LDAP: Information Model Part 2
CNS 4650 Fall 2004
Rev. 2
LDAP Informational Model
• LDAP is represented by entries
• Entries belong to one or more object classes
• Object classes are defined by attributes
• Attributes consist of a type and one or more values
• Schema defines object classes and attributes
Attribute Types
• Building blocks of LDAP entries
• Attribute types are defined in the schema
• Attribute types are built with the following components:
  • Name
  • Object Identifier (OID)
  • Syntax
  • Matching Rules
  • Inheritance
Name
• Case-insensitive
• Can contain only letters, numbers, dashes, and semicolons
• Standard convention: single words are lower case; for multiple words, capitalize the first letter of each following word (no spaces)

Letters     givenName
Numbers     x509Certificate
Dash        test-attribute
Semicolon   x509Certificate;binary
Object Identifiers (OID)
• ASN.1 number
• Allows the attribute type to be globally unique
• Allows for different attribute names
  • Different languages
Syntax Definitions
• Tells the user or server how to handle the data
• LDAP defines a number of different syntaxes
• Example
  • UID is defined as a string
  • If an integer is placed in the UID value, arithmetic operations cannot be performed on that value
  • The integer is treated as a string, not a number
• Similar to programming languages
Syntax Definitions
• Syntaxes have OIDs
  • Defines the syntaxes across languages
  • Reduces English dependencies
Syntax Definitions
• Basic
  • Directory String
    • Printable Unicode strings encoded in UTF-8
  • Binary
    • Non-printable binary data
• Complex
  • Certificate
    • Complex, binary-encoded certificate
  • Telephone Number
    • String; non-numeric content is not searched
Syntax OIDs (RFC 2252)
Syntax                       Human-readable   OID
Attribute Type Description   Y                1.3.6.1.4.1.1466.115.121.1.3
Audio                        N                1.3.6.1.4.1.1466.115.121.1.4
Binary                       N                1.3.6.1.4.1.1466.115.121.1.5
Bit String                   Y                1.3.6.1.4.1.1466.115.121.1.6
Boolean                      Y                1.3.6.1.4.1.1466.115.121.1.7
Certificate                  N                1.3.6.1.4.1.1466.115.121.1.8
Certificate List             N                1.3.6.1.4.1.1466.115.121.1.9
Certificate Pair             N                1.3.6.1.4.1.1466.115.121.1.10
Country String               Y                1.3.6.1.4.1.1466.115.121.1.11
DN                           Y                1.3.6.1.4.1.1466.115.121.1.12
Data Quality Syntax          Y                1.3.6.1.4.1.1466.115.121.1.13
Delivery Method              Y                1.3.6.1.4.1.1466.115.121.1.14
Directory String             Y                1.3.6.1.4.1.1466.115.121.1.15
IA5 String                   Y                1.3.6.1.4.1.1466.115.121.1.26
INTEGER                      Y                1.3.6.1.4.1.1466.115.121.1.27
JPEG                         N                1.3.6.1.4.1.1466.115.121.1.28
Syntax Examples
Matching Rules
• Define how the attribute should be searched
• A number of possible assertions are handled
• LDAP clients do not specify which rule they wish to use; the server decides based on the matching rules defined for the attribute
Kinds of Matching Rules
• Equality
  • Equality between attribute value and assertion value
• Greater than/Less than
  • Ordering rules
• Substring
  • Whether a value is contained inside another value
• Subschema
  • Value contained inside the schema
Matching Rules (RFC 2252)
( 2.5.13.1 NAME 'distinguishedNameMatch' SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
( 2.5.13.2 NAME 'caseIgnoreMatch' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
( 2.5.13.8 NAME 'numericStringMatch' SYNTAX 1.3.6.1.4.1.1466.115.121.1.36 )
( 2.5.13.11 NAME 'caseIgnoreListMatch' SYNTAX 1.3.6.1.4.1.1466.115.121.1.41 )
( 2.5.13.14 NAME 'integerMatch' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )
Matching Rules (RFC 2252), continued
( 2.5.13.16 NAME 'bitStringMatch' SYNTAX 1.3.6.1.4.1.1466.115.121.1.6 )
( 2.5.13.20 NAME 'telephoneNumberMatch' SYNTAX 1.3.6.1.4.1.1466.115.121.1.50 )
( 2.5.13.22 NAME 'presentationAddressMatch' SYNTAX 1.3.6.1.4.1.1466.115.121.1.43 )
( 2.5.13.23 NAME 'uniqueMemberMatch' SYNTAX 1.3.6.1.4.1.1466.115.121.1.34 )
( 2.5.13.24 NAME 'protocolInformationMatch' SYNTAX 1.3.6.1.4.1.1466.115.121.1.42 )
( 2.5.13.27 NAME 'generalizedTimeMatch' SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )
( 1.3.6.1.4.1.1466.109.114.1 NAME 'caseExactIA5Match' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
( 1.3.6.1.4.1.1466.109.114.2 NAME 'caseIgnoreIA5Match' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
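An added example (not from the slides) showing what the syntax and the matching rule decide: the same stored value compares differently under caseIgnoreMatch, integerMatch and string ordering, and the server, not the client, picks the rule from the attribute's schema entry. The mini-schema and the x-apiToken attribute are constructed for this example.

```python
# Syntax OIDs from the RFC 2252 table on the slides.
DIRECTORY_STRING = "1.3.6.1.4.1.1466.115.121.1.15"
IA5_STRING = "1.3.6.1.4.1.1466.115.121.1.26"
INTEGER = "1.3.6.1.4.1.1466.115.121.1.27"

def case_ignore_match(value, assertion):
    # caseIgnoreMatch (2.5.13.2): case is ignored, leading/trailing space is insignificant.
    # casefold() approximates the full string-preparation rules; fine for ASCII data.
    return value.strip().casefold() == assertion.strip().casefold()

def case_exact_ia5_match(value, assertion):
    # caseExactIA5Match: exact character-for-character comparison
    return value == assertion

def integer_match(value, assertion):
    # integerMatch (2.5.13.14): numeric comparison, so '0010' equals '10'
    return int(value) == int(assertion)

def less_than(value, assertion, syntax):
    # Ordering depends on the syntax: INTEGER compares numerically, while a
    # Directory String compares characters, so '10' < '9' is True there.
    if syntax == INTEGER:
        return int(value) < int(assertion)
    return value < assertion

def case_ignore_substrings_match(value, initial="", middle=(), final=""):
    # Substring assertion as written in a filter such as (cn=dan*sin*a):
    # an initial piece, zero or more 'any' pieces in order, and a final piece.
    v, pos = value.casefold(), 0
    if initial:
        if not v.startswith(initial.casefold()):
            return False
        pos = len(initial)
    for piece in middle:
        idx = v.find(piece.casefold(), pos)
        if idx < 0:
            return False
        pos = idx + len(piece)
    f = final.casefold()
    return v.endswith(f) and len(v) - len(f) >= pos

# Constructed mini-schema: attribute -> (syntax OID, EQUALITY rule). uid and uidNumber
# follow their standard definitions; x-apiToken is a hypothetical attribute.
SCHEMA = {
    "uid": (DIRECTORY_STRING, case_ignore_match),
    "uidNumber": (INTEGER, integer_match),
    "x-apiToken": (IA5_STRING, case_exact_ia5_match),
}

def equality_filter(attr, entry_values, assertion):
    # The client only sends (attr=assertion); the server selects the rule from the schema.
    _syntax, rule = SCHEMA[attr]
    return any(rule(v, assertion) for v in entry_values)
```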
Multiple Values
• Attributes can be defined to allow multiple values
• Values are NOT returned in any specific order
Inheritance
• Allows creation of an abstract type and reduces redefinition of common types
• Example
  • name attribute type
    • Case-insensitive string
    • Case-insensitive match
  • commonName, givenName, surname
    • These attributes have the same features as name
    • No need to redefine syntax and matching rules
    • sup: name
Object Classes
• Object classes define the attributes of a particular entry
• The object class gives you information on the type of entry
  • This allows the user to know the attributes the entry contains
• Every entry has at least one objectClass attribute
Object Class Example
• This entry belongs to three object classes
• A user can figure out what attributes are available for this entry
dn: uid=dansinema,cn=users,dc=apple,dc=edu
objectClass: organizationalPerson
objectClass: person
objectClass: top
cn: Dan Sinema
Object Class Defined
• Name
• Object Identifier (OID)
• Inheritance
• Class Type
• Required Attribute Types
• Allowed Attribute Types
Object Class Name
• Case-insensitive
• Contains letters, numbers, dashes, semicolons
• Convention is only letters and numbers
  • All lower case
  • Multiple words: first letter of each following word capitalized
Object Class OIDs
• Uniquely identify object class globally
• No real meaning other than to provide uniqueness
Object Class Inheritance
• Very similar to inheritance for attribute types
( 1.3.6.1.4.1.17946.1.2.1 NAME 'cartoon-character' SUP top STRUCTURAL DESC 'Cartoon character and all his/her attributes' MUST ( cn $ cartoon-catchPhrase $ cartoon-homeNetwork ) MAY ( cartoon-biography $ cartoon-tvShow $ cartoon-showTime $cartoon-showDay $cartoon-tvSeasons ) )
Abstract Object Classes
• Never primary object class for any entry
• Used as a superclass
• One defined in LDAP “top”
• Every LDAP object class ultimately extends “top”
Structural Object Classes
• Every entry belongs to at least one structural object class
• Structural classes are the building blocks of LDAP
( 1.3.6.1.4.1.17946.1.2.1 NAME 'cartoon-character' SUP top STRUCTURAL DESC 'Cartoon character and all his/her attributes' MUST ( cn $ cartoon-catchPhrase $ cartoon-homeNetwork ) MAY ( cartoon-biography $ cartoon-tvShow $ cartoon-showTime $cartoon-showDay $cartoon-tvSeasons ) )
Auxiliary Object Class
• Add secondary attributes to entries
• Must be added to entries which belong to at least one structural class
• Often used by organizations to customize objects for their environment
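An added example (not from the slides) that parses the cartoon-character definition shown above, walks SUP to collect inherited MUST/MAY attributes, and checks an entry the way a directory server does on add or modify: at least one structural class, every MUST present, nothing outside MUST/MAY. The 'top' definition is the RFC 2256 one; the sample entry is constructed.

```python
import re

# cartoon-character is the definition from the slides; top is the abstract root class (RFC 2256).
CARTOON_CHARACTER = ("( 1.3.6.1.4.1.17946.1.2.1 NAME 'cartoon-character' SUP top STRUCTURAL "
    "DESC 'Cartoon character and all his/her attributes' "
    "MUST ( cn $ cartoon-catchPhrase $ cartoon-homeNetwork ) "
    "MAY ( cartoon-biography $ cartoon-tvShow $ cartoon-showTime $cartoon-showDay $cartoon-tvSeasons ) )")
TOP = "( 2.5.6.0 NAME 'top' ABSTRACT MUST objectClass )"

def parse_object_class(definition):
    """Parse an RFC 2252 ObjectClassDescription into name, kind, SUP, MUST and MAY lists."""
    body = definition.strip()[1:-1]                   # drop the outer parentheses
    def names(keyword):                               # 'KW name' or 'KW ( a $ b $ c )'
        m = re.search(r"\b" + keyword + r"\s+(\(([^)]*)\)|\S+)", body)
        inner = (m.group(2) if m.group(2) is not None else m.group(1)) if m else ""
        return [a.strip() for a in inner.split("$") if a.strip()]
    kind = next((k for k in ("ABSTRACT", "STRUCTURAL", "AUXILIARY")
                 if re.search(r"\b" + k + r"\b", body)), "STRUCTURAL")
    return {"oid": body.split()[0], "name": re.search(r"NAME\s+'([^']+)'", body).group(1),
            "kind": kind, "sup": names("SUP"), "must": names("MUST"), "may": names("MAY")}

def validate_entry(entry, schema):
    """entry maps attribute -> values (dn excluded). Walk SUP so inherited MUST/MAY
    (objectClass from top) count, then report the schema violations found."""
    seen, must, may, todo = set(), set(), set(), list(entry.get("objectClass", []))
    while todo:
        name = todo.pop()
        if name not in seen:
            seen.add(name)
            must |= set(schema[name]["must"])
            may |= set(schema[name]["may"])
            todo.extend(schema[name]["sup"])
    problems = [] if any(schema[c]["kind"] == "STRUCTURAL" for c in seen) else ["no structural object class"]
    problems += ["missing required attribute: " + a for a in must - set(entry)]
    problems += ["attribute not allowed: " + a for a in set(entry) - must - may]
    return sorted(problems)

SCHEMA = {oc["name"]: oc for oc in map(parse_object_class, (TOP, CARTOON_CHARACTER))}

# Constructed entry: one MUST attribute is missing and one attribute is allowed by no class.
ENTRY = {"objectClass": ["top", "cartoon-character"], "cn": ["Bugs Bunny"],
         "cartoon-catchPhrase": ["What's up, doc?"], "cartoon-tvShow": ["Looney Tunes"],
         "favoriteColor": ["grey"]}
```

Object class names in a real server are matched case-insensitively; the lookup here is exact for brevity.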