Chapter 3. Designing the directory schema

The schema format of Directory Server is built on version 3 of the LDAP protocol. This protocol requires Directory Server to publish their schema through LDAP itself allowing directory client applications to retrieve the schema programmatically and adapt their behavior. You can find the global set of schema for Directory Server in the cn=schema entry.

The Directory Server schema is different from the LDAPv3 schema, because it uses its proprietary object classes and attributes. Additionally, it uses a private field in the schema entries called X-ORIGIN 389 Directory Server which describes where the schema entry was defined originally.

When you define a schema entry in the standard LDAPv3 schema, the X-ORIGIN 389 Directory Server field refers to RFC 2252. If the entry is defined by Red Hat for the Directory Server’s use, the X-ORIGIN 389 Directory Server field contains the value 389 Directory Server. For example, the standard person object class appears in the schema:

# objectclasses: ( 2.5.6.6 NAME 'person' DESC 'Standard Person Object Class' SUP top
MUST (objectclass $ sn $ cn) MAY (description $ seeAlso $ telephoneNumber $ userPassword)
X-ORIGIN 'RFC 2252' )

This schema entry states:

Attributes contain specific data elements such as a name or a fax number. Directory Server represents data as attribute-data pairs which is a descriptive schema attribute associated with a specific piece of information. These are also called attribute-value assertions or AVAs.

For example, the directory can store a piece of data, such as a person’s name, in a pair with the standard attribute. An entry for a person named Babs Jensen has the attribute-data pair cn: Babs Jensen.

The entire entry is represented as a series of attribute-data pairs. The entire entry for Babs Jensen is as follows:

dn: uid=bjensen,ou=people,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
cn: Babs Jensen
sn: Jensen
givenName: Babs
givenName: Barbara
mail: bjensen@example.com

Each attribute definition in the schema contains the following information:

The cn attribute definition appears in the schema as follows:

attributetypes: ( 2.5.4.3 NAME 'cn' DESC 'commonName Standard Attribute'
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

Using the attribute’s syntax, you can define the format of the values that can be stored in the attribute. The Directory Server supports all standard attribute syntaxes.

An object class represents a real object, such as a person or a fax machine. It is used to group related information. You must identify an object class and its attributes in the schema before you use the object classes. The directory recognizes a standard list of object classes by default.

Each directory entry belongs to at least one object classes. When you place an object class identified in the schema on an entry, it informs the Directory Server that the entry can have a specific set of attribute values and must have another smaller set of required attribute values.

The following information is available in object class definitions:

The standard person object class in the schema:

objectclasses: ( 2.5.6.6 NAME 'person' DESC 'Standard Person Object Class' SUP top
     MUST (objectclass $ sn $ cn) MAY (description $ seeAlso $ telephoneNumber $ userPassword)
     X-ORIGIN 'RFC 2252' )

You can map the data identified in the site survey to the existing directory schema. This process involves the following steps:

Sometimes, a piece of data can describe multiple objects. Determine if the difference needs to be noted in the directory schema. For example, a telephone number can describe an employee’s telephone number and a conference room’s telephone number. Determine if these different sorts of data need to be considered different objects in the directory schema.

You must assign a unique name and object identifier (OID) for each LDAP object class or attribute. When you define a schema,the elements require a base OID unique to your organization. Add another level of hierarchy to create new branches for attributes and object classes. Getting and assigning OIDs in schema involves the following steps:

You can create new object classes in the following two ways:

You can mix the two methods. For example, you want to create the attributes exampleDateOfBirth, examplePreferredOS, exampleBuildingFloor, and exampleVicePresident. A simple solution is to create several object classes that allow some subset of these attributes.

The new object classes appear in LDAPv3 schema format as follows:

objectclasses: ( 2.16.840.1.117370.999.1.2.3 NAME 'examplePerson' DESC 'Example Person Object Class'
     SUP inetorgPerson MAY (exampleDateOfBirth $ examplePreferredOS) )

objectclasses: ( 2.16.840.1.117370.999.1.2.4 NAME 'exampleOrganization' DESC 'Organization Object Class'
     SUP organization MAY (exampleBuildingFloor $ exampleVicePresident) )

Alternatively, you can create a single object class that allows all of these attributes and use it with any entry that needs them. The single object class appears as follows:

objectclasses: (2.16.840.1.117370.999.1.2.5 NAME 'exampleEntry' DESC 'Standard Entry Object Class' SUP top
     AUXILIARY MAY (exampleDateOfBirth $ examplePreferredOS $ exampleBuildingFloor $ exampleVicePresident) )

The new exampleEntry object class is marked AUXILIARY which means that it can be used with any entry regardless of its structural object class.

You can organize new object class depending on the organization environment. Consider the following when you decide on the implementation of the new object classes:

You must use standard attributes for both application compatibility and long-term maintenance. You must search the attributes already existing in the default directory schema and use them with a new object class or check the Directory Server schema guide. However, if the standard schema does not contain all the necessary information, add new attributes and new object classes.

For example, a person entry may need more attributes than the person, organizationalPerson, or inetOrgPerson object classes support by default. No attribute exists within the standard Directory Server schema to store birth dates. You can create and set a new attribute, dateOfBirth as an allowed attribute within a new auxiliary object class, examplePerson:

attributetypes: ( dateofbirth-oid NAME 'dateofbirth' DESC 'For employee birthdays'
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Example defined')

objectclasses: ( 2.16.840.1.117370.999.1.2.3 NAME 'examplePerson' DESC 'Example Person Object Class'
     SUP inetorgPerson MAY (exampleDateOfBirth $ cn) X-ORIGIN 'Example defined')

You cannot delete the schema elements included by default in Directory Server. Unused schema elements represent no operational or administrative overhead. Deleting parts of the standard LDAP schema it can cause compatibility problems with future installations of Directory Server and other directory-enabled applications.

You can, however, delete the unused custom schema elements. Before removing the object class definitions from the schema, modify each entry using the object class. Removing the definition first might prevent the entries that use the object class from being modified later. The schema checks on modified entries also fails unless the unknown object class values are removed from the entry.

You can create custom schema files for the Directory Server to use it in addition to the 99user.ldif file provided with Directory Server. These schema files have new, custom attributes and object classes specific to the organization. The new schema files are located in the schema directory, /etc/dirsrv/slapd-instance_name/schema/. All standard attributes and object classes are loaded only after custom schema elements have been loaded.

After you create the custom schema files, the schema changes can be distributed among all servers in the following way:

When you do not copy these custom schema files to all of the servers, the schema information is only replicated to the consumer server when changes are made to the schema on the supplier server. When the schema definitions are replicated to a consumer server where they do not already exist, they are stored in the 99user.ldif file.

Following suggestions help you to define a compatible and manageable custom schema.

When naming custom schema files, use the following naming format: [00-99]yourName.ldif.

If the custom schema elements are added directly to the 99user.ldif manually, use 'user defined' as the value of X-ORIGIN. If a different X-ORIGIN value is set, the server simply may overwrites it.

Using an X-ORIGIN of value 'user defined' prevents removing schema definitions in the 99user.ldif file by the Directory Server.

For example:

attributetypes: ( exampleContact-oid NAME 'exampleContact'
DESC 'Example Corporate contact'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
X-ORIGIN 'Example defined')

After the Directory Server loads the schema entry, it appears as follows:

attributetypes: ( exampleContact-oid NAME 'exampleContact'
DESC 'Example Corporate contact'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
X-ORIGIN ('Example defined' 'user defined') )

Schema checking validates that all new or modified directory entries conform to the schema rules. By default, directory enables schema checking. When the rules are violated, the directory rejects the requested change.

When schema checking is enabled, you must pay attention to required and allowed attributes as defined by the object classes. The Directory Server can return an object class violation message when you add an attribute to an entry that is neither required nor allowed according to the entry’s object class definition.

For example, if an entry is defined to use the organizationalPerson object class, then the common name (cn) and surname (sn) attributes are required for the entry. The values for these attributes must be set when the entry is created. In addition, there is a long list of attributes that can optionally be used on the entry, including descriptive attributes like telephoneNumber, uid, streetAddress, and userPassword.

Syntax validation means the Directory Server validates that the value of an attribute matches the required syntax for that attribute. For example, syntax validation can confirm that a new telephoneNumber attribute has a valid telephone number for its value. It is enabled by default.

You can optionally configure additional settings for syntax validation to log warning messages about syntax violations and then either reject the modification or allow the modification process to succeed.

Syntax validation checks the LDAP operations if a new attribute value is added. It does not process existing attributes or attributes added through database operations like replication. Existing attributes can be validated using the dsconf schema validate-syntax command.

This feature validates all attribute syntaxes except the binary syntaxes and non-standard syntaxes, which do not have a defined required format. The syntaxes are validated against RFC 4514, except for DNs, which are validated against the less strict RFC 1779 or RFC 2253.

You can place data with attribute value by using LDAP schema. However, it is important to store data consistently in the directory tree by selecting a format appropriate for the LDAP client applications and directory users.

You can represent data in the data formats specified in RFC 2252 by using the LDAP protocol and Directory Server. For example, the correct LDAP format for telephone numbers is defined in two ITU-T recommendations documents:

As another example, the postalAddress attribute has an attribute value in the form of a multi-line string that uses dollar signs ($) as line delimiters. A properly formatted directory entry appears as follows:

postalAddress: 1206 Directory Drive$Pleasant View, MN$34200

The changes are recorded in the changelog when you edit the directory schema. During replication, the changelog is scanned for changes and if any changes are being replicated. Maintaining consistency in replicated schema allows replication to continue without any error.

Consider the following points for maintaining consistent schema in a replicated environment: