Managing Attribute Types Over LDAP

This section explains how to create, view, and delete attribute types over LDAP.

Creating Attribute Types

The cn=schema entry has a multivalued attribute, attributeTypes, that contains definitions of each attribute type in the directory schema. You can add to those definitions by using the ldapmodify(1) command.

New attribute type definitions, and changes that you make to user-defined attribute types, are saved in the file 99user.ldif.

For each attribute type definition, you must provide at least an OID to define your new attribute type. Consider using at least the following elements for new attribute types:

• Attribute OID. Corresponds to the object identifier for your attribute. An OID is a string, usually of dotted decimal numbers, that uniquely identifies the schema object.

  For strict LDAP v3 compliance, you must provide a valid numeric OID. To learn more about OIDs or to request a prefix for your enterprise, send email to the IANA (Internet Assigned Number Authority) at iana@iana.org, or see the IANA web site.

• Attribute name. Corresponds to a unique name for the attribute. Also called its attribute type. Attribute names must begin with a letter and contain only ASCII letters, digits, and hyphens.

  An attribute name can contain uppercase letters, but no LDAP client should rely on case to differentiate attributes. Attribute names must be handled in a case-insensitive manner according to section 2.5 of RFC 4512.

  You can optionally include alternate attribute names, also referred to as aliases, for your attribute type.

• Attribute description. Is short descriptive text that explains the attribute’s purpose.

• Syntax. Is referenced by the OID and describes the data to be held by the attribute.

  Attribute syntaxes with their OIDs are listed in RFC 4517.

• Number of values allowed. By default, attributes are multivalued, but you might want to restrict an attribute to a single value.

To Create an Attribute Type

You can use DSCC to perform this task. For information, see Directory Service Control Center Interface and the DSCC online help.

1. Prepare your attribute type definition according to the syntax specified in RFC 4517.
2. Use the ldapmodify(1) command to add your attribute type definition.

   Notice that Directory Server adds X-ORIGIN 'user defined' to the definition that you provide.

Example 11-1 Creating an Attribute Type

The following example adds a new attribute type with Directory String syntax using the ldapmodify command:

$ cat blogURL.ldif 
dn: cn=schema
changetype: modify
add: attributeTypes
attributeTypes: ( 1.2.3.4.5.6.7 
 NAME ( 'blog' 'blogURL' ) 
 DESC 'URL to a personal weblog' 
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 
 SINGLE-VALUE )

$ ldapmodify -D cn=admin,cn=Administrators,cn=config -w - -f blogURL.ldif
Enter bind password: 
modifying entry cn=schema

$

In a production environment, you would provide a valid, unique OID, not 1.2.3.4.5.6.7.

Viewing Attribute Types

The cn=schema entry has a multivalued attribute, attributeTypes, that contains definitions of each attribute type in the directory schema. You can read those definitions by using the ldapsearch(1) command.

To View Attribute Types

You can use DSCC to perform this task. For information, see Directory Service Control Center Interface and the DSCC online help.

• Use the ldapsearch command to view all the attribute type definitions that currently exist in your directory schema.

Example 11-2 Viewing Attribute Types

The following command displays definitions for all attribute types:

$ ldapsearch -T -b cn=schema "(objectclass=*)" attributeTypes

The -T option prevents the ldapsearch command from folding LDIF lines, so you can more easily work with the output using commands such as grep or sed. If you then pipe the output of this command through the grep command, you can view only the user-defined extensions to directory schema. For example:

$ ldapsearch -T -b cn=schema "(objectclass=*)" attributeTypes | grep "user defined"
 attributeTypes: ( 1.2.3.4.5.6.7 NAME ( 'blog' 'blogURL' ) 
 DESC 'URL to a personal weblog' 
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE 
 X-ORIGIN 'user defined' )

Deleting Attribute Types

The cn=schema entry has a multivalued attribute, attributeTypes, that contains definitions of each attribute type in the directory schema. You can delete definitions with X-ORIGIN 'user defined' by using the ldapmodify(1) command.

Because the schema is defined by the LDAP view in cn=schema, you can view and modify the schema online using the ldapsearch and ldapmodify utilities. However, you can delete only schema elements that have the value ’user defined’ for the X-ORIGIN field. The server will not delete other definitions.

Changes that you make to user-defined attributes are saved in the file 99user.ldif.

To Delete Attribute Types

You can use DSCC to perform this task. For information, see Directory Service Control Center Interface and the DSCC online help.

1. View the definition of the attribute type to delete.

   See To View Attribute Types for details.

2. Use the ldapmodify(1) command to delete the attribute type definition as it appears in the schema.

Example 11-3 Deleting an Attribute Type

The following command deletes the attribute type that is created in Example 11-1:

$ ldapmodify -D cn=admin,cn=Administrators,cn=config -w -
Enter bind password: 
dn: cn=schema
changetype: delete
delete: attributeTypes
attributeTypes: ( 1.2.3.4.5.6.7 NAME ( 'blog' 'blogURL' ) 
 DESC 'URL to a personal weblog' 
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE 
 X-ORIGIN 'user defined' )
^D

Notice that you must include the X-ORIGIN 'user defined', which was added by Directory Server to classify this schema definition as an extension.