Product SiteDocumentation Site

Chapter 8. Managing the Directory Schema

8.1. Overview of Schema
8.1.1. Default Schema Files
8.1.2. Object Classes
8.1.3. Attributes
8.1.4. Extending the Schema
8.1.5. Schema Replication
8.2. Managing Object Identifiers
8.3. Directory Server Attribute Syntaxes
8.4. Managing Custom Schema in the Console
8.4.1. Viewing Attributes and Object Classes
8.4.2. Creating Attributes
8.4.3. Creating Object Classes
8.4.4. Editing Custom Schema Elements
8.4.5. Deleting Schema
8.5. Managing Schema Using ldapmodify
8.5.1. Creating Attributes
8.5.2. Creating Object Classes
8.5.3. Deleting Schema
8.6. Creating Custom Schema Files
8.7. Dynamically Reloading Schema
8.7.1. Reloading Schema Using schema-reload.pl
8.7.2. Reloading Schema Using ldapmodify
8.7.3. Reloading Schema with Replication
8.7.4. Schema Reload Errors
8.8. Turning Schema Checking On and Off
8.9. Using Syntax Validation
8.9.1. About Syntax Validation
8.9.2. Syntax Validation and Other Directory Server Operations
8.9.3. Enabling or Disabling Syntax Validation
8.9.4. Enabling Strict Syntax Validation for DNs
8.9.5. Enabling Syntax Validation Warnings (Logging)
8.9.6. Validating the Syntax of Existing Attribute Values
Red Hat Directory Server comes with a standard schema that includes hundreds of object classes and attributes. While the standard object classes and attributes should meet most deployments' requirements, it can be necessary to extend the schema for specific directory data. Extending the schema is done by creating new object classes and attributes.
The Directory Server Schema Reference is a references for most the standard Directory Server attributes and object classes, with information on allowed and required attributes, which object classes take which attribute, and OID and value information. This is a good resource for identifying useful schema elements for a directory and determining what custom schema needs to be created.

8.1. Overview of Schema

The directory schema is a set of rules that defines how data can be stored in the directory. Directory information is stored discrete entries, and each entry is comprised of a set of attributes and their values. The kind of identity being described in the entry is defined in the entry's object classes. An object class specifies the kind of object the entry describes through the defined set of attributes for the object class.
In LDAP, an object class defines the set of attributes that can be used to define an entry. The LDAP standard provides object classes for many common types of entries, including people, groups, locations, organizations and divisions, and equipment. The identity is described in a directory entries with attributes and their values, pairs are called attribute-value assertions or AVAs. Any piece of information in the directory is associated with a descriptive attribute. Other aspects of the Directory Server configuration, including matching rules and LDAP controls, are also defined in the schema. All of these together are schema elements.
Every schema element is identified by a unique, dot-separated number. This is called the object identifier or OID.

8.1.1. Default Schema Files

The schema for Directory Server is defined in several different schema files (LDIF files which define schema elements). The Directory Server schema files are instance-specific and are located in the /etc/dirsrv/slapd-instance_name/schema directory. There is also a common /etc/dirsrv/schema directory; the files in this directory are used as templates for new Directory Server instances. Putting custom schema in the /etc/dirsrv/schema directory means that it is automatically included with any new instances.
The default schema files are listed and described in the Schema Reference, which also describes the common standard attributes and object classes. The attributes used by the Directory Server to perform operations and manage entries is described with other configuration settings in the Configuration and Command-Line Tool Reference.

8.1.2. Object Classes

In LDAP, an object class defines the set of attributes that can be used to define an entry. The LDAP standard provides object classes for many common types of entries, such as people (person and inetOrgPerson), groups (groupOfUniqueNames), locations (locality), organizations and divisions (organization and organizationalUnit), and equipment (device).
In a schema file, an object class is identified by the objectclasses line, then followed by its OID, name, a description, its direct superior object class (an object class which is required to be used in conjunction with the object class and which shares its attributes with this object class), and the list of required (MUST) and allowed (MAY) attributes.
This is shown in Example 8.1, “person Object Class Schema Entry”.
Example 8.1. person Object Class Schema Entry
objectClasses: ( 2.5.6.6 NAME 'person' DESC 'Standard LDAP objectclass' SUP top MUST ( sn $ cn ) MAY ( description $ seeAlso $ telephoneNumber $ userPassword ) X-ORIGIN 'RFC 2256' )

Every object class defines a number of required attributes and of allowed attributes. Required attributes must be present in entries using the specified object class, while allowed attributes are permissible and available for the entry to use, but are not required for the entry to be valid.
As in Example 8.1, “person Object Class Schema Entry”, the person object class requires the cn, sn, and objectClass attributes and allows the description, seeAlso, telephoneNumber, and userPassword attributes.
An object class can inherit attributes from another class, in addition to its own required and allowed attributes. The second object class is the superior or parent object class of the first.
For example, a user's entry has to have the inetOrgPerson object class. In that case, the entry must also include the superior object class for inetOrgPerson, organizationalPerson, and the superior object class for organizationalPerson, which is person: 
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson

8.1.3. Attributes

Directory entries are composed of attributes and their values. These pairs are called attribute-value assertions or AVAs. Any piece of information in the directory is associated with a descriptive attribute. For instance, the cn attribute is used to store a person's full name, such as cn: John Smith.
Additional attributes can supply additional information about John Smith: 
givenname: John
surname: Smith
mail: jsmith@example.com
In a schema file, an attribute is identified by the attributetypes line, then followed by its OID, name, a description, syntax (allowed format for its value), optionally whether the attribute is single- or multi-valued, and where the attribute is defined.
This is shown in Example 8.2, “description Attribute Schema Entry”.
Example 8.2. description Attribute Schema Entry
attributetypes: ( 2.5.4.13 NAME 'description' DESC 'Standard LDAP attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'RFC 2256' )

8.1.4. Extending the Schema

New, custom attributes and object classes can be added to a Directory Server instance to extend the schema, and there are several ways to add schema elements. Using the Directory Server Console or LDAP tools adds schema elements to the default custom schema file for an instance, 99user.ldif. It is also possible to create a new, separate schema file and include it with the default schema files.
Adding new schema elements requires three things:
  1. Planning and defining OIDs for the new schema. Schema elements are recognized by the server by their OID, so it is important for the OIDs to be unique and organized. Directory Server itself does not manage OIDs, but there are some best practices described in Section 8.2, “Managing Object Identifiers”.
  2. Create the new attributes. Attribute definitions require a name, a syntax (the allowed format of the values), an OID, and a description of whether the attribute can only be used once per entry or multiple times.
  3. Create an object class to contain the new attributes. An object class lists the required attributes for that entry type and the allowed (permissible) attributes. Because the default schema should never be altered, if any new attributes are created, then they should be added to a custom object class.
The schema elements should be planned in advance; do not use multiple attributes for the same information. Whenever possible, use the standard Directory Server schema. Directory Server has hundreds of attributes and dozens of object classes defined in the default schema files. The Directory Server Schema Reference lists and describes the standard attributes and object classes; all of the schema can be viewed in the Directory Server Console or read in the schema files in /etc/dirsrv/slapd-instance_name/schema. Become familiar with the available schema; then plan what information attributes are missing and how best to fill those gaps with custom attributes. Planning the schema is covered in the Deployment Guide.

CAUTION

The default object classes and attributes in Directory Server are based on LDAP and X.500 standards and RFCs. Using standard schema makes the Directory Server more easily integrated with other applications and servers and allows interoperability with LDAP clients, legacy Directory Server instances, and future release. It is inadvisable for you to edit the standard attributes or change the object classes.
Keep the following rules in mind when customizing the Directory Server schema:
  • Keep the schema as simple as possible.
  • Reuse existing schema elements whenever possible.
  • Minimize the number of mandatory attributes defined for each object class.
  • Do not define more than one object class or attribute for the same purpose.
  • Do not modify any existing definitions of attributes or object classes.

NOTE

Never delete or replace the standard schema. Doing so can lead to compatibility problems with other directories or other LDAP client applications.
The schema is loaded into the Directory Server instance when the instance is started; any new schema files are not loaded until the Directory Server is restarted or unless a reload task is initiated. Always, any custom schema is loaded before the standard schema.

8.1.5. Schema Replication

Schema elements are replicated by default whenever the schema is changed in the Directory Server Console or through ldapmodify because the changes are logged in the server change log. However, replicated schema elements are all copied to 99user.ldif regardless of what schema file held the schema on the supplier server, so replication can lead to multiple files defining the same schema.
To keep from having duplicate schema definitions in multiple files, and for the easiest maintenance of the schema, keep all custom schema in the default custom schema file, 99user.ldif in /etc/dirsrv/slapd-instance_name/schema.
When new schema files are added to the server and loaded dynamically into the Directory Server, the schema is only loaded locally because the schema reload operation is a local task. Since the changes do not show up in the changelog, these newly-loaded schema files are not replicated. In order to load those schema files on any other servers, the schema has to be copied over, and then a local reload task has to be run.