Schema Specification
This chapter describes how to extend the user schema used by slapd(8). The chapter assumes the reader is familiar with the LDAP/X.500 information model.
The first section, Distributed Schema Files details optional schema definitions provided in the distribution and where to obtain other definitions. The second section, Extending Schema, details how to define new schema items.
This chapter does not discuss how to extend system schema used by slapd(8) as this requires source code modification. System schema includes all operational attribute types or any object class which allows or requires an operational attribute (directly or indirectly).
Distributed Schema Files
Table 8.1: Provided Schema Specifications
File | Description |
core.schema | OpenLDAP core (required) |
cosine.schema | Cosine and Internet X.500 (useful) |
inetorgperson.schema | InetOrgPerson (useful) |
misc.schema | Assorted (experimental) |
nis.schema | Network Information Services (FYI) |
openldap.schema | OpenLDAP Project (experimental) |
# include schema
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
Additional files may be available. Please consult the OpenLDAP FAQ (http://www.openldap.org/faq/).
Note: You should not modify any of the schema items defined in provided files.
Extending Schema
There are five steps to defining new schema:
- obtain an Object Identifier
- choose a name prefix
- create a local schema file
- define custom attribute types (if necessary)
- define custom object classes
Object Identifiers
Table 8.2: Example OID hierarchy
OID | Assignment |
1.1 | Organization's OID |
1.1.1 | SNMP Elements |
1.1.2 | LDAP Elements |
1.1.2.1 | AttributeTypes |
1.1.2.1.1 | myAttribute |
1.1.2.2 | ObjectClasses |
1.1.2.2.1 | myObjectClass |
You are, of course, free to design a hierarchy suitable to your organizational needs under your organization's OID. No matter what hierarchy you choose, you should maintain a registry of assignments you make. This can be a simple flat file or something more sophisticated such as the OpenLDAP OID Registry (http://www.openldap.org/faq/index.cgi?file=197).
For more information about Object Identifiers (and a listing service) see http://www.alvestrand.no/harald/objectid/.
Under no circumstances should you hijack OID namespace!
To obtain a registered OID at no cost, apply for an OID under the Internet Assigned Numbers Authority (IANA) maintained Private Enterprise arc. Any private enterprise (organization) may request an OID to be assigned under this arc. Just fill out the IANA form at http://www.iana.org/cgi-bin/enterprise.pl and your official OID will be sent to you usually within a few days. Your base OID will be something like 1.3.6.1.4.1.X where X is an integer.
Note: Don't let the "MIB/SNMP" statement on the IANA page confuse you. OIDs obtained using this form may be used for any purpose including identifying LDAP schema elements.
Alternatively, OID name space may be available from a national authority (e.g., ANSI, BSI).
Name Prefix
In addition to assigning a unique object identifier to each schema element, you should provide at least one textual name for each element. The name should be both descriptive and not likely to clash with names of other schema elements. In particular, any name you choose should not clash with present or future Standard Track names.
To reduce (but not eliminate) the potential for name clashes, the convention is to prefix non-Standard Track names with a few letters that localize them to your organization. The smaller the organization, the longer your prefix should be.
In the examples below, we have chosen the short prefix 'my' (to save space). Such a short prefix would only be suitable for a very large, global organization. In general, we recommend something like 'deFirm' (German company) or 'comExample' (elements of the organization associated with example.com).
Local schema file
The objectclass and attributeTypes configuration file directives can be used to define schema rules on entries in the directory. It is customary to create a file to contain the definitions of your custom schema items. We recommend you create the file /usr/local/etc/openldap/schema/local.schema and then include it in your slapd.conf(5) file immediately after the other schema include directives.
# include schema
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
# include local schema
include /usr/local/etc/openldap/schema/local.schema
Attribute Type Specification
attributetype <RFC2252 Attribute Type Description>
AttributeTypeDescription = "(" whsp
      numericoid whsp              ; AttributeType identifier
    [ "NAME" qdescrs ]             ; name used in AttributeType
    [ "DESC" qdstring ]            ; description
    [ "OBSOLETE" whsp ]
    [ "SUP" woid ]                 ; derived from this other
                                   ; AttributeType
    [ "EQUALITY" woid ]            ; Matching Rule name
    [ "ORDERING" woid ]            ; Matching Rule name
    [ "SUBSTR" woid ]              ; Matching Rule name
    [ "SYNTAX" whsp noidlen whsp ] ; Syntax OID
    [ "SINGLE-VALUE" whsp ]        ; default multi-valued
    [ "COLLECTIVE" whsp ]          ; default not collective
    [ "NO-USER-MODIFICATION" whsp ]; default user modifiable
    [ "USAGE" whsp AttributeUsage ]; default userApplications
    whsp ")"

AttributeUsage =
    "userApplications"     /
    "directoryOperation"   /
    "distributedOperation" / ; DSA-shared
    "dSAOperation"           ; DSA-specific, value depends on server
attributeType ( 2.5.4.41 NAME 'name'
DESC 'name(s) associated with the object'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{32768} )
attributeType ( 2.5.4.3 NAME ( 'cn' 'commonName' )
DESC 'common name(s) associated with the object'
SUP name )
Table 8.3: Commonly Used Syntaxes
Name | OID | Description |
boolean | 1.3.6.1.4.1.1466.115.121.1.7 | boolean value |
directoryString | 1.3.6.1.4.1.1466.115.121.1.15 | Unicode (UTF-8) string |
distinguishedName | 1.3.6.1.4.1.1466.115.121.1.12 | LDAP DN |
integer | 1.3.6.1.4.1.1466.115.121.1.27 | integer |
numericString | 1.3.6.1.4.1.1466.115.121.1.36 | numeric string |
OID | 1.3.6.1.4.1.1466.115.121.1.38 | object identifier |
octetString | 1.3.6.1.4.1.1466.115.121.1.40 | arbitrary octets |
Table 8.4: Commonly Used Matching Rules
Name | Type | Description |
booleanMatch | equality | boolean |
caseIgnoreMatch | equality | case insensitive, space insensitive |
caseIgnoreOrderingMatch | ordering | case insensitive, space insensitive |
caseIgnoreSubstringsMatch | substrings | case insensitive, space insensitive |
caseExactMatch | equality | case sensitive, space insensitive |
caseExactOrderingMatch | ordering | case sensitive, space insensitive |
caseExactSubstringsMatch | substrings | case sensitive, space insensitive |
distinguishedNameMatch | equality | distinguished name |
integerMatch | equality | integer |
integerOrderingMatch | ordering | integer |
numericStringMatch | equality | numerical |
numericStringOrderingMatch | ordering | numerical |
numericStringSubstringsMatch | substrings | numerical |
octetStringMatch | equality | octet string |
octetStringOrderingMatch | ordering | octet string |
octetStringSubstringsMatch | substrings | octet string |
objectIdentifierMatch | equality | object identifier |
The following subsections provide a couple of examples.
myUniqueName
Defined directly, with its own matching rules and syntax:
attributetype ( 1.1.2.1.1 NAME 'myUniqueName'
DESC 'unique name with my organization'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE )
Alternatively, defined as a subtype of name, so that its values are also matched by assertions on name (e.g. (name=*Jane*)):
attributetype ( 1.1.2.1.1 NAME 'myUniqueName'
DESC 'unique name with my organization'
SUP name )
myPhoto
Defined to hold the photo itself, as an octet string whose format is left to the application:
attributetype ( 1.1.2.1.2 NAME 'myPhoto'
DESC 'a photo (application defined format)'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.40
SINGLE-VALUE )
Alternatively, a separate attribute holding a reference to the photo, defined as a subtype of labeledURI:
attributetype ( 1.1.2.1.3 NAME 'myPhotoURI'
DESC 'URI and optional label referring to a photo'
SUP labeledURI )
Object Class Specification
objectclass <RFC2252 Object Class Description>
ObjectClassDescription = "(" whsp
numericoid whsp ; ObjectClass identifier
[ "NAME" qdescrs ]
[ "DESC" qdstring ]
[ "OBSOLETE" whsp ]
[ "SUP" oids ] ; Superior ObjectClasses
[ ( "ABSTRACT" / "STRUCTURAL" / "AUXILIARY" ) whsp ]
; default structural
[ "MUST" oids ] ; AttributeTypes
[ "MAY" oids ] ; AttributeTypes
whsp ")"
myPhotoObject
To allow myPhoto to be added to any existing entry, define an auxiliary object class:
objectclass ( 1.1.2.2.1 NAME 'myPhotoObject'
DESC 'mixin myPhoto'
AUXILIARY
MAY myPhoto )
myPerson
If your organization would like to have a private structural object class to instantiate users, you can subclass one of the existing person classes, such as inetOrgPerson (RFC2798), and add any additional attributes which you desire.
objectclass ( 1.1.2.2.2 NAME 'myPerson'
DESC 'my person'
SUP inetOrgPerson
MUST ( myUniqueName $ givenName )
MAY myPhoto )
The object class inherits the required/allowed attribute types of inetOrgPerson but requires myUniqueName and givenName and allows myPhoto.
OID Macros
To ease the management and use of OIDs, slapd(8) supports Object Identifier macros. The objectIdentifier directive is used to equate a macro (name) with an OID. The OID may itself be derived from a previously defined OID macro. The slapd.conf(5) syntax is:
objectIdentifier <name> { <oid> | <name>[:<suffix>] }
The following demonstrates the definition of a set of OID macros and their use in defining schema elements:
objectIdentifier myOID 1.1
objectIdentifier mySNMP myOID:1
objectIdentifier myLDAP myOID:2
objectIdentifier myAttributeType myLDAP:1
objectIdentifier myObjectClass myLDAP:2
attributetype ( myAttributeType:3 NAME 'myPhotoURI'
DESC 'URI and optional label referring to a photo'
SUP labeledURI )
objectclass ( myObjectClass:1 NAME 'myPhotoObject'
DESC 'mixin myPhoto'
AUXILIARY
MAY myPhoto )
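As an added example (not part of the OpenLDAP guide or its distribution), the following Python resolves objectIdentifier macros the way the directive above describes and then checks each attributetype/objectclass against the two conventions from earlier in the chapter: the OID must lie under your organization's arc, and the first name must carry your prefix. The schema text, the arc 1.1 and the rogueClass entry are constructed for the example.

```python
import re

# Constructed sample (not a file from the OpenLDAP project): the chapter's OID
# macro block plus three schema elements, one of which violates both conventions.
LOCAL_SCHEMA = """
objectIdentifier myOID 1.1
objectIdentifier mySNMP myOID:1
objectIdentifier myLDAP myOID:2
objectIdentifier myAttributeType myLDAP:1
objectIdentifier myObjectClass myLDAP:2
attributetype ( myAttributeType:3 NAME 'myPhotoURI'
    DESC 'URI and optional label referring to a photo'
    SUP labeledURI )
objectclass ( myObjectClass:1 NAME 'myPhotoObject' AUXILIARY MAY myPhoto )
objectclass ( 2.5.6.99 NAME 'rogueClass' AUXILIARY MAY myPhoto )
"""

MACRO_RE = re.compile(r"^\s*objectIdentifier\s+(\S+)\s+(\S+)", re.I | re.M)
# Captures: element kind, the OID (numeric or <macro>:<suffix>), and the NAME clause.
ELEMENT_RE = re.compile(
    r"^\s*(attributetype|objectclass)\s*\(\s*(\S+)\s+NAME\s+"
    r"(\(\s*(?:'[^']*'\s*)+\)|'[^']*')", re.I | re.M)

def resolve(ref, macros):
    """Expand <name>[:<suffix>] into a dotted numeric OID, following macro chains."""
    name, _, suffix = ref.partition(":")
    if name[0].isdigit():
        base = name                      # already a numeric OID
    elif name in macros:
        base = resolve(macros[name], macros)  # macro may build on another macro
    else:
        raise ValueError(f"undefined OID macro {name!r}")
    return f"{base}.{suffix}" if suffix else base

def audit(text, org_arc, prefix):
    """Return (kind, first name, numeric OID, problems) for each schema element."""
    macros = dict(MACRO_RE.findall(text))
    report = []
    for kind, ref, names in ELEMENT_RE.findall(text):
        oid = resolve(ref, macros)
        first = re.findall(r"'([^']*)'", names)[0]
        problems = []
        if not (oid == org_arc or oid.startswith(org_arc + ".")):
            problems.append("OID outside organization arc")
        if not first.startswith(prefix):
            problems.append("name lacks organization prefix")
        report.append((kind.lower(), first, oid, problems))
    return report
```

Running audit(LOCAL_SCHEMA, "1.1", "my") resolves myAttributeType:3 to 1.1.2.1.3 and myObjectClass:1 to 1.1.2.2.1, and flags only rogueClass, whose OID 2.5.6.99 sits in the standard arc and whose name has no prefix.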