Oracle iPlanet Web Proxy Server 4.0.14 Configuration File Reference

iPlanet LDAP Schema

This section describes the iPlanet LDAP Schema that defines a set of rules for directory data.

You can use the dcsuffix attribute in the dbswitch.conf file if your LDAP database meets the requirements outlined in this section. For more information about the dbswitch.conf file, see dbswitch.conf.

The subtree rooted at an ISP entry, for example, o=isp is called the convergence tree. It contains all directory data related to organizations (customers) served by an ISP.

The subtree rooted at o=internet is called the domain component tree, or dc tree. It contains a sparse DNS tree with entries for the customer domains served. These entries are links to the appropriate location in the convergence tree where the data for that domain is located.

The directory tree may be single rooted, which is recommended. For example, o=root may have o=isp and o=internet under it. The tree mat also have two separate roots, one for the convergence tree and one for the dc tree.

Convergence Tree

The top level of the convergence tree must have one organization entry for each customer or organization, and one for the ISP itself.

Underneath each organization must be two organizationalUnit entries: ou=People and ou=Groups. A third, ou=Devices, can be present if device data is to be stored for the organization.

Each user entry must have a unique uid value within a given organization. The namespace under this subtree can be partitioned into various ou entries that aggregate user entries in convenient groups, for example, ou=eng, ou=corp. User uid values must still be unique within the entire People subtree.

User entries in the convergence tree are of type inetOrgPerson. The cn, sn, and uid attributes must be present. The uid attribute must be a valid email name, specifically a valid local-part as defined in RFC822. The cn must contain name initial sn. The RDN of the user entry be the uid value. User entries must contain the auxiliary class inetUser if they are to be considered enabled for service or valid.

User entries can also contain the auxiliary class inetSubscriber, which is used for account management purposes. If an inetUserStatus attribute is present in an entry and has a value of inactive or deleted, the entry is ignored.

Groups are located under the Groups subtree and consist of LDAP entries of type groupOfUniqueNames.

Domain Component (dc) Tree

The dc tree contains hierarchical domain entries, each of which is a DNS name component.

Entries that represent the domain name of a customer are overlaid with the LDAP auxiliary class inetDomain. For example, the two LDAP entries dc=customer1,dc=com,o=Internet,o=root and dc=customer2,dc=com,o=Internet,o=root contain the inetDomain class, but dc=com,o=Internet,o=root does not. The latter is present only to provide structure to the tree.

Entries with an inetDomain attribute are called virtual domains. The attribute inetDomainBaseDN for these domains must be filled with the DN of the top-level organization entry where the data of this domain is stored in the convergence tree. For example, the virtual domain entry in dc=cust2,dc=com,o=Internet,o=root would contain the attribute inetDomainBaseDN with value o=Cust2,o=isp,o=root.

If an inetDomainStatus attribute is present in an entry and has a value of inactive or deleted, the entry is ignored.