Directory information is stored in directory entries. A directory entry is a set of attributes and their values. For example, SIMS specifies an attribute called commonname, its value would be the user's full name. Another attribute is mailHost. Its value would be the host name.
Directory entries are defined by an object class which specifies the kind of object the entry describes and the set of attributes it contains. For example, SIMS specifies an emailPerson object class which has attributes such as commonname, mail (email address), mailHost, and mailQuota. SIMS also specifies an emailGroup object class which has attributes such as commonname, authorizedSubmitter, and rfc822MailMember.
The set of object classes supported by a directory service is called the directory schema. The schema specifies all the objects and attributes supported by the directory service, as well as which attributes are mandatory and optional for a given object class. See Appendix D, "SIMS Directory Schema and Directory Information Tree," for more information.
Directory entries are organized hierarchically in a tree-like structure called the Directory Information Tree or DIT. Each entry has a parent entry and can have child entries. The top of the hierarchy is known as the root entry.
An entry is identified by its distinguished name (DN). A distinguished name is a sequence of locale-related attributes and values. The first attribute and its value provide the entry's relative distinguished name (RDN). The rest of the sequence is the distinguished name of the parent entry. A distinguished name is unique throughout the whole directory service.
FIGURE 1-5 shows an example of how directory information is structured, with the DNs and RDNs of the shaded entries.
In SIMS, specific directory information is often stored in naming contexts. A naming context is simply a subtree or "branch" of the DIT that is identified by its DN. An example of a naming context would be one which stores all entries for marketing employees of the XYZ Corporation at the Boston office. The name of that naming context might be ou=mktg,ou=Boston,o=XYZ,c=US (ou is organizational unit, o is organization, c is country). Naming contexts are listed under data store in the SIMS Admin Console.
In a general-purpose directory service, you have to decide what information you want to store and how that information will be organized. The SunDS directory service has already been designed for you, though you can modify this design, as described in "Modifying the Schema" on page 200.
Organizational Units
An organizational unit is a layer in the directory information tree (DIT). The number of organizational units in a DIT is dictated by the size of your organization and the structure of the Domain Name Service (DNS). For more conceptual information on the DIT and organizational units, refer to the SIMS Installation Guide.
During installation of the SIMS software, the portion of the DIT that you plan to implement on a particular mail server, including the organizational units, if any, is automatically generated. Subsequently, you can add or delete an organizational unit. For more information, refer to "Creating Organizational Units" on page 66 and "To Delete an Organizational Unit" on page 73.
User Entries
A user entry or user profile contains information on a user. TABLE 1-4 describes each user entry field and whether you must configure a particular field when creating a user entry. A required field is one that actually configures some aspect of the SIMS, while a field that is not required is one that provides incidental information or configures an optional feature.
TABLE 1-4 User Entry Fields
For complete information on the syntax required when configuring these fields, refer to either "To Create a User Entry" on page 59 or "To Modify a User Entry" on page 73.
You can add additional user entry attributes or modify existing ones. For more information, refer to "Modifying the Schema" on page 200.
Group Entries
A group entry contains information for a distribution list. TABLE 1-5 describes each group entry field and whether you must configure a particular field when creating a group entry. A required field is one that actually configures some aspect of the SIMS, while a field that is not required is one that provides incidental information or configures an optional feature.
TABLE 1-5 Group Entry Fields
For complete information on the syntax required when configuring these fields, refer to either "To Create a Group Entry" on page 62 or "To Modify a Group Entry" on page 82.
You can add additional group entry attributes or modify existing ones. For more information, refer to "Modifying the Schema" on page 200.
You can define an alias entry. An alias entry is identified by a distinguished name (DN). It contains the name of the directory entry it represents (the aliased object name). The alias entry and the entry it represents must be in the same data store.
For bind and search operations, you can specify that the directory should translate an alias DN to the DN of the actual entry. This is known as dereferencing the alias. For other operations, you need to treat the alias entry as an ordinary entry and not dereference it, for example, to modify the RDN of the alias entry itself, not of the aliased object.
Alias Entries and Searching
The result of a search or read operation involving an alias entry differs depending on whether you dereference the alias. There are four possible settings for the alias dereference flag:
![]() |
Never dereference alias |
All operations apply to the entry with the given DN, even though the entry is an alias entry. This is the default setting. |
![]() |
Dereference alias when finding base object |
The base object identifies the top of the subtree of entries to be searched. This setting means that if you specify an alias as the base object it will be dereferenced, but no other aliases encountered during the search are dereferenced. |
![]() |
Dereference alias when searching |
If the operation being carried out is a search, all alias entries specified or used in the search are dereferenced, except the base object. If the result of the search is an alias entry, the aliased object is returned to the user, not the alias entry. This can sometime lead to unexpected results from searches based on DN content, where the requested information is not present in the entries returned because the entry that contains the requested DN term is an alias entry that has been dereferenced. |
![]() |
Always dereference alias |
All alias entries specified or used in the operation are dereferenced. |
For example, suppose your directory contains the following pair of entries:
1) cn=Stan Smith, role=Personnel Administrator, ou=Personnel, ou=Corporate, o=XYZ, c=US
with attributes:
objectclass=orgPerson
cn=Stan Smith
telephoneNumber=123 456 7890
mail=dtmail2) cn=personnel, o=XYZ, c=US
with attributes:
objectclass=alias
aliasedObjectName="cn=Stan Smith, role=Personnel Administrator, ou=Personnel, ou=Corporate, o=XYZ, c=US"With alias dereferencing when searching, if you search for the telephone number of cn=personnel, o=XYZ, c=US, you will see Stan Smith's telephone number. With no alias dereferencing, you would not see any telephone number.
Defining aliases for roles is particularly useful when the person occupying a role changes frequently (the duty network manager for out-of-hours calls, for example), so that users always query the same entry. You can change the value of the aliasedObjectName with a script that runs on a schedule and calls ldapmodify to make the changes.
See the SIMS Reference Manual for details of how to specify how alias dereferencing is used in ldapsearch.
Alias Entries and Authentication
Every interaction with the directory starts with a bind request, to authenticate the user and establish the level of access permitted. The DN supplied in a bind request can be the DN of an alias entry. With alias dereferencing, the user binds with the DN contained in the aliasedObjectName of the alias entry, and is granted the access rights defined for the entry with that DN.
Alias dereferencing in bind is a configuration choice. If aliases are not being dereferenced and the user binds with the DN of an alias entry, access is denied because the password attribute is not present.
Infrastructure information determines how the components of a directory service behave and how directory entry information is interpreted. It includes the directory schema, knowledge information, and component configuration information.
Schema
The directory schema is the set of rules that describes the data that can be stored in the directory. It defines the types of entries permitted, their attribute structure, and the syntax of the attributes. This product contains a pre-defined schema, which you can modify, with certain restrictions. See "Modifying the Schema" on page 200 and Appendix D, "SIMS Directory Schema and Directory Information Tree for further schema details.
Knowledge Information and Referrals
A directory server uses knowledge information to pass requests for information to other servers. The knowledge information held by a directory server is a reference to a directory server holding other naming contexts. When a server receives a request for information, it checks whether it can respond to the request using the information in the local data store. If it cannot, it checks the referral defined for the data store, and returns the details of an alternate directory server to the directory client. The client can then send the request to the other directory server. Some clients contact the alternate server automatically, so the referral mechanism is transparent to users. Other clients return the referral information to the user.
See "Example: The XYZ Corporation" on page 40 for an example of how referrals are used.