Oracle Internet Directory Administrator's Guide
Release 2.1.1

Part Number A86101-01


E
Schema Elements

This appendix briefly lists different schema elements supported in the Oracle Internet Directory. Most of these elements are used as defined by the ldapext and ASID working groups of the Internet Engineering Task Force (IETF).

See Also:

The following URLs on the World Wide Web:

  • http://www.ietf.org for the IETF home page

  • http://www.ietf.org/html.charters/ldapext-charter.html for the ldapext charter and LDAP drafts

  • http://ietf.org/html.charters/asid-charter.html for the ASID charter and LDAP drafts

  • http://www.ietf.org/html.charters/ldup-charter.html for the LDUP charter and drafts

  • http://www.iana.org, the Internet Assigned Numbers Authority home page, for information about object identifiers

 

This appendix contains these topics:

IETF Requests for Comments (RFCs) Enforced by Oracle Internet Directory

Oracle Internet Directory enforces the following Requests for Comments (RFCs) of the Internet Engineering Task Force (IETF):

| RFC | Title | URL |
|---|---|---|
| 1777 | Lightweight Directory Access Protocol | http://www.ietf.org/rfc/rfc1777.txt |
| 1778 | The String Representation of Standard Attribute Syntaxes | http://www.ietf.org/rfc/rfc1778.txt |
| 1779 | A String Representation of Distinguished Names | http://www.ietf.org/rfc/rfc1779.txt |
| 1960 | A String Representation of LDAP Search Filters | http://www.ietf.org/rfc/rfc1960 |
| 2079 | Definition of an X.500 Attribute Type and an Object Class to Hold Uniform Resource Identifiers (URIs) | http://www.ietf.org/rfc/rfc2079.txt |
| 2247 | Using Domains in LDAP/X.500 Distinguished Names | http://www.ietf.org/rfc/rfc2247.txt |
| 2251 | Lightweight Directory Access Protocol (v3) | http://www.ietf.org/rfc/rfc2251.txt |
| 2252 | Lightweight Directory Access Protocol (v3): Attribute Syntax Definitions | http://www.ietf.org/rfc/rfc2252.txt |
| 2253 | Lightweight Directory Access Protocol (v3): UTF-8 String Representation of Distinguished Names | http://www.ietf.org/rfc/rfc2253.txt |
| 2254 | The String Representation of LDAP Search Filters | http://www.ietf.org/rfc/rfc2254.txt |
| 2255 | The LDAP URL Format | http://www.ietf.org/rfc/rfc2255.txt |
| 2256 | A Summary of the X.500(96) User Schema for use with LDAPv3 | http://www.ietf.org/rfc/rfc2256.txt |

IETF Drafts Enforced by Oracle Internet Directory

Oracle Internet Directory enforces the following two drafts of the IETF:

Draft: "Definition of the inetOrgPerson LDAP Object Class"
URL: http://ietf.org/internet-drafts/draft-smith-ldap-inetorgperson-03.txt

Draft: "Referrals and Knowledge References in LDAP Directories"
URL: http://www.ietf.org/internet-drafts/draft-ietf-ldapext-knowledge-00.txt

Proprietary Oracle Internet Directory Schema Elements

Oracle Internet Directory's proprietary schema includes attributes and object classes in these categories:

In addition, Oracle Internet Directory installation includes schema elements that enable specific Oracle products to use Oracle Internet Directory. For information about these schema elements, see the documentation for the specific Oracle product.

Access Control

Attributes: orclEntryLevelACI, orclACI

Object Class: orclPrivilegeGroup

Replication

Attributes: orclGUID, changeNumber, changeType, changes, orclParentGUID, server, supplier, consumer, orclReplBindDN, orclReplBindPassword, changeLog, changeStatus, orclChangeRetryCount, orclPurgeSchedule, orclDirReplGroupAgreement, orclAgreementId, orclSupplierReference, orclConsumerReference, orclReplicationProtocol, orclUpdateSchedule, targetDN, orclExcludedNamingcontexts, orclDirReplGroupDSAs

Object class: changeLogEntry, changeStatusEntry, orclReplAgreementEntry

Oracle Internet Directory Configuration

Attributes: orclDebugLevel, orclMaxCC, orclDBType, orclSuffix, orclDITRoot, orclSuName, orclSuPassword, orclSizeLimit, orclTimeLimit, orclGuName, orclGuPassword, orclServerProcs, orclconfigsetnumber, orclhostname, orclIndexedAttribute, orclCatalogEntryDN, orclServerMode, orclPrName, orclPrPassword, orclUseEncrypt, orclDirectoryVersion

Object class: subconfig, orclConfigSet, orclLDAPSubConfig, orclREPLSubConfig, orclcontainerOC, subregistry, orclLDAPInstance, orclREPLInstance, orclIndexOC, orcleventLog, orclEvents

SSL


Note:

These attribute values are stored as part of configuration entries. 


Attributes: orclsslAuthentication, orclsslEnable, orclsslWalletURL, orclsslWalletPasswd, orclsslPort, orclsslVersion

Audit Log

Attributes: orclServerEvent, orcleventtype, orclauditattribute, orclauditmessage, orcleventtime, orcluserdn, orclSequence, orclAuditLevel, orclOpResult

Object class: OrclAuditOC

Configuration Set Entry Attributes

The following table lists and describes the entire set of configuration set entry attributes that are used to configure an instance of a directory server.

Parameter  Description 

orcldebuglevel 

Debug level associated with this instance of the server. The default for configset0 is 0. The range is 0 to 65535. 

orclmaxcc 

Maximum number of concurrent database connections. The default for configset0 is 10. You cannot use a negative value for this attribute. 

orclserverprocs 

Number of server processes to start. The default for configset0 is 1. You cannot use a negative value for this attribute. 

orclsslport 

SSL mode default port (default 636). When you run the directory in the secure mode, it listens at default port 636 and accepts only SSL-based TCP/IP connections. (When you run the directory in the normal mode, it listens at default port 389, accepting normal TCP/IP connections.) You might want to change this port when you add multiple LDAP server instances. 

orclnonsslport 

Non-SSL mode default port (default 389). 

orclsslenable 

Flag for toggling SSL on and off. You would want to toggle this flag when you use different instances of the same server for either SSL or non-SSL. You may use either of the following two values:

  • 0 = disables SSL (default in configuration set0)

  • 1 = enables SSL

The default is 0. 

orclsslauthentication 

Flag, with values of 1, 32, or 64, for specifying the type of authentication you elect to use for each instance of the Oracle directory server. The default value, 1, specifies no authentication. You can run different values concurrently for different instances. Values of one-way and two-way authentication require wallets. You may use one of the following three values:

  • 1 = no SSL authentication

  • 32 = one-way SSL authentication (the server sends its certificate to the client)

  • 64 = two-way SSL authentication (client and server send certificates to each other)

 

orclsslwalleturl 

Sets the location of the Oracle wallet. You initially set this value when you create the wallet. If you elect to change the location of the Oracle wallet, you must change this parameter. You must set the wallet location on both the client and the server. For example, on Solaris, you could set this parameter as follows:

orclsslwalleturl=file:/Home/my_dir/

On Windows NT, you could set this parameter as follows:

file:Home\my_dir\
 

orclsslwalletpasswd 

Password used by the server to open its wallet. You initially set this value when you create the wallet. If you elect to change the wallet password, you must change this parameter. You must set the wallet password on both the client and the server. 

orclsslversion 

SSL version. The default is 3. 
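The SSL-related attributes in the table above can be checked mechanically when reviewing an instance's configuration set entry. The following is an added example, not code from Oracle or from this guide: it applies the defaults and legal values listed in the table to a parsed entry and returns finding codes. The sample entries, their DNs, and the finding names are constructed for illustration.

```python
# Defaults and legal values as listed in the configuration set table above.
DEFAULTS = {"orclsslenable": "0", "orclsslauthentication": "1", "orclsslversion": "3"}
AUTH_MODES = {"1": "none", "32": "one-way", "64": "two-way"}

# Constructed sample entries (not taken from a real directory).
SAMPLE_PLAIN = """\
dn: cn=configset1,cn=example
orclnonsslport: 389
orclsslenable: 0
"""
SAMPLE_SSL = """\
dn: cn=configset2,cn=example
orclsslenable: 1
orclsslport: 636
orclsslauthentication: 1
orclsslwalletpasswd: constructed-secret
"""

def parse_entry(ldif):
    """Parse single-valued 'attr: value' lines; attribute names are case-insensitive."""
    entry = {}
    for line in ldif.splitlines():
        if ":" in line and not line.startswith("#"):
            attr, value = line.split(":", 1)
            entry[attr.strip().lower()] = value.strip()
    return entry

def audit(ldif):
    """Return a sorted list of finding codes for one configuration set entry."""
    cfg = {**DEFAULTS, **parse_entry(ldif)}
    findings = []
    if cfg["orclsslenable"] != "1":
        findings.append("SSL_DISABLED")               # default for configset0
    else:
        mode = cfg["orclsslauthentication"]
        if mode not in AUTH_MODES:
            findings.append("AUTH_VALUE_INVALID")     # only 1, 32 and 64 are defined
        elif mode == "1":
            findings.append("SSL_NO_AUTHENTICATION")  # value 1: no SSL authentication
        elif "orclsslwalleturl" not in cfg:
            findings.append("WALLET_URL_MISSING")     # 32 and 64 require a wallet
    if "orclsslwalletpasswd" in cfg:
        findings.append("WALLET_PASSWORD_IN_ENTRY")   # stored in the config entry
    return sorted(findings)
```

A WALLET_PASSWORD_IN_ENTRY finding is a prompt to review who can read the configuration entry, since the wallet password is stored there as an attribute value.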

See Also:

 

LDAP Syntax

Syntax defines the type of values that an attribute can hold. Oracle Internet Directory recognizes most of the syntax specified in RFC 2252, that is, it allows you to associate most of the syntax described in that document with an attribute. In addition to recognizing most LDAP syntax, Oracle Internet Directory enforces some LDAP syntax.

This section covers topics in the following subsections:

LDAP Syntax Enforced by Oracle Internet Directory

Oracle Internet Directory enforces LDAP syntax for the following:

Commonly Used LDAP Syntax Recognized by Oracle Internet Directory

The following LDAP syntax is more commonly used:

  • Attribute Type Description

  • Boolean

  • Certificate

  • Directory String

  • DN

  • Facsimile Telephone Number

  • INTEGER

  • JPEG

  • Name And Optional UID

  • Numeric String

  • Object Class Description

  • Octet String

  • OID

  • Presentation Address

  • Printable String

  • Telephone Number

  • UTC Time

Additional LDAP Syntax Recognized by Oracle Internet Directory

In addition to the commonly used LDAP syntax defined above, Oracle Internet Directory recognizes LDAP syntax for the following:

  • Access Point

  • ACI Item

  • Audio

  • Binary

  • Bit String

  • Certificate List

  • Certificate Pair

  • Country String

  • Data Quality Syntax

  • Delivery Method

  • DIT Content Rule Description

  • DIT Structure Rule Description

  • DL Submit Permission

  • DSA Quality Syntax

  • DSE Type

  • Enhanced Guide

  • Fax

  • Generalized Time

  • Guide

  • IA5 String

  • LDAP Schema Definition

  • LDAP Schema Description

  • LDAP Syntax Description

  • Mail Preference

  • Master And Shadow Access Points

  • Matching Rule

  • Matching Rule Use Description

  • MHS OR Address

  • Modify Rights

  • Name Form Description

  • Object Class Description

  • Octet String

  • Other Mailbox

  • Postal Address

  • Protocol Information

  • Substring Assertion

  • Subtree Specification

  • Supplier And Consumer

  • Supplier Information

  • Supplier Or Consumer

  • Supported Algorithm

  • Teletex Terminal Identifier

  • Telex Number

Size of Attribute Values

Syntax does not put any specific size constraint on attribute values. You can, however, use syntax to specify the size of the attribute value. Oracle Internet Directory does not enforce the 'len' characteristics on the attribute.

For example, to limit an attribute foo to a size of 64, you would define the attribute as follows:

(object_identifier_of_attribute NAME 'foo' EQUALITY caseIgnoreMatch SYNTAX 
'object_identifier_of_syntax{64}')

See Also:

Section 4.1.6 of RFC 2251 for more information on Attribute Value. You can find this RFC at the following URL: http://www.ietf.org/rfc/rfc2251.txt.
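Because the directory does not enforce the declared bound, a client or provisioning job that depends on it has to check value lengths itself before writing. The following is an added example, not code from Oracle or from this guide: it reads the bound out of attribute definitions written in the form shown above and reports values that exceed it. The second definition ('bar'), the sample entry, and the function names are constructed for illustration; the object identifiers are the same placeholders the guide uses.

```python
import re

# Constructed definitions in the form shown above; OIDs are the guide's placeholders.
SCHEMA = [
    "(object_identifier_of_attribute NAME 'foo' EQUALITY caseIgnoreMatch "
    "SYNTAX 'object_identifier_of_syntax{64}')",
    "(object_identifier_of_attribute NAME 'bar' EQUALITY caseIgnoreMatch "
    "SYNTAX 'object_identifier_of_syntax')",
]

NAME_RE = re.compile(r"NAME\s+'([^']+)'")
SYNTAX_RE = re.compile(r"SYNTAX\s+'?([^\s'{)]+)(?:\{(\d+)\})?'?")

def parse_bounds(definitions):
    """Map lower-cased attribute name to its declared bound (None if absent)."""
    bounds = {}
    for definition in definitions:
        name = NAME_RE.search(definition)
        syntax = SYNTAX_RE.search(definition)
        if not name or not syntax:
            raise ValueError(f"unparseable definition: {definition!r}")
        bound = syntax.group(2)
        bounds[name.group(1).lower()] = int(bound) if bound else None
    return bounds

def oversized(entry, bounds):
    """Return (attribute, length, bound) for each value longer than its bound."""
    hits = []
    for attr, values in entry.items():
        bound = bounds.get(attr.lower())
        if bound is None:
            continue  # no bound declared, nothing to check
        for value in values:
            # len() counts characters for str values and bytes for bytes values,
            # matching how RFC 2252 counts string and non-string syntaxes.
            if len(value) > bound:
                hits.append((attr, len(value), bound))
    return hits
```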

Matching Rules

Oracle Internet Directory recognizes the following matching rules definitions in the schema.

  • accessDirectiveMatch

  • bitStringMatch

  • caseExactMatch

  • caseExactIA5Match

  • caseIgnoreIA5Match

  • caseIgnoreListMatch

  • caseIgnoreMatch

  • caseIgnoreOrderingMatch

  • distinguishedNameMatch

  • generalizedTimeMatch

  • generalizedTimeOrderingMatch

  • IntegerMatch

  • numericStringMatch

  • objectIdentifierFirstComponentMatch

  • ObjectIdentifierMatch

  • OctetStringMatch

  • presentationAddressMatch

  • protocolInformationMatch

  • telephoneNumberMatch

  • uniqueMemberMatch

Of the matching rules in the previous list, Oracle Internet Directory actually enforces the following when it compares attribute values:

  • DistinguishedNameMatch

  • caseExactMatch

  • caseIgnoreMatch

  • numericStringMatch

  • IntegerMatch

  • telephoneNumberMatch


Copyright © 1996-2000, Oracle Corporation.

All Rights Reserved.
