number of users that can be created under this object.
nsMaxUsers
Specifies the maximum number of users that can be created under this entry.
owner
Identifies the distinguished name (DN) of the person responsible for the entry.
nsdaModifiableBy
Specifies who has modify access to the object in which this attribute appears.
nsManagedOrgUnit
Supported by
Netscape Delegated Administrator 4.0, iPlanet Delegated Administrator 4.5,
Definition
Superior Class
OID
Required Attribute
Allowed Attributes
owner
Identifies the distinguished name (DN) of the person responsible for the entry.
nsdaModifiableBy
Specifies who has modify access to the object in which this attribute appears.
nsManagedPerson
Supported by
Netscape Delegated Administrator 4.0, iPlanet Delegated Administrator 4.5,
Definition
Stores information about a user. A user entry must contain this object class in order to be managed by Delegated Administrator.
Superior Class
OID
Required Attribute
Allowed Attributes
memberOf
Specifies the user's administrator group or department membership.
nsdaDomain
nsdaCapability
owner
Identifies the distinguished name (DN) of the person responsible for the entry.
nsdaModifiableBy
Specifies who has modify access to the object in which this attribute appears.
nsUniquenessDomain
Supported by
Netscape Delegated Administrator 4.0, iPlanet Delegated Administrator 4.5,
Definition
This object class was used as a marker to identify the subtree where the uniqueness of uid should be enforced. The uid uniqueness plugin uses this to determine the scope, or sphere of influence, for enforcing uniqueness.
Superior Class
OID
Required Attribute
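As an added illustration, not code from the guide or from the uid uniqueness plugin, the following Python shows what scoping a uniqueness rule by a marker object class means in practice: each uid is compared only with entries under its nearest ancestor that carries nsUniquenessDomain, so the same uid under two different organizations is not a conflict, while an entry outside every marked subtree is not checked at all. The directory contents are constructed, and the DNs are assumed to contain no escaped commas.

```python
# Added illustration (not code from the guide or the uid uniqueness plugin) of
# how a marker object class scopes a uniqueness check: each uid is compared only
# with entries under its nearest nsUniquenessDomain ancestor. The directory below
# is constructed, and its DNs are assumed to contain no escaped commas.

def normalize_dn(dn):
    """Lower-case a DN and strip the spaces around its RDNs (no escaping handled)."""
    return ",".join(rdn.strip().lower() for rdn in dn.split(","))

def ancestors(dn):
    """Yield the normalized DN itself, then each ancestor, nearest first."""
    rdns = normalize_dn(dn).split(",")
    for i in range(len(rdns)):
        yield ",".join(rdns[i:])

def uniqueness_scope(dn, index):
    """Return the nearest entry on the path to the root (starting with dn itself)
    that carries nsUniquenessDomain, or None if dn lies outside every uniqueness
    domain. index maps normalized DNs to attribute dicts."""
    for anc in ancestors(dn):
        classes = {c.lower() for c in index.get(anc, {}).get("objectClass", [])}
        if "nsuniquenessdomain" in classes:
            return anc
    return None

def find_uid_conflicts(entries):
    """Return {(scope, uid): [dn, ...]} for every uid that occurs more than once
    inside one uniqueness domain. Entries outside any domain are not checked, and
    the same uid under two different domains is not a conflict."""
    index = {normalize_dn(dn): attrs for dn, attrs in entries.items()}
    seen = {}
    for dn, attrs in entries.items():
        scope = uniqueness_scope(dn, index)
        if scope is None:
            continue
        for uid in attrs.get("uid", []):
            seen.setdefault((scope, uid.lower()), []).append(dn)
    return {key: sorted(dns) for key, dns in seen.items() if len(dns) > 1}

# Constructed sample directory: two managed organizations, each a uniqueness domain.
DOMAIN = {"objectClass": ["organization", "nsManagedDomain", "nsUniquenessDomain"]}
def person(uid):
    return {"objectClass": ["inetOrgPerson", "nsManagedPerson"], "uid": [uid]}

ENTRIES = {
    "o=example.com, o=isp": DOMAIN,
    "o=other.net, o=isp": DOMAIN,
    "ou=People, o=example.com, o=isp": {"objectClass": ["organizationalUnit"]},
    "uid=jsalk, ou=People, o=example.com, o=isp": person("jsalk"),
    "uid=jsalk, ou=Staff, o=example.com, o=isp": person("jsalk"),  # same domain: conflict
    "uid=jsalk, o=other.net, o=isp": person("jsalk"),              # other domain: allowed
    "uid=orphan, o=isp": person("jsalk"),                          # no domain: not checked
}
```

find_uid_conflicts(ENTRIES) reports only the two jsalk entries under o=example.com; the copy under o=other.net and the unscoped entry directly under o=isp are left alone.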
Delegated Administrator Attributes
The following sections provide details for these attributes used by Delegated Administrator:
adminRole
Origin
Definition
Specifies the administrator role for this administrator entry.
Syntax
cis
OID
memberOf
Origin
Definition
Specifies the user's administrator group or department membership.
Syntax
dn
OID
nsdaCapability
Origin
Definition
Syntax
OID
nsDADomain
Origin
Definition
Syntax
OID
nsdaModifiableBy
Origin
Definition
Specifies who has modify access to the object in which this attribute appears.
Syntax
dn
OID
nsDefaultMaxDeptSize
Origin
Definition
Specifies the default size (in number of users) of a newly created group.
Syntax
int
OID
nsMaxDepts
Origin
Definition
Specifies the maximum number of group entries that can be created under this entry.
Syntax
int
OID
nsMaxDomains
Origin
Definition
Specifies the maximum number of sub-organizations allowed to be created under this entry.
Syntax
OID
nsMaxMailLists
Origin
Definition
Specifies the maximum number of mailing lists that can be created under this entry.
Syntax
OID
nsNumUsers
Origin
Definition
Identifies the number of user accounts in use in Delegated Administrator.
Syntax
OID
nsMaxUsers
Origin
Definition
Specifies the maximum number of users that can be created under this entry.
Syntax
OID
nsNumDepts
Origin
Definition
Tracks the number of nested departments that can be created under this object.
Syntax
OID
nsNumDomains
Origin
Definition
Tracks the number of sub-organizations that can be created under this object.
Syntax
OID
nsNumMailLists
Origin
Definition
Tracks the number of mail lists that can be created under this object or the object containing this attribute.
Syntax
OID
nsSearchFilter
Origin
Definition
Syntax
cis
OID
owner
Origin
Definition
Identifies the distinguished name (DN) of the person or group with administrative privileges over the entry. For example: owner: cn=John Smith, o=Netscape Communications Corp., c=US
Syntax
dn
OID
Copyright © 2000 Sun Microsystems, Inc. Some preexisting portions Copyright © 2000 Netscape Communications Corp. All rights reserved.
Last Updated May 24, 2001