Initial data population of the OpenLDAP server under CentOS 7.x
After we have successfully completed the basic installation of the OpenLDAP server and the TLS hardening of the OpenLDAP server, in the next step we will populate our Berkeley database with content and configure it further.
In the first step we will load the schemas into our OpenLDAP directory service that we will need in later operation. The payload data, which consist of Distinguished Names (DN) and a unique object name, then have to be inserted into the Directory Information Tree (DIT), a hierarchical tree structure.
Schemas
Basic information on the topic of schemas can be found in chapter 13, Schema Specification, of the OpenLDAP Software 2.4 Administrator's Guide.
When the RPM package openldap-servers was installed, templates for the most common schemas were placed in the directory /etc/openldap/schema.
/etc/openldap/schema
├── collective.ldif
├── collective.schema
├── corba.ldif
├── corba.schema
├── core.ldif
├── core.schema
├── cosine.ldif
├── cosine.schema
├── duaconf.ldif
├── duaconf.schema
├── dyngroup.ldif
├── dyngroup.schema
├── inetorgperson.ldif
├── inetorgperson.schema
├── java.ldif
├── java.schema
├── misc.ldif
├── misc.schema
├── nis.ldif
├── nis.schema
├── openldap.ldif
├── openldap.schema
├── pmi.ldif
├── pmi.schema
├── ppolicy.ldif
└── ppolicy.schema
The descriptions of the schemas are found in the files with the extension .schema. We then need the corresponding files with the extension .ldif when importing a schema into our OpenLDAP directory service.
We will now import the following schemas one after another:
cosine
In the first step we will now import the cosine schema. The description of the schema is found in the file of the same name, /etc/openldap/schema/cosine.schema.
# less /etc/openldap/schema/cosine.schema
- /etc/openldap/schema/cosine.schema
# # domain OBJECT-CLASS # SUBCLASS OF top # MUST CONTAIN { # domainComponent} # MAY CONTAIN { # associatedName, # organizationName, # organizationalAttributeSet} # ::= {pilotObjectClass 13} # objectclass ( 0.9.2342.19200300.100.4.13 NAME 'domain' SUP top STRUCTURAL MUST domainComponent MAY ( associatedName $ organizationName $ description $ businessCategory $ seeAlso $ searchGuide $ userPassword $ localityName $ stateOrProvinceName $ streetAddress $ physicalDeliveryOfficeName $ postalAddress $ postalCode $ postOfficeBox $ streetAddress $ facsimileTelephoneNumber $ internationalISDNNumber $ telephoneNumber $ teletexTerminalIdentifier $ telexNumber $ preferredDeliveryMethod $ destinationIndicator $ registeredAddress $ x121Address ) ) # 8.3.8. RFC822 Local Part # # The RFC822 Local Part object class is used to define entries which # represent the local part of RFC822 mail addresses. This treats this # part of an RFC822 address as a domain. The usage of this object # class is described in more detail in [3]. # # rFC822localPart OBJECT-CLASS # SUBCLASS OF domain # MAY CONTAIN { # commonName, # surname, # description, # seeAlso, # telephoneNumber, # postalAttributeSet, # telecommunicationAttributeSet} # ::= {pilotObjectClass 14} # objectclass ( 0.9.2342.19200300.100.4.14 NAME 'RFC822localPart' SUP domain STRUCTURAL MAY ( commonName $ surname $ description $ seeAlso $ telephoneNumber $ physicalDeliveryOfficeName $ postalAddress $ postalCode $ postOfficeBox $ streetAddress $ facsimileTelephoneNumber $ internationalISDNNumber $ telephoneNumber $ teletexTerminalIdentifier $ telexNumber $ preferredDeliveryMethod $ destinationIndicator $ registeredAddress $ x121Address ) ) # 8.3.9. DNS Domain # # The DNS Domain (Domain NameServer) object class is used to define # entries for DNS domains. The usage of this object class is described # in more detail in [3]. 
# # dNSDomain OBJECT-CLASS # SUBCLASS OF domain # MAY CONTAIN { # ARecord, # MDRecord, # MXRecord, # NSRecord, # SOARecord, # CNAMERecord} # ::= {pilotObjectClass 15} # objectclass ( 0.9.2342.19200300.100.4.15 NAME 'dNSDomain' SUP domain STRUCTURAL MAY ( ARecord $ MDRecord $ MXRecord $ NSRecord $ SOARecord $ CNAMERecord ) ) # 8.3.10. Domain Related Object # # The Domain Related Object object class is used to define entries # which represent DNS/NRS domains which are "equivalent" to an X.500 # domain: e.g., an organisation or organisational unit. The usage of # this object class is described in more detail in [3]. # # domainRelatedObject OBJECT-CLASS # SUBCLASS OF top # MUST CONTAIN { # associatedDomain} # ::= {pilotObjectClass 17} # objectclass ( 0.9.2342.19200300.100.4.17 NAME 'domainRelatedObject' DESC 'RFC1274: an object related to an domain' SUP top AUXILIARY MUST associatedDomain ) # 8.3.11. Friendly Country # # The Friendly Country object class is used to define country entries # in the DIT. The object class is used to allow friendlier naming of # countries than that allowed by the object class country. The naming # attribute of object class country, countryName, has to be a 2 letter # string defined in ISO 3166. # # friendlyCountry OBJECT-CLASS # SUBCLASS OF country # MUST CONTAIN { # friendlyCountryName} # ::= {pilotObjectClass 18} # objectclass ( 0.9.2342.19200300.100.4.18 NAME 'friendlyCountry' SUP country STRUCTURAL MUST friendlyCountryName ) # 8.3.12. Simple Security Object # # The Simple Security Object object class is used to allow an entry to # have a userPassword attribute when an entry's principal object # classes do not allow userPassword as an attribute type. # # simpleSecurityObject OBJECT-CLASS # SUBCLASS OF top # MUST CONTAIN { # userPassword } # ::= {pilotObjectClass 19} # ## (in core.schema) ## objectclass ( 0.9.2342.19200300.100.4.19 NAME 'simpleSecurityObject' ## SUP top AUXILIARY ## MUST userPassword ) # 8.3.13. 
Pilot Organization # # The PilotOrganization object class is used as a sub-class of # organization and organizationalUnit to allow a number of additional # attributes to be assigned to entries of object classes organization # and organizationalUnit. # # pilotOrganization OBJECT-CLASS # SUBCLASS OF organization, organizationalUnit # MAY CONTAIN { # buildingName} # ::= {pilotObjectClass 20} # objectclass ( 0.9.2342.19200300.100.4.20 NAME 'pilotOrganization' SUP ( organization $ organizationalUnit ) STRUCTURAL MAY buildingName ) # 8.3.14. Pilot DSA # # The PilotDSA object class is used as a sub-class of the dsa object # class to allow additional attributes to be assigned to entries for # DSAs. # # pilotDSA OBJECT-CLASS # SUBCLASS OF dsa # MUST CONTAIN { # dSAQuality} # ::= {pilotObjectClass 21} # objectclass ( 0.9.2342.19200300.100.4.21 NAME 'pilotDSA' SUP dsa STRUCTURAL MAY dSAQuality ) # 8.3.15. Quality Labelled Data # # The Quality Labelled Data object class is used to allow the # assignment of the data quality attributes to subtrees in the DIT. # # See [8] for more details. # # qualityLabelledData OBJECT-CLASS # SUBCLASS OF top # MUST CONTAIN { # dSAQuality} # MAY CONTAIN { # subtreeMinimumQuality, # subtreeMaximumQuality} # ::= {pilotObjectClass 22} objectclass ( 0.9.2342.19200300.100.4.22 NAME 'qualityLabelledData' SUP top AUXILIARY MUST dsaQuality MAY ( subtreeMinimumQuality $ subtreeMaximumQuality ) ) # References # # [1] CCITT/ISO, "X.500, The Directory - overview of concepts, # models and services, CCITT /ISO IS 9594. # # [2] Kille, S., "The THORN and RARE X.500 Naming Architecture, in # University College London, Department of Computer Science # Research Note 89/48, May 1989. # # [3] Kille, S., "X.500 and Domains", RFC 1279, University College # London, November 1991. # # [4] Rose, M., "PSI/NYSERNet White Pages Pilot Project: Status # Report", Technical Report 90-09-10-1, published by NYSERNet # Inc, 1990. 
# # [5] Craigie, J., "UK Academic Community Directory Service Pilot # Project, pp. 305-310 in Computer Networks and ISDN Systems # 17 (1989), published by North Holland. # # [6] Mockapetris, P., "Domain Names - Concepts and Facilities", # RFC 1034, USC/Information Sciences Institute, November 1987. # # [7] Mockapetris, P., "Domain Names - Implementation and # Specification, RFC 1035, USC/Information Sciences Institute, # November 1987. # # [8] Kille, S., "Handling QOS (Quality of service) in the # Directory," publication in process, March 1991. # # # APPENDIX C - Summary of all Object Classes and Attribute Types # # -- Some Important Object Identifiers # # data OBJECT IDENTIFIER ::= {ccitt 9} # pss OBJECT IDENTIFIER ::= {data 2342} # ucl OBJECT IDENTIFIER ::= {pss 19200300} # pilot OBJECT IDENTIFIER ::= {ucl 100} # # pilotAttributeType OBJECT IDENTIFIER ::= {pilot 1} # pilotAttributeSyntax OBJECT IDENTIFIER ::= {pilot 3} # pilotObjectClass OBJECT IDENTIFIER ::= {pilot 4} # pilotGroups OBJECT IDENTIFIER ::= {pilot 10} # # iA5StringSyntax OBJECT IDENTIFIER ::= {pilotAttributeSyntax 4} # caseIgnoreIA5StringSyntax OBJECT IDENTIFIER ::= # {pilotAttributeSyntax 5} # # -- Standard Object Classes # # top OBJECT-CLASS # MUST CONTAIN { # objectClass} # ::= {objectClass 0} # # # alias OBJECT-CLASS # SUBCLASS OF top # MUST CONTAIN { # aliasedObjectName} # ::= {objectClass 1} # # # country OBJECT-CLASS # SUBCLASS OF top # MUST CONTAIN { # countryName} # MAY CONTAIN { # description, # searchGuide} # ::= {objectClass 2} # # # locality OBJECT-CLASS # SUBCLASS OF top # MAY CONTAIN { # description, # localityName, # stateOrProvinceName, # searchGuide, # seeAlso, # streetAddress} # ::= {objectClass 3} # # # organization OBJECT-CLASS # SUBCLASS OF top # MUST CONTAIN { # organizationName} # MAY CONTAIN { # organizationalAttributeSet} # ::= {objectClass 4} # # # organizationalUnit OBJECT-CLASS # SUBCLASS OF top # MUST CONTAIN { # organizationalUnitName} # MAY CONTAIN { # 
organizationalAttributeSet} # ::= {objectClass 5} # # # person OBJECT-CLASS # SUBCLASS OF top # MUST CONTAIN { # commonName, # surname} # MAY CONTAIN { # description, # seeAlso, # telephoneNumber, # userPassword} # ::= {objectClass 6} # # # organizationalPerson OBJECT-CLASS # SUBCLASS OF person # MAY CONTAIN { # localeAttributeSet, # organizationalUnitName, # postalAttributeSet, # telecommunicationAttributeSet, # title} # ::= {objectClass 7} # # # organizationalRole OBJECT-CLASS # SUBCLASS OF top # MUST CONTAIN { # commonName} # MAY CONTAIN { # description, # localeAttributeSet, # organizationalUnitName, # postalAttributeSet, # preferredDeliveryMethod, # roleOccupant, # seeAlso, # telecommunicationAttributeSet} # ::= {objectClass 8} # # # groupOfNames OBJECT-CLASS # SUBCLASS OF top # MUST CONTAIN { # commonName, # member} # MAY CONTAIN { # description, # organizationName, # organizationalUnitName, # owner, # seeAlso, # businessCategory} # ::= {objectClass 9} # # # residentialPerson OBJECT-CLASS # SUBCLASS OF person # MUST CONTAIN { # localityName} # MAY CONTAIN { # localeAttributeSet, # postalAttributeSet, # preferredDeliveryMethod, # telecommunicationAttributeSet, # businessCategory} # ::= {objectClass 10} # # # applicationProcess OBJECT-CLASS # SUBCLASS OF top # MUST CONTAIN { # commonName} # MAY CONTAIN { # description, # localityName, # organizationalUnitName, # seeAlso} # ::= {objectClass 11} # # # applicationEntity OBJECT-CLASS # SUBCLASS OF top # MUST CONTAIN { # commonName, # presentationAddress} # MAY CONTAIN { # description, # localityName, # organizationName, # organizationalUnitName, # seeAlso, # supportedApplicationContext} # ::= {objectClass 12} # # # dSA OBJECT-CLASS # SUBCLASS OF applicationEntity # MAY CONTAIN { # knowledgeInformation} # ::= {objectClass 13} # # # device OBJECT-CLASS # SUBCLASS OF top # MUST CONTAIN { # commonName} # MAY CONTAIN { # description, # localityName, # organizationName, # organizationalUnitName, # owner, # seeAlso, # 
serialNumber} # ::= {objectClass 14} # # # strongAuthenticationUser OBJECT-CLASS # SUBCLASS OF top # MUST CONTAIN { # userCertificate} # ::= {objectClass 15} # # # certificationAuthority OBJECT-CLASS # SUBCLASS OF top # MUST CONTAIN { # cACertificate, # certificateRevocationList, # authorityRevocationList} # MAY CONTAIN { # crossCertificatePair} # ::= {objectClass 16} # # -- Standard MHS Object Classes # # mhsDistributionList OBJECT-CLASS # SUBCLASS OF top # MUST CONTAIN { # commonName, # mhsDLSubmitPermissions, # mhsORAddresses} # MAY CONTAIN { # description, # organizationName, # organizationalUnitName, # owner, # seeAlso, # mhsDeliverableContentTypes, # mhsdeliverableEits, # mhsDLMembers, # mhsPreferredDeliveryMethods} # ::= {mhsObjectClass 0} # # # mhsMessageStore OBJECT-CLASS # SUBCLASS OF applicationEntity # MAY CONTAIN { # description, # owner, # mhsSupportedOptionalAttributes, # mhsSupportedAutomaticActions, # mhsSupportedContentTypes} # ::= {mhsObjectClass 1} # # # mhsMessageTransferAgent OBJECT-CLASS # SUBCLASS OF applicationEntity # MAY CONTAIN { # description, # owner, # mhsDeliverableContentLength} # ::= {mhsObjectClass 2} # # # mhsOrganizationalUser OBJECT-CLASS # SUBCLASS OF organizationalPerson # MUST CONTAIN { # mhsORAddresses} # MAY CONTAIN { # mhsDeliverableContentLength, # mhsDeliverableContentTypes, # mhsDeliverableEits, # mhsMessageStoreName, # mhsPreferredDeliveryMethods } # ::= {mhsObjectClass 3} # # # mhsResidentialUser OBJECT-CLASS # SUBCLASS OF residentialPerson # MUST CONTAIN { # mhsORAddresses} # MAY CONTAIN { # mhsDeliverableContentLength, # mhsDeliverableContentTypes, # mhsDeliverableEits, # mhsMessageStoreName, # mhsPreferredDeliveryMethods } # ::= {mhsObjectClass 4} # # # mhsUserAgent OBJECT-CLASS # SUBCLASS OF applicationEntity # MAY CONTAIN { # mhsDeliverableContentLength, # mhsDeliverableContentTypes, # mhsDeliverableEits, # mhsORAddresses, # owner} # ::= {mhsObjectClass 5} # # # # # -- Pilot Object Classes # # pilotObject 
OBJECT-CLASS # SUBCLASS OF top # MAY CONTAIN { # info, # photo, # manager, # uniqueIdentifier, # lastModifiedTime, # lastModifiedBy, # dITRedirect, # audio} # ::= {pilotObjectClass 3} # pilotPerson OBJECT-CLASS # SUBCLASS OF person # MAY CONTAIN { # userid, # textEncodedORAddress, # rfc822Mailbox, # favouriteDrink, # roomNumber, # userClass, # homeTelephoneNumber, # homePostalAddress, # secretary, # personalTitle, # preferredDeliveryMethod, # businessCategory, # janetMailbox, # otherMailbox, # mobileTelephoneNumber, # pagerTelephoneNumber, # organizationalStatus, # mailPreferenceOption, # personalSignature} # ::= {pilotObjectClass 4} # # # account OBJECT-CLASS # SUBCLASS OF top # MUST CONTAIN { # userid} # MAY CONTAIN { # description, # seeAlso, # localityName, # organizationName, # organizationalUnitName, # host} # ::= {pilotObjectClass 5} # # # document OBJECT-CLASS # SUBCLASS OF top # MUST CONTAIN { # documentIdentifier} # MAY CONTAIN { # commonName, # description, # seeAlso, # localityName, # organizationName, # organizationalUnitName, # documentTitle, # documentVersion, # documentAuthor, # documentLocation, # documentPublisher} # ::= {pilotObjectClass 6} # # # room OBJECT-CLASS # SUBCLASS OF top # MUST CONTAIN { # commonName} # MAY CONTAIN { # roomNumber, # description, # seeAlso, # telephoneNumber} # ::= {pilotObjectClass 7} # # # documentSeries OBJECT-CLASS # SUBCLASS OF top # MUST CONTAIN { # commonName} # MAY CONTAIN { # description, # seeAlso, # telephoneNumber, # localityName, # organizationName, # organizationalUnitName} # ::= {pilotObjectClass 9} # # # domain OBJECT-CLASS # SUBCLASS OF top # MUST CONTAIN { # domainComponent} # MAY CONTAIN { # associatedName, # organizationName, # organizationalAttributeSet} # ::= {pilotObjectClass 13} # # # rFC822localPart OBJECT-CLASS # SUBCLASS OF domain # MAY CONTAIN { # commonName, # surname, # description, # seeAlso, # telephoneNumber, # postalAttributeSet, # telecommunicationAttributeSet} # ::= {pilotObjectClass 
14} # # # dNSDomain OBJECT-CLASS # SUBCLASS OF domain # MAY CONTAIN { # ARecord, # MDRecord, # MXRecord, # NSRecord, # SOARecord, # CNAMERecord} # ::= {pilotObjectClass 15} # # # domainRelatedObject OBJECT-CLASS # SUBCLASS OF top # MUST CONTAIN { # associatedDomain} # ::= {pilotObjectClass 17} # # # friendlyCountry OBJECT-CLASS # SUBCLASS OF country # MUST CONTAIN { # friendlyCountryName} # ::= {pilotObjectClass 18} # # # simpleSecurityObject OBJECT-CLASS # SUBCLASS OF top # MUST CONTAIN { # userPassword } # ::= {pilotObjectClass 19} # # # pilotOrganization OBJECT-CLASS # SUBCLASS OF organization, organizationalUnit # MAY CONTAIN { # buildingName} # ::= {pilotObjectClass 20} # # # pilotDSA OBJECT-CLASS # SUBCLASS OF dsa # MUST CONTAIN { # dSAQuality} # ::= {pilotObjectClass 21} # # # qualityLabelledData OBJECT-CLASS # SUBCLASS OF top # MUST CONTAIN { # dSAQuality} # MAY CONTAIN { # subtreeMinimumQuality, # subtreeMaximumQuality} # ::= {pilotObjectClass 22} # # # # # -- Standard Attribute Types # # objectClass ObjectClass # ::= {attributeType 0} # # # aliasedObjectName AliasedObjectName # ::= {attributeType 1} # # # knowledgeInformation ATTRIBUTE # WITH ATTRIBUTE-SYNTAX caseIgnoreString # ::= {attributeType 2} # # # commonName ATTRIBUTE # WITH ATTRIBUTE-SYNTAX caseIgnoreStringSyntax # (SIZE (1..ub-common-name)) # ::= {attributeType 3} # # # surname ATTRIBUTE # WITH ATTRIBUTE-SYNTAX caseIgnoreStringSyntax # (SIZE (1..ub-surname)) # ::= {attributeType 4} # # # serialNumber ATTRIBUTE # WITH ATTRIBUTE-SYNTAX printableStringSyntax # (SIZE (1..ub-serial-number)) # ::= {attributeType 5} # # # countryName ATTRIBUTE # WITH ATTRIBUTE-SYNTAX PrintableString # (SIZE (1..ub-country-code)) # SINGLE VALUE # ::= {attributeType 6} # # # localityName ATTRIBUTE # WITH ATTRIBUTE-SYNTAX caseIgnoreStringSyntax # (SIZE (1..ub-locality-name)) # ::= {attributeType 7} # # # stateOrProvinceName ATTRIBUTE # WITH ATTRIBUTE-SYNTAX caseIgnoreStringSyntax # (SIZE (1..ub-state-name)) # ::= 
{attributeType 8} # # # streetAddress ATTRIBUTE # WITH ATTRIBUTE-SYNTAX caseIgnoreStringSyntax # (SIZE (1..ub-street-address)) # ::= {attributeType 9} # # # organizationName ATTRIBUTE # WITH ATTRIBUTE-SYNTAX caseIgnoreStringSyntax # (SIZE (1..ub-organization-name)) # ::= {attributeType 10} # # # organizationalUnitName ATTRIBUTE # WITH ATTRIBUTE-SYNTAX caseIgnoreStringSyntax # (SIZE (1..ub-organizational-unit-name)) # ::= {attributeType 11} # # # title ATTRIBUTE # WITH ATTRIBUTE-SYNTAX caseIgnoreStringSyntax # (SIZE (1..ub-title)) # ::= {attributeType 12} # # # description ATTRIBUTE # WITH ATTRIBUTE-SYNTAX caseIgnoreStringSyntax # (SIZE (1..ub-description)) # ::= {attributeType 13} # # # searchGuide ATTRIBUTE # WITH ATTRIBUTE-SYNTAX Guide # ::= {attributeType 14} # # # businessCategory ATTRIBUTE # WITH ATTRIBUTE-SYNTAX caseIgnoreStringSyntax # (SIZE (1..ub-business-category)) # ::= {attributeType 15} # # # postalAddress ATTRIBUTE # WITH ATTRIBUTE-SYNTAX PostalAddress # MATCHES FOR EQUALITY # ::= {attributeType 16} # # # postalCode ATTRIBUTE # WITH ATTRIBUTE-SYNTAX caseIgnoreStringSyntax # (SIZE (1..ub-postal-code)) # ::= {attributeType 17} # # # postOfficeBox ATTRIBUTE # WITH ATTRIBUTE-SYNTAX caseIgnoreStringSyntax # (SIZE (1..ub-post-office-box)) # ::= {attributeType 18} # # # physicalDeliveryOfficeName ATTRIBUTE # WITH ATTRIBUTE-SYNTAX caseIgnoreStringSyntax # (SIZE (1..ub-physical-office-name)) # ::= {attributeType 19} # # # telephoneNumber ATTRIBUTE # WITH ATTRIBUTE-SYNTAX telephoneNumberSyntax # (SIZE (1..ub-telephone-number)) # ::= {attributeType 20} # # # telexNumber ATTRIBUTE # WITH ATTRIBUTE-SYNTAX TelexNumber # (SIZE (1..ub-telex)) # ::= {attributeType 21} # # # teletexTerminalIdentifier ATTRIBUTE # WITH ATTRIBUTE-SYNTAX TeletexTerminalIdentifier # (SIZE (1..ub-teletex-terminal-id)) # ::= {attributeType 22} # # # facsimileTelephoneNumber ATTRIBUTE # WITH ATTRIBUTE-SYNTAX FacsimileTelephoneNumber # ::= {attributeType 23} # # # x121Address ATTRIBUTE # WITH 
ATTRIBUTE-SYNTAX NumericString # (SIZE (1..ub-x121-address)) # ::= {attributeType 24} # # # internationaliSDNNumber ATTRIBUTE # WITH ATTRIBUTE-SYNTAX NumericString # (SIZE (1..ub-isdn-address)) # ::= {attributeType 25} # # # registeredAddress ATTRIBUTE # WITH ATTRIBUTE-SYNTAX PostalAddress # ::= {attributeType 26} # # # destinationIndicator ATTRIBUTE # WITH ATTRIBUTE-SYNTAX PrintableString # (SIZE (1..ub-destination-indicator)) # MATCHES FOR EQUALITY SUBSTRINGS # ::= {attributeType 27} # # # preferredDeliveryMethod ATTRIBUTE # WITH ATTRIBUTE-SYNTAX deliveryMethod # ::= {attributeType 28} # # # presentationAddress ATTRIBUTE # WITH ATTRIBUTE-SYNTAX PresentationAddress # MATCHES FOR EQUALITY # ::= {attributeType 29} # # # supportedApplicationContext ATTRIBUTE # WITH ATTRIBUTE-SYNTAX objectIdentifierSyntax # ::= {attributeType 30} # # # member ATTRIBUTE # WITH ATTRIBUTE-SYNTAX distinguishedNameSyntax # ::= {attributeType 31} # # # owner ATTRIBUTE # WITH ATTRIBUTE-SYNTAX distinguishedNameSyntax # ::= {attributeType 32} # # # roleOccupant ATTRIBUTE # WITH ATTRIBUTE-SYNTAX distinguishedNameSyntax # ::= {attributeType 33} # # # seeAlso ATTRIBUTE # WITH ATTRIBUTE-SYNTAX distinguishedNameSyntax # ::= {attributeType 34} # # # userPassword ATTRIBUTE # WITH ATTRIBUTE-SYNTAX Userpassword # ::= {attributeType 35} # # # userCertificate ATTRIBUTE # WITH ATTRIBUTE-SYNTAX UserCertificate # ::= {attributeType 36} # # # cACertificate ATTRIBUTE # WITH ATTRIBUTE-SYNTAX cACertificate # ::= {attributeType 37} # # # authorityRevocationList ATTRIBUTE # WITH ATTRIBUTE-SYNTAX AuthorityRevocationList # ::= {attributeType 38} # # # certificateRevocationList ATTRIBUTE # WITH ATTRIBUTE-SYNTAX CertificateRevocationList # ::= {attributeType 39} # # # crossCertificatePair ATTRIBUTE # WITH ATTRIBUTE-SYNTAX CrossCertificatePair # ::= {attributeType 40} # # # # # -- Standard MHS Attribute Types # # mhsDeliverableContentLength ATTRIBUTE # WITH ATTRIBUTE-SYNTAX integer # ::= {mhsAttributeType 0} # # # 
mhsDeliverableContentTypes ATTRIBUTE # WITH ATTRIBUTE-SYNTAX oID # ::= {mhsAttributeType 1} # # # mhsDeliverableEits ATTRIBUTE # WITH ATTRIBUTE-SYNTAX oID # ::= {mhsAttributeType 2} # # # mhsDLMembers ATTRIBUTE # WITH ATTRIBUTE-SYNTAX oRName # ::= {mhsAttributeType 3} # # # mhsDLSubmitPermissions ATTRIBUTE # WITH ATTRIBUTE-SYNTAX dLSubmitPermission # ::= {mhsAttributeType 4} # # # mhsMessageStoreName ATTRIBUTE # WITH ATTRIBUTE-SYNTAX dN # ::= {mhsAttributeType 5} # # # mhsORAddresses ATTRIBUTE # WITH ATTRIBUTE-SYNTAX oRAddress # ::= {mhsAttributeType 6} # # # mhsPreferredDeliveryMethods ATTRIBUTE # WITH ATTRIBUTE-SYNTAX deliveryMethod # ::= {mhsAttributeType 7} # # # mhsSupportedAutomaticActions ATTRIBUTE # WITH ATTRIBUTE-SYNTAX oID # ::= {mhsAttributeType 8} # # # mhsSupportedContentTypes ATTRIBUTE # # WITH ATTRIBUTE-SYNTAX oID # ::= {mhsAttributeType 9} # # # mhsSupportedOptionalAttributes ATTRIBUTE # WITH ATTRIBUTE-SYNTAX oID # ::= {mhsAttributeType 10} # # # # # -- Pilot Attribute Types # # userid ATTRIBUTE # WITH ATTRIBUTE-SYNTAX # caseIgnoreStringSyntax # (SIZE (1 .. ub-user-identifier)) # ::= {pilotAttributeType 1} # # # textEncodedORAddress ATTRIBUTE # WITH ATTRIBUTE-SYNTAX # caseIgnoreStringSyntax # (SIZE (1 .. ub-text-encoded-or-address)) # ::= {pilotAttributeType 2} # # # rfc822Mailbox ATTRIBUTE # WITH ATTRIBUTE-SYNTAX # caseIgnoreIA5StringSyntax # (SIZE (1 .. ub-rfc822-mailbox)) # ::= {pilotAttributeType 3} # # # info ATTRIBUTE # WITH ATTRIBUTE-SYNTAX # caseIgnoreStringSyntax # (SIZE (1 .. ub-information)) # ::= {pilotAttributeType 4} # # # favouriteDrink ATTRIBUTE # WITH ATTRIBUTE-SYNTAX # caseIgnoreStringSyntax # (SIZE (1 .. ub-favourite-drink)) # ::= {pilotAttributeType 5} # # # roomNumber ATTRIBUTE # WITH ATTRIBUTE-SYNTAX # caseIgnoreStringSyntax # (SIZE (1 .. ub-room-number)) # ::= {pilotAttributeType 6} # # # photo ATTRIBUTE # WITH ATTRIBUTE-SYNTAX # CHOICE { # g3-facsimile [3] G3FacsimileBodyPart # } # (SIZE (1 .. 
ub-photo)) # ::= {pilotAttributeType 7} # # # userClass ATTRIBUTE # WITH ATTRIBUTE-SYNTAX # caseIgnoreStringSyntax # (SIZE (1 .. ub-user-class)) # ::= {pilotAttributeType 8} # # # host ATTRIBUTE # WITH ATTRIBUTE-SYNTAX # caseIgnoreStringSyntax # (SIZE (1 .. ub-host)) # ::= {pilotAttributeType 9} # # # manager ATTRIBUTE # WITH ATTRIBUTE-SYNTAX # distinguishedNameSyntax # ::= {pilotAttributeType 10} # # # documentIdentifier ATTRIBUTE # WITH ATTRIBUTE-SYNTAX # caseIgnoreStringSyntax # (SIZE (1 .. ub-document-identifier)) # ::= {pilotAttributeType 11} # # # documentTitle ATTRIBUTE # WITH ATTRIBUTE-SYNTAX # caseIgnoreStringSyntax # (SIZE (1 .. ub-document-title)) # ::= {pilotAttributeType 12} # # # documentVersion ATTRIBUTE # WITH ATTRIBUTE-SYNTAX # caseIgnoreStringSyntax # (SIZE (1 .. ub-document-version)) # ::= {pilotAttributeType 13} # # # documentAuthor ATTRIBUTE # WITH ATTRIBUTE-SYNTAX # distinguishedNameSyntax # ::= {pilotAttributeType 14} # # # documentLocation ATTRIBUTE # WITH ATTRIBUTE-SYNTAX # caseIgnoreStringSyntax # (SIZE (1 .. ub-document-location)) # ::= {pilotAttributeType 15} # # # homeTelephoneNumber ATTRIBUTE # WITH ATTRIBUTE-SYNTAX # telephoneNumberSyntax # ::= {pilotAttributeType 20} # # # secretary ATTRIBUTE # WITH ATTRIBUTE-SYNTAX # distinguishedNameSyntax # ::= {pilotAttributeType 21} # # # otherMailbox ATTRIBUTE # WITH ATTRIBUTE-SYNTAX # SEQUENCE { # mailboxType PrintableString, -- e.g. Telemail # mailbox IA5String -- e.g. 
X378:Joe # } # ::= {pilotAttributeType 22} # # # lastModifiedTime ATTRIBUTE # WITH ATTRIBUTE-SYNTAX # uTCTimeSyntax # ::= {pilotAttributeType 23} # # # lastModifiedBy ATTRIBUTE # WITH ATTRIBUTE-SYNTAX # distinguishedNameSyntax # ::= {pilotAttributeType 24} # # # domainComponent ATTRIBUTE # WITH ATTRIBUTE-SYNTAX # caseIgnoreIA5StringSyntax # SINGLE VALUE # ::= {pilotAttributeType 25} # # # aRecord ATTRIBUTE # WITH ATTRIBUTE-SYNTAX # DNSRecordSyntax # ::= {pilotAttributeType 26} # # # mXRecord ATTRIBUTE # WITH ATTRIBUTE-SYNTAX # DNSRecordSyntax # ::= {pilotAttributeType 28} # # # nSRecord ATTRIBUTE # WITH ATTRIBUTE-SYNTAX # DNSRecordSyntax # ::= {pilotAttributeType 29} # # sOARecord ATTRIBUTE # WITH ATTRIBUTE-SYNTAX # DNSRecordSyntax # ::= {pilotAttributeType 30} # # # cNAMERecord ATTRIBUTE # WITH ATTRIBUTE-SYNTAX # iA5StringSyntax # ::= {pilotAttributeType 31} # # # associatedDomain ATTRIBUTE # WITH ATTRIBUTE-SYNTAX # caseIgnoreIA5StringSyntax # ::= {pilotAttributeType 37} # # # associatedName ATTRIBUTE # WITH ATTRIBUTE-SYNTAX # distinguishedNameSyntax # ::= {pilotAttributeType 38} # # # homePostalAddress ATTRIBUTE # WITH ATTRIBUTE-SYNTAX # postalAddress # MATCHES FOR EQUALITY # ::= {pilotAttributeType 39} # # # personalTitle ATTRIBUTE # WITH ATTRIBUTE-SYNTAX # caseIgnoreStringSyntax # (SIZE (1 .. ub-personal-title)) # ::= {pilotAttributeType 40} # # # mobileTelephoneNumber ATTRIBUTE # WITH ATTRIBUTE-SYNTAX # telephoneNumberSyntax # ::= {pilotAttributeType 41} # # # pagerTelephoneNumber ATTRIBUTE # WITH ATTRIBUTE-SYNTAX # telephoneNumberSyntax # ::= {pilotAttributeType 42} # # # friendlyCountryName ATTRIBUTE # WITH ATTRIBUTE-SYNTAX # caseIgnoreStringSyntax # ::= {pilotAttributeType 43} # # # uniqueIdentifier ATTRIBUTE # WITH ATTRIBUTE-SYNTAX # caseIgnoreStringSyntax # (SIZE (1 .. ub-unique-identifier)) # ::= {pilotAttributeType 44} # # # organizationalStatus ATTRIBUTE # WITH ATTRIBUTE-SYNTAX # caseIgnoreStringSyntax # (SIZE (1 .. 
ub-organizational-status)) # ::= {pilotAttributeType 45} # # # janetMailbox ATTRIBUTE # WITH ATTRIBUTE-SYNTAX # caseIgnoreIA5StringSyntax # (SIZE (1 .. ub-janet-mailbox)) # ::= {pilotAttributeType 46} # # # mailPreferenceOption ATTRIBUTE # WITH ATTRIBUTE-SYNTAX ENUMERATED { # no-list-inclusion(0), # any-list-inclusion(1), -- may be added to any lists # professional-list-inclusion(2) # -- may be added to lists # -- which the list provider # -- views as related to the # -- users professional inter- # -- ests, perhaps evaluated # -- from the business of the # -- organisation or keywords # -- in the entry. # } # ::= {pilotAttributeType 47} # # # buildingName ATTRIBUTE # WITH ATTRIBUTE-SYNTAX # caseIgnoreStringSyntax # (SIZE (1 .. ub-building-name)) # ::= {pilotAttributeType 48} # # # dSAQuality ATTRIBUTE # WITH ATTRIBUTE-SYNTAX DSAQualitySyntax # SINGLE VALUE # ::= {pilotAttributeType 49} # # # singleLevelQuality ATTRIBUTE # WITH ATTRIBUTE-SYNTAX DataQualitySyntax # SINGLE VALUE # # # subtreeMinimumQuality ATTRIBUTE # WITH ATTRIBUTE-SYNTAX DataQualitySyntax # SINGLE VALUE # -- Defaults to singleLevelQuality # ::= {pilotAttributeType 51} # # # subtreeMaximumQuality ATTRIBUTE # WITH ATTRIBUTE-SYNTAX DataQualitySyntax # SINGLE VALUE # -- Defaults to singleLevelQuality # ::= {pilotAttributeType 52} # # # personalSignature ATTRIBUTE # WITH ATTRIBUTE-SYNTAX # CHOICE { # g3-facsimile [3] G3FacsimileBodyPart # } # (SIZE (1 .. ub-personal-signature)) # ::= {pilotAttributeType 53} # # # dITRedirect ATTRIBUTE # WITH ATTRIBUTE-SYNTAX # distinguishedNameSyntax # ::= {pilotAttributeType 54} # # # audio ATTRIBUTE # WITH ATTRIBUTE-SYNTAX # Audio # (SIZE (1 .. 
ub-audio)) # ::= {pilotAttributeType 55} # # documentPublisher ATTRIBUTE # WITH ATTRIBUTE SYNTAX caseIgnoreStringSyntax # ::= {pilotAttributeType 56} # # # # -- Generally useful syntaxes # # # caseIgnoreIA5StringSyntax ATTRIBUTE-SYNTAX # IA5String # MATCHES FOR EQUALITY SUBSTRINGS # # # iA5StringSyntax ATTRIBUTE-SYNTAX # IA5String # MATCHES FOR EQUALITY SUBSTRINGS # # # -- Syntaxes to support the DNS attributes # # DNSRecordSyntax ATTRIBUTE-SYNTAX # IA5String # MATCHES FOR EQUALITY # # # NRSInformationSyntax ATTRIBUTE-SYNTAX # NRSInformation # MATCHES FOR EQUALITY # # # NRSInformation ::= SET { # [0] Context, # [1] Address-space-id, # routes [2] SEQUENCE OF SEQUENCE { # Route-cost, # Addressing-info } # } # # # -- Upper bounds on length of attribute values # # # ub-document-identifier INTEGER ::= 256 # # ub-document-location INTEGER ::= 256 # # ub-document-title INTEGER ::= 256 # # ub-document-version INTEGER ::= 256 # # ub-favourite-drink INTEGER ::= 256 # # ub-host INTEGER ::= 256 # # ub-information INTEGER ::= 2048 # # ub-unique-identifier INTEGER ::= 256 # # ub-personal-title INTEGER ::= 256 # # ub-photo INTEGER ::= 250000 # # ub-rfc822-mailbox INTEGER ::= 256 # # ub-room-number INTEGER ::= 256 # # ub-text-or-address INTEGER ::= 256 # # ub-user-class INTEGER ::= 256 # # ub-user-identifier INTEGER ::= 256 # # ub-organizational-status INTEGER ::= 256 # # ub-janet-mailbox INTEGER ::= 256 # # ub-building-name INTEGER ::= 256 # # ub-personal-signature ::= 50000 # # ub-audio INTEGER ::= 250000 # # [remainder of memo trimmed]
This schema is imported with the following call. Authentication is SASL EXTERNAL over the local ldapi:/// socket: slapd derives the identity from the peer credentials of the calling process (uid 0 and gid 0 show up as the SASL username in the output below), so no password is involved, and the bind DN passed with -D is ignored for a SASL bind and could be omitted. In the configuration as shipped with CentOS 7 the olcAccess rule on cn=config grants manage rights to exactly this peer-credential identity, which is why the call has to be run as root on the server itself and why access to the ldapi socket is equivalent to administrative access to the directory configuration.
# ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f /etc/openldap/schema/cosine.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=cosine,cn=schema,cn=config"
inetorgperson
As before, we import the next schema, inetorgperson, with the ldapadd command. The description of the schema is found in the file of the same name, /etc/openldap/schema/inetorgperson.schema.
# less /etc/openldap/schema/inetorgperson.schema
- /etc/openldap/schema/inetorgperson.schema
# inetorgperson.schema -- InetOrgPerson (RFC2798)
# $OpenLDAP$
## This work is part of OpenLDAP Software <http://www.openldap.org/>.
##
## Copyright 1998-2014 The OpenLDAP Foundation.
## All rights reserved.
##
## Redistribution and use in source and binary forms, with or without
## modification, are permitted only as authorized by the OpenLDAP
## Public License.
##
## A copy of this license is available in the file LICENSE in the
## top-level directory of the distribution or, alternatively, at
## <http://www.OpenLDAP.org/license.html>.
#
# InetOrgPerson (RFC2798)
#
# Depends upon
#   Definition of an X.500 Attribute Type and an Object Class to Hold
#   Uniform Resource Identifiers (URIs) [RFC2079]
#	(core.schema)
#
#   A Summary of the X.500(96) User Schema for use with LDAPv3 [RFC2256]
#	(core.schema)
#
#   The COSINE and Internet X.500 Schema [RFC1274] (cosine.schema)

# carLicense
# This multivalued field is used to record the values of the license or
# registration plate associated with an individual.
attributetype ( 2.16.840.1.113730.3.1.1
	NAME 'carLicense'
	DESC 'RFC2798: vehicle license or registration plate'
	EQUALITY caseIgnoreMatch
	SUBSTR caseIgnoreSubstringsMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

# departmentNumber
# Code for department to which a person belongs.  This can also be
# strictly numeric (e.g., 1234) or alphanumeric (e.g., ABC/123).
attributetype ( 2.16.840.1.113730.3.1.2
	NAME 'departmentNumber'
	DESC 'RFC2798: identifies a department within an organization'
	EQUALITY caseIgnoreMatch
	SUBSTR caseIgnoreSubstringsMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

# displayName
# When displaying an entry, especially within a one-line summary list, it
# is useful to be able to identify a name to be used.  Since other attri-
# bute types such as 'cn' are multivalued, an additional attribute type is
# needed.  Display name is defined for this purpose.
attributetype ( 2.16.840.1.113730.3.1.241
	NAME 'displayName'
	DESC 'RFC2798: preferred name to be used when displaying entries'
	EQUALITY caseIgnoreMatch
	SUBSTR caseIgnoreSubstringsMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
	SINGLE-VALUE )

# employeeNumber
# Numeric or alphanumeric identifier assigned to a person, typically based
# on order of hire or association with an organization.  Single valued.
attributetype ( 2.16.840.1.113730.3.1.3
	NAME 'employeeNumber'
	DESC 'RFC2798: numerically identifies an employee within an organization'
	EQUALITY caseIgnoreMatch
	SUBSTR caseIgnoreSubstringsMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
	SINGLE-VALUE )

# employeeType
# Used to identify the employer to employee relationship.  Typical values
# used will be "Contractor", "Employee", "Intern", "Temp", "External", and
# "Unknown" but any value may be used.
attributetype ( 2.16.840.1.113730.3.1.4
	NAME 'employeeType'
	DESC 'RFC2798: type of employment for a person'
	EQUALITY caseIgnoreMatch
	SUBSTR caseIgnoreSubstringsMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

# jpegPhoto
# Used to store one or more images of a person using the JPEG File
# Interchange Format [JFIF].
# Note that the jpegPhoto attribute type was defined for use in the
# Internet X.500 pilots but no referencable definition for it could be
# located.
attributetype ( 0.9.2342.19200300.100.1.60
	NAME 'jpegPhoto'
	DESC 'RFC2798: a JPEG image'
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.28 )

# preferredLanguage
# Used to indicate an individual's preferred written or spoken
# language.  This is useful for international correspondence or human-
# computer interaction.  Values for this attribute type MUST conform to
# the definition of the Accept-Language header field defined in
# [RFC2068] with one exception:  the sequence "Accept-Language" ":"
# should be omitted.  This is a single valued attribute type.
attributetype ( 2.16.840.1.113730.3.1.39
	NAME 'preferredLanguage'
	DESC 'RFC2798: preferred written or spoken language for a person'
	EQUALITY caseIgnoreMatch
	SUBSTR caseIgnoreSubstringsMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
	SINGLE-VALUE )

# userSMIMECertificate
# A PKCS#7 [RFC2315] SignedData, where the content that is signed is
# ignored by consumers of userSMIMECertificate values.  It is
# recommended that values have a `contentType' of data with an absent
# `content' field.  Values of this attribute contain a person's entire
# certificate chain and an smimeCapabilities field [RFC2633] that at a
# minimum describes their SMIME algorithm capabilities.  Values for
# this attribute are to be stored and requested in binary form, as
# 'userSMIMECertificate;binary'.  If available, this attribute is
# preferred over the userCertificate attribute for S/MIME applications.
## OpenLDAP note: ";binary" transfer should NOT be used as syntax is binary
attributetype ( 2.16.840.1.113730.3.1.40
	NAME 'userSMIMECertificate'
	DESC 'RFC2798: PKCS#7 SignedData used to support S/MIME'
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.5 )

# userPKCS12
# PKCS #12 [PKCS12] provides a format for exchange of personal identity
# information.  When such information is stored in a directory service,
# the userPKCS12 attribute should be used. This attribute is to be stored
# and requested in binary form, as 'userPKCS12;binary'.  The attribute
# values are PFX PDUs stored as binary data.
## OpenLDAP note: ";binary" transfer should NOT be used as syntax is binary
attributetype ( 2.16.840.1.113730.3.1.216
	NAME 'userPKCS12'
	DESC 'RFC2798: personal identity information, a PKCS #12 PFX'
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.5 )

# inetOrgPerson
# The inetOrgPerson represents people who are associated with an
# organization in some way.  It is a structural class and is derived
# from the organizationalPerson which is defined in X.521 [X521].
objectclass	( 2.16.840.1.113730.3.2.2
    NAME 'inetOrgPerson'
	DESC 'RFC2798: Internet Organizational Person'
    SUP organizationalPerson
    STRUCTURAL
	MAY (
		audio $ businessCategory $ carLicense $ departmentNumber $
		displayName $ employeeNumber $ employeeType $ givenName $
		homePhone $ homePostalAddress $ initials $ jpegPhoto $
		labeledURI $ mail $ manager $ mobile $ o $ pager $
		photo $ roomNumber $ secretary $ uid $ userCertificate $
		x500uniqueIdentifier $ preferredLanguage $
		userSMIMECertificate $ userPKCS12 )
	)
This schema is imported with the following command.
# ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f /etc/openldap/schema/inetorgperson.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=inetorgperson,cn=schema,cn=config"
nis
Finally, we import the schema nis. The description of the schema is found in the file of the same name, /etc/openldap/schema/nis.schema.
# less /etc/openldap/schema/nis.schema
- /etc/openldap/schema/nis.schema
# $OpenLDAP$
## This work is part of OpenLDAP Software <http://www.openldap.org/>.
##
## Copyright 1998-2014 The OpenLDAP Foundation.
## All rights reserved.
##
## Redistribution and use in source and binary forms, with or without
## modification, are permitted only as authorized by the OpenLDAP
## Public License.
##
## A copy of this license is available in the file LICENSE in the
## top-level directory of the distribution or, alternatively, at
## <http://www.OpenLDAP.org/license.html>.

# Definitions from RFC2307 (Experimental)
#	An Approach for Using LDAP as a Network Information Service

# Depends upon core.schema and cosine.schema

# Note: The definitions in RFC2307 are given in syntaxes closely related
# to those in RFC2252, however, some liberties are taken that are not
# supported by RFC2252.  This file has been written following RFC2252
# strictly.

# OID Base is iso(1) org(3) dod(6) internet(1) directory(1) nisSchema(1).
# i.e. nisSchema in RFC2307 is 1.3.6.1.1.1
#
# Syntaxes are under 1.3.6.1.1.1.0 (two new syntaxes are defined)
#	validaters for these syntaxes are incomplete, they only
#	implement printable string validation (which is good as the
#	common use of these syntaxes violates the specification).
# Attribute types are under 1.3.6.1.1.1.1
# Object classes are under 1.3.6.1.1.1.2

# Attribute Type Definitions

# builtin
#attributetype ( 1.3.6.1.1.1.1.0 NAME 'uidNumber'
#	DESC 'An integer uniquely identifying a user in an administrative domain'
#	EQUALITY integerMatch
#	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

# builtin
#attributetype ( 1.3.6.1.1.1.1.1 NAME 'gidNumber'
#	DESC 'An integer uniquely identifying a group in an administrative domain'
#	EQUALITY integerMatch
#	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

attributetype ( 1.3.6.1.1.1.1.2 NAME 'gecos'
	DESC 'The GECOS field; the common name'
	EQUALITY caseIgnoreIA5Match
	SUBSTR caseIgnoreIA5SubstringsMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )

attributetype ( 1.3.6.1.1.1.1.3 NAME 'homeDirectory'
	DESC 'The absolute path to the home directory'
	EQUALITY caseExactIA5Match
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )

attributetype ( 1.3.6.1.1.1.1.4 NAME 'loginShell'
	DESC 'The path to the login shell'
	EQUALITY caseExactIA5Match
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )

attributetype ( 1.3.6.1.1.1.1.5 NAME 'shadowLastChange'
	EQUALITY integerMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

attributetype ( 1.3.6.1.1.1.1.6 NAME 'shadowMin'
	EQUALITY integerMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

attributetype ( 1.3.6.1.1.1.1.7 NAME 'shadowMax'
	EQUALITY integerMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

attributetype ( 1.3.6.1.1.1.1.8 NAME 'shadowWarning'
	EQUALITY integerMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

attributetype ( 1.3.6.1.1.1.1.9 NAME 'shadowInactive'
	EQUALITY integerMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

attributetype ( 1.3.6.1.1.1.1.10 NAME 'shadowExpire'
	EQUALITY integerMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

attributetype ( 1.3.6.1.1.1.1.11 NAME 'shadowFlag'
	EQUALITY integerMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

attributetype ( 1.3.6.1.1.1.1.12 NAME 'memberUid'
	EQUALITY caseExactIA5Match
	SUBSTR caseExactIA5SubstringsMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.1.1.1.13 NAME 'memberNisNetgroup'
	EQUALITY caseExactIA5Match
	SUBSTR caseExactIA5SubstringsMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.1.1.1.14 NAME 'nisNetgroupTriple'
	DESC 'Netgroup triple'
	SYNTAX 1.3.6.1.1.1.0.0 )

attributetype ( 1.3.6.1.1.1.1.15 NAME 'ipServicePort'
	EQUALITY integerMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

attributetype ( 1.3.6.1.1.1.1.16 NAME 'ipServiceProtocol'
	SUP name )

attributetype ( 1.3.6.1.1.1.1.17 NAME 'ipProtocolNumber'
	EQUALITY integerMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

attributetype ( 1.3.6.1.1.1.1.18 NAME 'oncRpcNumber'
	EQUALITY integerMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

attributetype ( 1.3.6.1.1.1.1.19 NAME 'ipHostNumber'
	DESC 'IP address'
	EQUALITY caseIgnoreIA5Match
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{128} )

attributetype ( 1.3.6.1.1.1.1.20 NAME 'ipNetworkNumber'
	DESC 'IP network'
	EQUALITY caseIgnoreIA5Match
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{128} SINGLE-VALUE )

attributetype ( 1.3.6.1.1.1.1.21 NAME 'ipNetmaskNumber'
	DESC 'IP netmask'
	EQUALITY caseIgnoreIA5Match
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{128} SINGLE-VALUE )

attributetype ( 1.3.6.1.1.1.1.22 NAME 'macAddress'
	DESC 'MAC address'
	EQUALITY caseIgnoreIA5Match
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{128} )

attributetype ( 1.3.6.1.1.1.1.23 NAME 'bootParameter'
	DESC 'rpc.bootparamd parameter'
	SYNTAX 1.3.6.1.1.1.0.1 )

attributetype ( 1.3.6.1.1.1.1.24 NAME 'bootFile'
	DESC 'Boot image name'
	EQUALITY caseExactIA5Match
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.1.1.1.26 NAME 'nisMapName'
	SUP name )

attributetype ( 1.3.6.1.1.1.1.27 NAME 'nisMapEntry'
	EQUALITY caseExactIA5Match
	SUBSTR caseExactIA5SubstringsMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{1024} SINGLE-VALUE )

# Object Class Definitions

objectclass ( 1.3.6.1.1.1.2.0 NAME 'posixAccount'
	DESC 'Abstraction of an account with POSIX attributes'
	SUP top AUXILIARY
	MUST ( cn $ uid $ uidNumber $ gidNumber $ homeDirectory )
	MAY ( userPassword $ loginShell $ gecos $ description ) )

objectclass ( 1.3.6.1.1.1.2.1 NAME 'shadowAccount'
	DESC 'Additional attributes for shadow passwords'
	SUP top AUXILIARY
	MUST uid
	MAY ( userPassword $ shadowLastChange $ shadowMin $
	      shadowMax $ shadowWarning $ shadowInactive $
	      shadowExpire $ shadowFlag $ description ) )

objectclass ( 1.3.6.1.1.1.2.2 NAME 'posixGroup'
	DESC 'Abstraction of a group of accounts'
	SUP top STRUCTURAL
	MUST ( cn $ gidNumber )
	MAY ( userPassword $ memberUid $ description ) )

objectclass ( 1.3.6.1.1.1.2.3 NAME 'ipService'
	DESC 'Abstraction an Internet Protocol service'
	SUP top STRUCTURAL
	MUST ( cn $ ipServicePort $ ipServiceProtocol )
	MAY ( description ) )

objectclass ( 1.3.6.1.1.1.2.4 NAME 'ipProtocol'
	DESC 'Abstraction of an IP protocol'
	SUP top STRUCTURAL
	MUST ( cn $ ipProtocolNumber $ description )
	MAY description )

objectclass ( 1.3.6.1.1.1.2.5 NAME 'oncRpc'
	DESC 'Abstraction of an ONC/RPC binding'
	SUP top STRUCTURAL
	MUST ( cn $ oncRpcNumber $ description )
	MAY description )

objectclass ( 1.3.6.1.1.1.2.6 NAME 'ipHost'
	DESC 'Abstraction of a host, an IP device'
	SUP top AUXILIARY
	MUST ( cn $ ipHostNumber )
	MAY ( l $ description $ manager ) )

objectclass ( 1.3.6.1.1.1.2.7 NAME 'ipNetwork'
	DESC 'Abstraction of an IP network'
	SUP top STRUCTURAL
	MUST ( cn $ ipNetworkNumber )
	MAY ( ipNetmaskNumber $ l $ description $ manager ) )

objectclass ( 1.3.6.1.1.1.2.8 NAME 'nisNetgroup'
	DESC 'Abstraction of a netgroup'
	SUP top STRUCTURAL
	MUST cn
	MAY ( nisNetgroupTriple $ memberNisNetgroup $ description ) )

objectclass ( 1.3.6.1.1.1.2.9 NAME 'nisMap'
	DESC 'A generic abstraction of a NIS map'
	SUP top STRUCTURAL
	MUST nisMapName
	MAY description )

objectclass ( 1.3.6.1.1.1.2.10 NAME 'nisObject'
	DESC 'An entry in a NIS map'
	SUP top STRUCTURAL
	MUST ( cn $ nisMapEntry $ nisMapName )
	MAY description )

objectclass ( 1.3.6.1.1.1.2.11 NAME 'ieee802Device'
	DESC 'A device with a MAC address'
	SUP top AUXILIARY
	MAY macAddress )

objectclass ( 1.3.6.1.1.1.2.12 NAME 'bootableDevice'
	DESC 'A device with boot parameters'
	SUP top AUXILIARY
	MAY ( bootFile $ bootParameter ) )
Here too, the schema is imported with the ldapadd command.
# ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f /etc/openldap/schema/nis.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=nis,cn=schema,cn=config"
Configuration check
Having imported all the required schemas, we can finally check that the new schemas are present in the directory tree.
# ldapsearch -W -x -D cn=config -b cn=config | grep cn=schema,cn=config
Enter LDAP Password:
dn: cn=schema,cn=config
dn: cn={0}core,cn=schema,cn=config
dn: cn={1}cosine,cn=schema,cn=config
dn: cn={2}inetorgperson,cn=schema,cn=config
dn: cn={3}nis,cn=schema,cn=config
Directory Information Tree
The data, each record consisting of a DN (Distinguished Name) and a unique object name, is stored in our OpenLDAP directory service in the DIT (Directory Information Tree), a hierarchical tree structure. The root (root or suffix) is the topmost data object, below which the remaining data structures branch off.
To take over the users that already exist in the two tables /etc/passwd and /etc/group of our server, we first create a suitable DIT. For this we write a matching LDIF file for our domain nausch.org and save it in the directory /etc/openldap/ldif/.
# vim /etc/openldap/ldif/cn\=config_DIT_nausch.org.ldif
- /etc/openldap/ldif/cn=config_DIT_nausch.org.ldif
# Django : 2015-07-16
# Creation of the Directory Information Tree for the domain nausch.org
# https://dokuwiki.nausch.org/doku.php/centos:ldap_c7:data?&#dit

## Build the root node : nausch.org
dn: dc=nausch,dc=org
dc: Nausch
objectClass: top
objectClass: dcObject
objectClass: organizationalUnit
ou: nausch Dot org

## Build the ou People, nausch.org
dn: ou=People,dc=nausch,dc=org
objectClass: top
objectClass: organizationalUnit
ou: People

## Build the ou Group, nausch.org
dn: ou=Group,dc=nausch,dc=org
objectClass: top
objectClass: organizationalUnit
ou: Group
To import our DIT we use the following command. The password we are asked for here was set in the chapter Manager password during the installation of our OpenLDAP server on CentOS 7.x.
# ldapadd -W -x -D cn=Manager,dc=nausch,dc=org -f /etc/openldap/ldif/cn\=config_DIT_nausch.org.ldif
Enter LDAP Password:
adding new entry "dc=nausch,dc=org"
adding new entry "ou=People,dc=nausch,dc=org"
adding new entry "ou=Group,dc=nausch,dc=org"
We then check that our DIT was created correctly in the OpenLDAP directory service.
# ldapsearch -W -x -D cn=config -b "dc=nausch,dc=org" "(objectclass=*)" -LLL -H ldaps://openldap.dmz.nausch.org
Enter LDAP Password:
dn: dc=nausch,dc=org
dc: Nausch
objectClass: top
objectClass: dcObject
objectClass: organizationalUnit
ou: nausch Dot org

dn: ou=People,dc=nausch,dc=org
objectClass: top
objectClass: organizationalUnit
ou: People

dn: ou=Group,dc=nausch,dc=org
objectClass: top
objectClass: organizationalUnit
ou: Group
Our successful query is logged accordingly in the log file of the slapd daemon.
# less /var/log/ldap.log
Jul 16 22:05:25 vml000037 slapd[14264]: conn=1008 fd=13 ACCEPT from IP=10.0.0.37:50876 (IP=0.0.0.0:636)
Jul 16 22:05:26 vml000037 slapd[14264]: conn=1008 fd=13 TLS established tls_ssf=128 ssf=128
Jul 16 22:05:26 vml000037 slapd[14264]: conn=1008 op=0 BIND dn="cn=config" method=128
Jul 16 22:05:26 vml000037 slapd[14264]: conn=1008 op=0 BIND dn="cn=config" mech=SIMPLE ssf=0
Jul 16 22:05:26 vml000037 slapd[14264]: conn=1008 op=0 RESULT tag=97 err=0 text=
Jul 16 22:05:26 vml000037 slapd[14264]: conn=1008 op=1 SRCH base="dc=nausch,dc=org" scope=2 deref=0 filter="(objectClass=*)"
Jul 16 22:05:26 vml000037 slapd[14264]: conn=1008 op=1 SEARCH RESULT tag=101 err=0 nentries=3 text=
Jul 16 22:05:26 vml000037 slapd[14264]: conn=1008 op=2 UNBIND
Jul 16 22:05:26 vml000037 slapd[14264]: conn=1008 fd=13 closed
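As an added example that is not part of the original page, the following Python script parses slapd log lines in the format shown above and flags what a defender wants to see in them: simple (password) binds that were not protected by TLS, and failed binds per client. The sample lines are constructed; conn=1008 mirrors the page's query, while conn=1009 with client 10.0.0.99 on port 389 is made up for the example.

```python
"""Flag risky binds in slapd connection logs of the format shown above.

Added example, not from the original page. The sample lines are constructed:
conn=1008 mirrors the page's query, conn=1009 (client 10.0.0.99, port 389)
is made up to show a cleartext and a failed bind.
"""
import re
from collections import defaultdict

SAMPLE_LOG = """\
Jul 16 22:05:25 vml000037 slapd[14264]: conn=1008 fd=13 ACCEPT from IP=10.0.0.37:50876 (IP=0.0.0.0:636)
Jul 16 22:05:26 vml000037 slapd[14264]: conn=1008 fd=13 TLS established tls_ssf=128 ssf=128
Jul 16 22:05:26 vml000037 slapd[14264]: conn=1008 op=0 BIND dn="cn=config" method=128
Jul 16 22:05:26 vml000037 slapd[14264]: conn=1008 op=0 BIND dn="cn=config" mech=SIMPLE ssf=0
Jul 16 22:05:26 vml000037 slapd[14264]: conn=1008 op=0 RESULT tag=97 err=0 text=
Jul 16 22:05:26 vml000037 slapd[14264]: conn=1008 op=1 SRCH base="dc=nausch,dc=org" scope=2 deref=0 filter="(objectClass=*)"
Jul 16 22:05:26 vml000037 slapd[14264]: conn=1008 op=1 SEARCH RESULT tag=101 err=0 nentries=3 text=
Jul 16 22:05:26 vml000037 slapd[14264]: conn=1008 op=2 UNBIND
Jul 16 22:05:26 vml000037 slapd[14264]: conn=1008 fd=13 closed
Jul 16 22:07:01 vml000037 slapd[14264]: conn=1009 fd=14 ACCEPT from IP=10.0.0.99:41022 (IP=0.0.0.0:389)
Jul 16 22:07:01 vml000037 slapd[14264]: conn=1009 op=0 BIND dn="cn=Manager,dc=nausch,dc=org" method=128
Jul 16 22:07:01 vml000037 slapd[14264]: conn=1009 op=0 BIND dn="cn=Manager,dc=nausch,dc=org" mech=SIMPLE ssf=0
Jul 16 22:07:01 vml000037 slapd[14264]: conn=1009 op=0 RESULT tag=97 err=49 text=
Jul 16 22:07:01 vml000037 slapd[14264]: conn=1009 fd=14 closed
"""

# ACCEPT carries IP=client:port (listener port) for TCP, PATH=... for the ldapi socket.
ACCEPT_RE = re.compile(r"conn=(?P<conn>\d+) fd=\d+ ACCEPT from "
                       r"(?:IP=(?P<client>[\d.]+):\d+ \(IP=[\d.]+:(?P<port>\d+)\)"
                       r"|PATH=(?P<path>\S+) \(PATH=\S+\))")
TLS_RE = re.compile(r"conn=(?P<conn>\d+) fd=\d+ TLS established tls_ssf=(?P<tls_ssf>\d+)")
# The second BIND line names the mechanism; SIMPLE means a password was sent.
BIND_RE = re.compile(r'conn=(?P<conn>\d+) op=(?P<op>\d+) BIND dn="(?P<dn>[^"]*)" mech=(?P<mech>\S+)')
# tag=97 is the BindResponse; err=49 is invalidCredentials.
RESULT_RE = re.compile(r"conn=(?P<conn>\d+) op=(?P<op>\d+) RESULT tag=97 err=(?P<err>\d+)")


def parse_slapd_log(text):
    """Group the lines by connection: client, listener port, TLS state and binds.
    Connections whose ACCEPT line is not in the excerpt are ignored."""
    conns = {}
    for line in text.splitlines():
        m = ACCEPT_RE.search(line)
        if m:
            conns[m["conn"]] = {"client": m["client"] or m["path"],
                                "port": int(m["port"]) if m["port"] else None,
                                "local_socket": m["path"] is not None,
                                "tls_ssf": 0, "binds": []}
            continue
        m = TLS_RE.search(line)
        if m and m["conn"] in conns:
            conns[m["conn"]]["tls_ssf"] = int(m["tls_ssf"])
            continue
        m = BIND_RE.search(line)
        if m and m["conn"] in conns:
            c = conns[m["conn"]]
            # TLS state is recorded at bind time: the TLS line precedes the bind.
            c["binds"].append({"op": m["op"], "dn": m["dn"], "mech": m["mech"],
                               "tls_at_bind": c["tls_ssf"] > 0, "err": None})
            continue
        m = RESULT_RE.search(line)
        if m and m["conn"] in conns:
            for b in conns[m["conn"]]["binds"]:
                if b["op"] == m["op"]:
                    b["err"] = int(m["err"])
    return conns


def cleartext_simple_binds(conns):
    """Password binds that had neither TLS nor the local ldapi socket protecting them."""
    hits = []
    for conn_id, c in conns.items():
        if c["local_socket"]:
            continue
        for b in c["binds"]:
            if b["mech"] == "SIMPLE" and not b["tls_at_bind"]:
                hits.append((conn_id, c["client"], b["dn"]))
    return hits


def failed_binds_by_client(conns):
    """Number of binds answered with err=49 (invalidCredentials) per client address."""
    counts = defaultdict(int)
    for c in conns.values():
        for b in c["binds"]:
            if b["err"] == 49:
                counts[c["client"]] += 1
    return dict(counts)


if __name__ == "__main__":
    parsed = parse_slapd_log(SAMPLE_LOG)
    for conn_id, client, dn in cleartext_simple_binds(parsed):
        print(f"conn={conn_id} {client}: simple bind as {dn} without TLS")
    for client, n in failed_binds_by_client(parsed).items():
        print(f"{client}: {n} failed bind(s)")
```

Note that the ssf=0 on the BIND line refers to the SASL layer only; the TLS protection of the connection is the tls_ssf=128 reported earlier on the same conn, which is why the script tracks the TLS state per connection rather than reading it off the bind line.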
User migration with the migrationtools
Only in the rarest of cases do we have an installation without any users; usually there are already users with their accounts on our Linux system. These users are always assigned a user ID (uid) from 1000 upwards, so distinguishing real users from technical accounts is relatively easy. The required data comes from the two files /etc/group and /etc/passwd.
Installation
To ease the transfer of the user data we use the helper programs from the RPM package migrationtools in the Base repository, which we install first.
# yum install migrationtools -y
A look at the package itself shows which helpers this RPM package brings along.
# rpm -qil migrationtools
Name        : migrationtools
Version     : 47
Release     : 15.el7
Architecture: noarch
Install Date: Thu 16 Jul 2015 10:21:55 PM CEST
Group       : System Environment/Daemons
Size        : 108216
License     : BSD
Signature   : RSA/SHA256, Fri 04 Jul 2014 05:47:45 AM CEST, Key ID 24c6a8a7f4a80eb5
Source RPM  : migrationtools-47-15.el7.src.rpm
Build Date  : Tue 10 Jun 2014 05:32:33 AM CEST
Build Host  : worker1.bsys.centos.org
Relocations : (not relocatable)
Packager    : CentOS BuildSystem <http://bugs.centos.org>
Vendor      : CentOS
URL         : http://www.padl.com/OSS/MigrationTools.html
Summary     : Migration scripts for LDAP
Description :
The MigrationTools are a set of Perl scripts for migrating users, groups,
aliases, hosts, netgroups, networks, protocols, RPCs, and services from
existing nameservices (flat files, NIS, and NetInfo) to LDAP.
/usr/share/doc/migrationtools-47
/usr/share/doc/migrationtools-47/README
/usr/share/doc/migrationtools-47/migration-tools.txt
/usr/share/migrationtools
/usr/share/migrationtools/migrate_aliases.pl
/usr/share/migrationtools/migrate_all_netinfo_offline.sh
/usr/share/migrationtools/migrate_all_netinfo_online.sh
/usr/share/migrationtools/migrate_all_nis_offline.sh
/usr/share/migrationtools/migrate_all_nis_online.sh
/usr/share/migrationtools/migrate_all_nisplus_offline.sh
/usr/share/migrationtools/migrate_all_nisplus_online.sh
/usr/share/migrationtools/migrate_all_offline.sh
/usr/share/migrationtools/migrate_all_online.sh
/usr/share/migrationtools/migrate_automount.pl
/usr/share/migrationtools/migrate_base.pl
/usr/share/migrationtools/migrate_common.ph
/usr/share/migrationtools/migrate_fstab.pl
/usr/share/migrationtools/migrate_group.pl
/usr/share/migrationtools/migrate_hosts.pl
/usr/share/migrationtools/migrate_netgroup.pl
/usr/share/migrationtools/migrate_netgroup_byhost.pl
/usr/share/migrationtools/migrate_netgroup_byuser.pl
/usr/share/migrationtools/migrate_networks.pl
/usr/share/migrationtools/migrate_passwd.pl
/usr/share/migrationtools/migrate_profile.pl
/usr/share/migrationtools/migrate_protocols.pl
/usr/share/migrationtools/migrate_rpc.pl
/usr/share/migrationtools/migrate_services.pl
/usr/share/migrationtools/migrate_slapd_conf.pl
Configuration
Before migrating our data we still need to adapt the supplied helper file migrate_common.ph to our production environment. We set the following two parameters to the values of our organisation:
- $DEFAULT_MAIL_DOMAIN = "nausch.org";
- $DEFAULT_BASE = "dc=nausch,dc=org";
# vim /usr/share/migrationtools/migrate_common.ph
- vim /usr/share/migrationtools/migrate_common.ph
#
# $Id: migrate_common.ph,v 1.22 2003/04/15 03:09:33 lukeh Exp $
#
# Copyright (c) 1997-2003 Luke Howard.
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
# 1. Redistributions of source code must retain the above copyright
#    notice, this list of conditions and the following disclaimer.
# 2. Redistributions in binary form must reproduce the above copyright
#    notice, this list of conditions and the following disclaimer in the
#    documentation and/or other materials provided with the distribution.
# 3. All advertising materials mentioning features or use of this software
#    must display the following acknowledgement:
#        This product includes software developed by Luke Howard.
# 4. The name of the other may not be used to endorse or promote products
#    derived from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE LUKE HOWARD ``AS IS'' AND
# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED.  IN NO EVENT SHALL LUKE HOWARD BE LIABLE
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
# SUCH DAMAGE.
#
#
# Common defines for MigrationTools
#

# Naming contexts. Key is $PROGRAM with migrate_ and .pl
# stripped off.

$NETINFOBRIDGE = (-x "/usr/sbin/mkslapdconf");

if ($NETINFOBRIDGE) {
	$NAMINGCONTEXT{'aliases'}           = "cn=aliases";
	$NAMINGCONTEXT{'fstab'}             = "cn=mounts";
	$NAMINGCONTEXT{'passwd'}            = "cn=users";
	$NAMINGCONTEXT{'netgroup_byuser'}   = "cn=netgroup.byuser";
	$NAMINGCONTEXT{'netgroup_byhost'}   = "cn=netgroup.byhost";
	$NAMINGCONTEXT{'group'}             = "cn=groups";
	$NAMINGCONTEXT{'netgroup'}          = "cn=netgroup";
	$NAMINGCONTEXT{'hosts'}             = "cn=machines";
	$NAMINGCONTEXT{'networks'}          = "cn=networks";
	$NAMINGCONTEXT{'protocols'}         = "cn=protocols";
	$NAMINGCONTEXT{'rpc'}               = "cn=rpcs";
	$NAMINGCONTEXT{'services'}          = "cn=services";
} else {
	$NAMINGCONTEXT{'aliases'}           = "ou=Aliases";
	$NAMINGCONTEXT{'fstab'}             = "ou=Mounts";
	$NAMINGCONTEXT{'passwd'}            = "ou=People";
	$NAMINGCONTEXT{'netgroup_byuser'}   = "nisMapName=netgroup.byuser";
	$NAMINGCONTEXT{'netgroup_byhost'}   = "nisMapName=netgroup.byhost";
	$NAMINGCONTEXT{'group'}             = "ou=Group";
	$NAMINGCONTEXT{'netgroup'}          = "ou=Netgroup";
	$NAMINGCONTEXT{'hosts'}             = "ou=Hosts";
	$NAMINGCONTEXT{'networks'}          = "ou=Networks";
	$NAMINGCONTEXT{'protocols'}         = "ou=Protocols";
	$NAMINGCONTEXT{'rpc'}               = "ou=Rpc";
	$NAMINGCONTEXT{'services'}          = "ou=Services";
}

# Default DNS domain
# Django : 2015-07-16
# default: $DEFAULT_MAIL_DOMAIN = "padl.com";
$DEFAULT_MAIL_DOMAIN = "nausch.org";

# Default base
# Django : 2015-07-16
# default: $DEFAULT_BASE = "dc=padl,dc=com";
$DEFAULT_BASE = "dc=nausch,dc=org";

# Turn this on for inetLocalMailReceipient
# sendmail support; add the following to
# sendmail.mc (thanks to Petr@Kristof.CZ):
##### CUT HERE #####
#define(`confLDAP_DEFAULT_SPEC',`-h "ldap.padl.com"')dnl
#LDAPROUTE_DOMAIN_FILE(`/etc/mail/ldapdomains')dnl
#FEATURE(ldap_routing)dnl
##### CUT HERE #####
# where /etc/mail/ldapdomains contains names of ldap_routed
# domains (similiar to MASQUERADE_DOMAIN_FILE).
# $DEFAULT_MAIL_HOST = "mail.padl.com";

# turn this on to support more general object clases
# such as person.
$EXTENDED_SCHEMA = 0;

#
# allow environment variables to override predefines
#
if (defined($ENV{'LDAP_BASEDN'})) {
	$DEFAULT_BASE = $ENV{'LDAP_BASEDN'};
}

if (defined($ENV{'LDAP_DEFAULT_MAIL_DOMAIN'})) {
	$DEFAULT_MAIL_DOMAIN = $ENV{'LDAP_DEFAULT_MAIL_DOMAIN'};
}

if (defined($ENV{'LDAP_DEFAULT_MAIL_HOST'})) {
	$DEFAULT_MAIL_HOST = $ENV{'LDAP_DEFAULT_MAIL_HOST'};
}

# binddn used for alias owner (otherwise uid=root,...)
if (defined($ENV{'LDAP_BINDDN'})) {
	$DEFAULT_OWNER = $ENV{'LDAP_BINDDN'};
}

if (defined($ENV{'LDAP_EXTENDED_SCHEMA'})) {
	$EXTENDED_SCHEMA = $ENV{'LDAP_EXTENDED_SCHEMA'};
}

# If we haven't set the default base, guess it automagically.
if (!defined($DEFAULT_BASE)) {
	$DEFAULT_BASE = &domain_expand($DEFAULT_MAIL_DOMAIN);
	$DEFAULT_BASE =~ s/,$//o;
}

# Default Kerberos realm
#if ($EXTENDED_SCHEMA) {
#	$DEFAULT_REALM = $DEFAULT_MAIL_DOMAIN;
#	$DEFAULT_REALM =~ tr/a-z/A-Z/;
#}

if (-x "/usr/sbin/revnetgroup") {
	$REVNETGROUP = "/usr/sbin/revnetgroup";
} elsif (-x "/usr/lib/yp/revnetgroup") {
	$REVNETGROUP = "/usr/lib/yp/revnetgroup";
}

$classmap{'o'} = 'organization';
$classmap{'dc'} = 'domain';
$classmap{'l'} = 'locality';
$classmap{'ou'} = 'organizationalUnit';
$classmap{'c'} = 'country';
$classmap{'nismapname'} = 'nisMap';
$classmap{'cn'} = 'container';

sub parse_args
{
	if ($#ARGV < 0) {
		print STDERR "Usage: $PROGRAM infile [outfile]\n";
		exit 1;
	}

	$INFILE = $ARGV[0];
	if ($#ARGV > 0) {
		$OUTFILE = $ARGV[1];
	}
}

sub open_files
{
	open(INFILE);
	if ($OUTFILE) {
		open(OUTFILE,">$OUTFILE");
		$use_stdout = 0;
	} else {
		$use_stdout = 1;
	}
}

# moved from migrate_hosts.pl
# lukeh 10/30/97
sub domain_expand
{
	local($first) = 1;
	local($dn);
	local(@namecomponents) = split(/\./, $_[0]);

	foreach $_ (@namecomponents) {
		$first = 0;
		$dn .= "dc=$_,";
	}
	$dn .= $DEFAULT_BASE;
	return $dn;
}

# case insensitive unique
sub uniq
{
	local($name) = shift(@_);
	local(@vec) = sort {uc($a) cmp uc($b)} @_;
	local(@ret);
	local($next, $last);

	foreach $next (@vec) {
		if ((uc($next) ne uc($last)) &&
			(uc($next) ne uc($name))) {
			push (@ret, $next);
		}
		$last = $next;
	}

	return @ret;
}

# concatenate naming context and
# organizational base
sub getsuffix
{
	local($program) = shift(@_);
	local($nc);

	$program =~ s/^migrate_(.*)\.pl$/$1/;
	$nc = $NAMINGCONTEXT{$program};

	if ($nc eq "") {
		return $DEFAULT_BASE;
	} else {
		return $nc . ',' . $DEFAULT_BASE;
	}
}

sub ldif_entry
{
	# remove leading, trailing whitespace
	local ($HANDLE, $lhs, $rhs) = @_;
	local ($type, $val) = split(/\=/, $lhs);
	local ($dn);

	if ($rhs ne "") {
		$dn = $lhs . ',' . $rhs;
	} else {
		$dn = $lhs;
	}

	$type =~ s/\s*$//o;
	$type =~ s/^\s*//o;
	$type =~ tr/A-Z/a-z/;

	$val =~ s/\s*$//o;
	$val =~ s/^\s*//o;

	print $HANDLE "dn: $dn\n";
	print $HANDLE "$type: $val\n";
	print $HANDLE "objectClass: top\n";
	print $HANDLE "objectClass: $classmap{$type}\n";
	if ($EXTENDED_SCHEMA) {
		if ($DEFAULT_MAIL_DOMAIN) {
			print $HANDLE "objectClass: domainRelatedObject\n";
			print $HANDLE "associatedDomain: $DEFAULT_MAIL_DOMAIN\n";
		}
	}
	print $HANDLE "\n";
}

# Added Thu Jun 20 16:40:28 CDT 2002 by Bob Apthorpe
# <apthorpe@cynistar.net> to solve problems with embedded plusses in
# protocols and mail aliases.
sub escape_metacharacters
{
	local($name) = @_;

	# From Table 3.1 "Characters Requiring Quoting When Contained
	# in Distinguished Names", p87 "Understanding and Deploying LDAP
	# Directory Services", Howes, Smith, & Good.

	# 1) Quote backslash
	# Note: none of these are very elegant or robust and may cause
	# more trouble than they're worth. That's why they're disabled.

	# 1.a) naive (escape all backslashes)
	# $name =~ s#\\#\\\\#og;
	#
	# 1.b) mostly naive (escape all backslashes not followed by
	# a backslash)
	# $name =~ s#\\(?!\\)#\\\\#og;
	#
	# 1.c) less naive and utterly gruesome (replace solitary
	# backslashes)
	# $name =~ s{         # Replace
	#   (?<!\\)         # negative lookbehind (no preceding backslash)
	#   \\              # a single backslash
	#   (?!\\)          # negative lookahead (no following backslash)
	# }
	# {                   # With
	#   \\\\              # a pair of backslashes
	# }gx;
	# Ugh. Note that s#(?:[^\\])\\(?:[^\\])#////#g fails if $name
	# starts or ends with a backslash. This expression won't work
	# under perl4 because the /x flag and negative lookahead and
	# lookbehind operations aren't supported. Sorry. Also note that
	# s#(?:[^\\]*)\\(?:[^\\]*)#////#g won't work either. Of course,
	# this is all broken if $name is already escaped before we get
	# to it. Best to throw a warning and make the user import these
	# records by hand.

	# 2) Quote leading and trailing spaces
	local($leader, $body, $trailer) = ();
	if (($leader, $body, $trailer) = ($name =~ m#^( *)(.*\S)( *)$#o)) {
		$leader =~ s# #\\ #og;
		$trailer =~ s# #\\ #og;
		$name = $leader . $body . $trailer;
	}

	# 3) Quote leading octothorpe (#)
	$name =~ s/^#/\\#/o;

	# 4) Quote comma, plus, double-quote, less-than, greater-than,
	# and semicolon
	$name =~ s#([,+"<>;])#\\$1#g;

	return $name;
}

1;
Data selection
Since we do not want to transfer all users into the DIT but only the real ones, we extract all users from /etc/group and /etc/passwd whose UID is greater than or equal to 1000 and store them in two separate files.
# grep ":1[0-9][0-9][0-9]" /etc/group > /etc/openldap/ldif/group
This creates the following file.
# cat /etc/openldap/ldif/group
django:x:1000:django
michael:x:1001:michael
inge:x:1002:inge
rebekka:x:1003:rebekka
jakob:x:1004:jakob
ruben:x:1005:ruben
leah:x:1006:leah
markus:x:1007:markus
gertraud:x:1008:gertraud
johann:x:1009:johann
# grep ":1[0-9][0-9][0-9]" /etc/passwd > /etc/openldap/ldif/passwd
This creates the following file.
# cat /etc/openldap/ldif/passwd
django:x:1000:1000:django:/home/django:/bin/bash
michael:x:1001:1001:michael:/home/michael:/bin/bash
inge:x:1002:1002:inge:/home/inge:/bin/bash
rebekka:x:1003:1003:rebekka:/home/rebekka:/bin/bash
jakob:x:1004:1004:jakob:/home/jakob:/bin/bash
ruben:x:1005:1005:ruben:/home/ruben:/bin/bash
leah:x:1006:1006:leah:/home/leah:/bin/bash
markus:x:1007:1007:markus:/home/markus:/bin/bash
gertraud:x:1008:1008:gertraud:/home/gertraud:/bin/bash
johann:x:1009:1009:johann:/home/johann:/bin/bash
Data migration
Now it is time to convert our user data from the temporary files created above into corresponding .ldif files. For this we use the helper programs from the previously installed RPM package migrationtools:
- migrate_passwd.pl
- migrate_group.pl
So we now create the two .ldif files.
# /usr/share/migrationtools/migrate_group.pl /etc/openldap/ldif/group > cn\=config_GroupDN.ldif
# /usr/share/migrationtools/migrate_passwd.pl /etc/openldap/ldif/passwd > cn\=config_PeopleDN.ldif
From the file /etc/openldap/ldif/group with the content
django:x:1000:django
michael:x:1001:michael
inge:x:1002:inge
rebekka:x:1003:rebekka
jakob:x:1004:jakob
ruben:x:1005:ruben
leah:x:1006:leah
markus:x:1007:markus
gertraud:x:1008:gertraud
johann:x:1009:johann
the file /etc/openldap/ldif/cn\=config_GroupDN.ldif was generated with the following content.
dn: cn=django,ou=Group,dc=nausch,dc=org
objectClass: posixGroup
objectClass: top
cn: django
userPassword: {crypt}x
gidNumber: 1000
memberUid: 1000

dn: cn=michael,ou=Group,dc=nausch,dc=org
objectClass: posixGroup
objectClass: top
cn: michael
userPassword: {crypt}x
gidNumber: 1001
memberUid: 1001

dn: cn=inge,ou=Group,dc=nausch,dc=org
objectClass: posixGroup
objectClass: top
cn: inge
userPassword: {crypt}x
gidNumber: 1002
memberUid: 1002

dn: cn=rebekka,ou=Group,dc=nausch,dc=org
objectClass: posixGroup
objectClass: top
cn: rebekka
userPassword: {crypt}x
gidNumber: 1003
memberUid: 1003

dn: cn=jakob,ou=Group,dc=nausch,dc=org
objectClass: posixGroup
objectClass: top
cn: jakob
userPassword: {crypt}x
gidNumber: 1004
memberUid: 1004

dn: cn=ruben,ou=Group,dc=nausch,dc=org
objectClass: posixGroup
objectClass: top
cn: ruben
userPassword: {crypt}x
gidNumber: 1005
memberUid: 1005

dn: cn=leah,ou=Group,dc=nausch,dc=org
objectClass: posixGroup
objectClass: top
cn: leah
userPassword: {crypt}x
gidNumber: 1006
memberUid: 1006

dn: cn=markus,ou=Group,dc=nausch,dc=org
objectClass: posixGroup
objectClass: top
cn: markus
userPassword: {crypt}x
gidNumber: 1007
memberUid: 1007

dn: cn=gertraud,ou=Group,dc=nausch,dc=org
objectClass: posixGroup
objectClass: top
cn: gertraud
userPassword: {crypt}x
gidNumber: 1008
memberUid: 1008

dn: cn=johann,ou=Group,dc=nausch,dc=org
objectClass: posixGroup
objectClass: top
cn: johann
userPassword: {crypt}x
gidNumber: 1009
memberUid: 1009
From the file /etc/openldap/ldif/passwd with the content
django:x:1000:1000:django:/home/django:/bin/bash
michael:x:1001:1001:michael:/home/michael:/bin/bash
inge:x:1002:1002:inge:/home/inge:/bin/bash
rebekka:x:1003:1003:rebekka:/home/rebekka:/bin/bash
jakob:x:1004:1004:jakob:/home/jakob:/bin/bash
ruben:x:1005:1005:ruben:/home/ruben:/bin/bash
leah:x:1006:1006:leah:/home/leah:/bin/bash
markus:x:1007:1007:markus:/home/markus:/bin/bash
gertraud:x:1008:1008:gertraud:/home/gertraud:/bin/bash
johann:x:1009:1009:johann:/home/johann:/bin/bash
the file /etc/openldap/ldif/cn\=config_PeopleDN.ldif was generated with the following content.
dn: uid=django,ou=People,dc=nausch,dc=org
uid: django
cn: django
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {crypt}$6$34os/lDDY2cAEfyW$fqe3PP3Qo5FDAtC724a7plCieqgeYCWONkaKgYnQKm5iDx/3WtCq8Tv0VA2MLkYAhW9/IySlhFIJZIU0UyiOv/
shadowLastChange: 16617
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 1000
gidNumber: 1000
homeDirectory: /home/django
gecos: django

dn: uid=michael,ou=People,dc=nausch,dc=org
uid: michael
cn: michael
objectClass: account
objectClass: posixAccount
objectClass: top
userPassword: {crypt}$6$34os/lDDY2cAEfyW$fqe3PP3Qo5FDAtC724a7plCieqgeYCWONkaKgYnQKm5iDx/3WtCq8Tv0VA2MLkYAhW9
loginShell: /bin/bash
uidNumber: 1001
gidNumber: 1001
homeDirectory: /home/michael
gecos: michael

dn: uid=inge,ou=People,dc=nausch,dc=org
uid: inge
cn: inge
objectClass: account
objectClass: posixAccount
objectClass: top
userPassword: {crypt}$6$34os/lDf98723jyX$fqe24a7plCDY2cAEfyW5FDAtwdfC$f3PP3gYnosHSenpncs5FDAtC724a7Tv0VA2MLk
loginShell: /bin/bash
uidNumber: 1002
gidNumber: 1002
homeDirectory: /home/inge
gecos: inge

dn: uid=rebekka,ou=People,dc=nausch,dc=org
uid: rebekka
cn: rebekka
objectClass: account
objectClass: posixAccount
objectClass: top
userPassword: {crypt}$6$34os/lDDY2cAEfy$Afqe3PP3Qo5FDAtC7o5FDAtC724a7po5FDAtC7lCieo5FDAtC7qgeYCWONkaKgYnQKm5
loginShell: /bin/bash
uidNumber: 1003
gidNumber: 1003
homeDirectory: /home/rebekka
gecos: rebekka

dn: uid=jakob,ou=People,dc=nausch,dc=org
uid: jakob
cn: jakob
objectClass: account
objectClass: posixAccount
objectClass: top
userPassword: {crypt}$6$34os/lCDY5cmEffqe3PP3QfyW$fqe2cAEfy$Afqe3PP3Q4a7plCDtC724a7Y2cAEfyW5FDAtCtC724a7$f3P
loginShell: /bin/bash
uidNumber: 1004
gidNumber: 1004
homeDirectory: /home/jakob
gecos: jakob

dn: uid=ruben,ou=People,dc=nausch,dc=org
uid: ruben
cn: ruben
objectClass: account
objectClass: posixAccount
objectClass: top
userPassword: {crypt}$6$34os/o5FDAtC724a7plCieqlDDY2cAEfyW$plCieqlfqe3PP3Qo5FDAtYCWOC72C724a7pYnQKm5ilCieqge
loginShell: /bin/bash
uidNumber: 1005
gidNumber: 1005
homeDirectory: /home/ruben
gecos: ruben

dn: uid=leah,ou=People,dc=nausch,dc=org
uid: leah
cn: leah
objectClass: account
objectClass: posixAccount
objectClass: top
userPassword: {crypt}$6$34os/e3PP3Qo5FDAtC724a7plfy$Afqe3PCieqgeYCWOC724a7po5FDAtNkaKgYnQKm5iDx/3WtCMLkYAhW9
loginShell: /bin/bash
uidNumber: 1006
gidNumber: 1006
homeDirectory: /home/leah
gecos: leah

dn: uid=markus,ou=People,dc=nausch,dc=org
uid: markus
cn: markus
objectClass: account
objectClass: posixAccount
objectClass: top
userPassword: {crypt}$6$34os/AEfy$AfqelDfyW$fqe24a7plCDY2cApllDDEfyW5FDAtC$lCieqgeEfyWw140867f3PP3gYno5FDA3P
loginShell: /bin/bash
uidNumber: 1007
gidNumber: 1007
homeDirectory: /home/markus
gecos: markus

dn: uid=gertraud,ou=People,dc=nausch,dc=org
uid: gertraud
cn: gertraud
objectClass: account
objectClass: posixAccount
objectClass: top
userPassword: {crypt}$6$34os/3PP3Qo5FDAtC724a7pllDDY2cAEfyW$fqe3PP3Qo5FDAta7pllDDYC724a7plCieqgeEfyWw140867d
loginShell: /bin/bash
uidNumber: 1008
gidNumber: 1008
homeDirectory: /home/gertraud
gecos: gertraud

dn: uid=johann,ou=People,dc=nausch,dc=org
uid: johann
cn: johann
objectClass: account
objectClass: posixAccount
objectClass: top
userPassword: {crypt}$6$34os/a7plCDY2cAEfyW5FlDfyW$fqe24fyW5Fa7plCDY2cAEfyW5FDAtC$f3fyW5FPP3gYno5FDAtC724a7p
loginShell: /bin/bash
uidNumber: 1009
gidNumber: 1009
homeDirectory: /home/johann
gecos: johann
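An added example (not from the page and not migrationtools' own code) that does the selection and the conversion in one step: it picks accounts by their parsed UID rather than by the grep pattern ":1[0-9][0-9][0-9]", which also matches that pattern in the GID field and misses UIDs from 2000 up, and emits entries in the layout shown above for the suffix dc=nausch,dc=org. The passwd, group and shadow data are constructed.

```python
# Added example, not migrationtools' own code: select accounts by their parsed UID
# instead of grepping ":1[0-9][0-9][0-9]", then emit LDIF in the layout shown above.
BASE_DN = "dc=nausch,dc=org"   # suffix used on this page
MIN_UID = 1000                 # first regular user on CentOS 7
# Constructed sample input (not a real system); the shadow hashes are placeholders.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
backup:x:999:1001:backup job:/var/backups:/sbin/nologin
django:x:1000:1000:django:/home/django:/bin/bash
michael:x:1001:1001:michael:/home/michael:/bin/bash
"""
GROUP = """\
wheel:x:10:django
django:x:1000:django
michael:x:1001:michael
"""
SHADOW = {"django": "$6$CONSTRUCTED$hash1", "michael": "$6$CONSTRUCTED$hash2"}
def select_users(passwd_text, min_uid=MIN_UID):
    """Accounts with uidNumber >= min_uid, parsed field by field (the grep above
    would also keep the 'backup' line because its GID field contains ':1001')."""
    users = []
    for line in passwd_text.splitlines():
        name, pw, uid, gid, gecos, home, shell = line.split(":")
        if int(uid) >= min_uid:
            users.append(dict(name=name, pw=pw, uid=int(uid), gid=int(gid), gecos=gecos, home=home, shell=shell))
    return users

def select_groups(group_text, min_gid=MIN_UID):
    """Groups with gidNumber >= min_gid and their member login names."""
    groups = []
    for line in group_text.splitlines():
        name, pw, gid, members = line.split(":")
        if int(gid) >= min_gid:
            groups.append(dict(name=name, pw=pw, gid=int(gid), members=[m for m in members.split(",") if m]))
    return groups

def user_ldif(u, shadow=SHADOW):
    """posixAccount entry under ou=People. The {crypt} hash comes from shadow, so
    the generated file must stay root-only, like /etc/shadow itself."""
    pw = shadow.get(u["name"], u["pw"])
    attrs = [("dn", f"uid={u['name']},ou=People,{BASE_DN}"), ("uid", u["name"]), ("cn", u["name"]),
             ("objectClass", "account"), ("objectClass", "posixAccount"), ("objectClass", "top"),
             ("userPassword", "{crypt}" + pw), ("loginShell", u["shell"]), ("uidNumber", u["uid"]),
             ("gidNumber", u["gid"]), ("homeDirectory", u["home"]), ("gecos", u["gecos"])]
    return "".join(f"{k}: {v}\n" for k, v in attrs)
def group_ldif(g):
    """posixGroup entry under ou=Group; memberUid holds member login names (RFC 2307)."""
    attrs = [("dn", f"cn={g['name']},ou=Group,{BASE_DN}"), ("objectClass", "posixGroup"),
             ("objectClass", "top"), ("cn", g["name"]), ("userPassword", "{crypt}" + g["pw"]),
             ("gidNumber", g["gid"])] + [("memberUid", m) for m in g["members"]]
    return "".join(f"{k}: {v}\n" for k, v in attrs)
```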
Importing the data into the DIT
Now that we have migrated the user data from the system, we import the LDIF files just generated into the DIT with the ldapadd command.
First we import the Group DN.
# ldapadd -W -x -D cn=Manager,dc=nausch,dc=org -f /etc/openldap/ldif/cn\=config_GroupDN.ldif
Enter LDAP Password:
adding new entry "cn=django,ou=Group,dc=nausch,dc=org"
adding new entry "cn=michael,ou=Group,dc=nausch,dc=org"
adding new entry "cn=inge,ou=Group,dc=nausch,dc=org"
adding new entry "cn=rebekka,ou=Group,dc=nausch,dc=org"
adding new entry "cn=jakob,ou=Group,dc=nausch,dc=org"
adding new entry "cn=ruben,ou=Group,dc=nausch,dc=org"
adding new entry "cn=leah,ou=Group,dc=nausch,dc=org"
adding new entry "cn=markus,ou=Group,dc=nausch,dc=org"
adding new entry "cn=gertraud,ou=Group,dc=nausch,dc=org"
adding new entry "cn=johann,ou=Group,dc=nausch,dc=org"
Then we import the People DN.
# ldapadd -W -x -D cn=Manager,dc=nausch,dc=org -f /etc/openldap/ldif/cn\=config_PeopleDN.ldif
Enter LDAP Password:
adding new entry "uid=django,ou=People,dc=nausch,dc=org"
adding new entry "uid=michael,ou=People,dc=nausch,dc=org"
adding new entry "uid=inge,ou=People,dc=nausch,dc=org"
adding new entry "uid=rebekka,ou=People,dc=nausch,dc=org"
adding new entry "uid=jakob,ou=People,dc=nausch,dc=org"
adding new entry "uid=ruben,ou=People,dc=nausch,dc=org"
adding new entry "uid=leah,ou=People,dc=nausch,dc=org"
adding new entry "uid=markus,ou=People,dc=nausch,dc=org"
adding new entry "uid=gertraud,ou=People,dc=nausch,dc=org"
adding new entry "uid=johann,ou=People,dc=nausch,dc=org"
Final test
For the final test of whether the data migration from the file-based sources into the DIT of our OpenLDAP server worked, we query our LDAP server for the data of the user django.
# ldapsearch -W -x -D cn=config -b "uid=django,ou=People,dc=nausch,dc=org" -LLL -H ldaps://openldap.dmz.nausch.org
Enter LDAP Password:
dn: uid=django,ou=People,dc=nausch,dc=org
uid: django
cn: django
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword:: e2NyeXB1lu0fSQ2JDM0b3MvbERE8zVWTJjQUVmeVckZnFlM1BQM1FXRDNzI0YTd
wbEuUUttNpZXFnZVlDV09Oa2FLZ1luUUttNWlEeC8zV3RDcThUdjBWQTJNTGtZM0b3QWhXOS9e2pJ
VTWlEeC8di8=
shadowLastChange: 16617
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 1000
gidNumber: 1000
homeDirectory: /home/django
gecos: django
Our successful query produces a corresponding entry in the log file of the slapd daemon.
# less /var/log/ldap.log
Jul 16 23:26:21 vml000037 slapd[14264]: conn=1020 fd=13 ACCEPT from IP=10.0.0.37:52275 (IP=0.0.0.0:636)
Jul 16 23:26:21 vml000037 slapd[14264]: conn=1020 fd=13 TLS established tls_ssf=128 ssf=128
Jul 16 23:26:21 vml000037 slapd[14264]: conn=1020 op=0 BIND dn="cn=config" method=128
Jul 16 23:26:21 vml000037 slapd[14264]: conn=1020 op=0 BIND dn="cn=config" mech=SIMPLE ssf=0
Jul 16 23:26:21 vml000037 slapd[14264]: conn=1020 op=0 RESULT tag=97 err=0 text=
Jul 16 23:26:21 vml000037 slapd[14264]: conn=1020 op=1 SRCH base="uid=django,ou=People,dc=nausch,dc=org" scope=2 deref=0 filter="(objectClass=*)"
Jul 16 23:26:21 vml000037 slapd[14264]: conn=1020 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jul 16 23:26:21 vml000037 slapd[14264]: conn=1020 op=2 UNBIND
Jul 16 23:26:21 vml000037 slapd[14264]: conn=1020 fd=13 closed
Last of all, we query our LDAP server for the data of the group django.
# ldapsearch -x -b "cn=django,ou=Group,dc=nausch,dc=org" "(objectclass=*)"
# extended LDIF
#
# LDAPv3
# base <cn=django,ou=Group,dc=nausch,dc=org> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# django, Group, nausch.org
dn: cn=django,ou=Group,dc=nausch,dc=org
objectClass: posixGroup
objectClass: top
cn: django
userPassword:: e2NyeXB0fXg=
gidNumber: 1000
memberUid: 1000

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
Of course this query was also recorded in the LDAP log.
# less /var/log/ldap.log
Jul 16 23:40:26 vml000037 slapd[14264]: conn=1038 fd=13 ACCEPT from IP=[::1]:44084 (IP=[::]:389)
Jul 16 23:40:26 vml000037 slapd[14264]: conn=1038 op=0 BIND dn="" method=128
Jul 16 23:40:26 vml000037 slapd[14264]: conn=1038 op=0 RESULT tag=97 err=0 text=
Jul 16 23:40:26 vml000037 slapd[14264]: conn=1038 op=1 SRCH base="cn=django,ou=Group,dc=nausch,dc=org" scope=2 deref=0 filter="(objectClass=*)"
Jul 16 23:40:26 vml000037 slapd[14264]: conn=1038 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jul 16 23:40:26 vml000037 slapd[14264]: conn=1038 op=2 UNBIND
Jul 16 23:40:26 vml000037 slapd[14264]: conn=1038 fd=13 closed
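An added example, not part of the original page, that turns slapd log lines like the ones above into per-connection findings: the anonymous bind on conn=1038 was able to read the group entry including its userPassword value, and a simple bind on a connection without a preceding "TLS established" line sends the password in the clear. The log lines are trimmed from the two connections shown above plus one constructed connection (conn=1050) for the cleartext case.

```python
import re
from collections import defaultdict

# Constructed sample: trimmed lines from the two connections the page shows
# (conn=1020 over ldaps, conn=1038 anonymous) plus an invented conn=1050 that
# sends a password over plain LDAP without a TLS handshake.
SLAPD_LOG = """\
Jul 16 23:26:21 vml000037 slapd[14264]: conn=1020 fd=13 TLS established tls_ssf=128 ssf=128
Jul 16 23:26:21 vml000037 slapd[14264]: conn=1020 op=0 BIND dn="cn=config" method=128
Jul 16 23:26:21 vml000037 slapd[14264]: conn=1020 op=1 SRCH base="uid=django,ou=People,dc=nausch,dc=org" scope=2 deref=0 filter="(objectClass=*)"
Jul 16 23:40:26 vml000037 slapd[14264]: conn=1038 op=0 BIND dn="" method=128
Jul 16 23:40:26 vml000037 slapd[14264]: conn=1038 op=1 SRCH base="cn=django,ou=Group,dc=nausch,dc=org" scope=2 deref=0 filter="(objectClass=*)"
Jul 16 23:45:02 vml000037 slapd[14264]: conn=1050 op=0 BIND dn="uid=django,ou=People,dc=nausch,dc=org" method=128
Jul 16 23:45:02 vml000037 slapd[14264]: conn=1050 op=1 SRCH base="ou=People,dc=nausch,dc=org" scope=2 deref=0 filter="(uid=*)"
"""

CONN = re.compile(r"slapd\[\d+\]: conn=(\d+) (.*)$")
BIND = re.compile(r'op=\d+ BIND dn="([^"]*)" method=(\d+)')  # method=128 is a simple bind
SRCH = re.compile(r'op=\d+ SRCH base="([^"]*)"')

def summarize(log_text):
    """Group the log by connection: TLS flag, (dn, method) binds, search bases."""
    conns = defaultdict(lambda: {"tls": False, "binds": [], "searches": []})
    for line in log_text.splitlines():
        m = CONN.search(line)
        if not m:
            continue
        c, rest = conns[m.group(1)], m.group(2)
        if "TLS established" in rest:
            c["tls"] = True
        elif (b := BIND.match(rest)):
            c["binds"].append((b.group(1), int(b.group(2))))
        elif (s := SRCH.match(rest)):
            c["searches"].append(s.group(1))
    return conns

def findings(conns):
    """(conn, problem, search bases) for anonymous binds and for simple binds
    that carried a password over a connection that never established TLS."""
    out = []
    for conn, c in sorted(conns.items(), key=lambda kv: int(kv[0])):
        for dn, method in c["binds"]:
            if dn == "":
                out.append((conn, "anonymous bind", c["searches"]))
            elif method == 128 and not c["tls"]:
                out.append((conn, f"cleartext simple bind as {dn}", c["searches"]))
    return out
```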
DIT indexes
Querying the indexes
If we later want to adjust individual index fields in the DIT, we naturally need to know how the current fields are indexed. So we display the existing indexing of the fields.
For this we use the following command.
# ldapsearch -W -x -D cn=config -b olcDatabase={2}hdb,cn=config
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <olcDatabase={2}hdb,cn=config> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# {2}hdb, config
dn: olcDatabase={2}hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {2}hdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=nausch,dc=org
olcRootDN: cn=Manager,dc=nausch,dc=org
olcRootPW: {SSHA}lfeku/uaD4x1i$7n3931Le54U111
olcDbIndex: objectClass eq,pres
olcDbIndex: ou,cn,mail,surname,givenname eq,pres,sub

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
An index already exists for the fields objectClass and ou,cn,mail,surname,givenname. The following two lines are from the output above:
- olcDbIndex: objectClass eq,pres
- olcDbIndex: ou,cn,mail,surname,givenname eq,pres,sub
This corresponds to the following table.
Field | eq (equality) | pres (presence) | sub (substring)
---|---|---|---
objectClass | x | x |
ou | x | x | x
cn | x | x | x
mail | x | x | x
surname | x | x | x
givenname | x | x | x
If a field in the OpenLDAP directory tree is accessed for which no index has been defined, the following notice appears in the LDAP log /var/log/ldap.log.
Jul 17 12:32:53 vml000037 slapd[14264]: <= bdb_equality_candidates: (uid) not indexed
Setting the indexes (LDIF)
We now want to create indexes for the fields in the following table.
Field | eq (equality) | pres (presence) | sub (substring)
---|---|---|---
uidNumber | x | x |
gidNumber | x | x |
loginShell | x | x |
uid | x | x | x
memberUid | x | x | x
nisMapName | x | x | x
nisMapEntry | x | x | x
uniqueMember | x | x |
For this table we now create a matching LDIF file.
# vim /etc/openldap/ldif/cn=\config_DbIndex.ldif
- /etc/openldap/ldif/cn=config_DbIndex.ldif
# Django : 2015-07-17
# Create additional indexes for fields in the DIT
# https://dokuwiki.nausch.org/doku.php/centos:ldap_c7:data?&#setzen_der_indizes_ldif
dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: uidNumber,gidNumber,loginShell eq,pres
olcDbIndex: uid,memberUid eq,pres,sub
olcDbIndex: nisMapName,nisMapEntry eq,pres,sub
olcDbIndex: uniqueMember eq,pres
Then we import this data into our DIT.
# ldapmodify -Y EXTERNAL -H ldapi:/// -f /etc/openldap/ldif/cn=\config_DbIndex.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={2}hdb,cn=config"
Checking the indexes that were set
Finally, we display once more for which fields in the DIT indexes have been set. For this we use the following command.
# ldapsearch -W -x -D cn=config -b olcDatabase={2}hdb,cn=config
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <olcDatabase={2}hdb,cn=config> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# {2}hdb, config
dn: olcDatabase={2}hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {2}hdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=nausch,dc=org
olcRootDN: cn=Manager,dc=nausch,dc=org
olcRootPW: {SSHA}lfeku/uaD4x1i$7n3931Le54U111
olcDbIndex: objectClass eq,pres
olcDbIndex: ou,cn,mail,surname,givenname eq,pres,sub
olcDbIndex: uidNumber,gidNumber,loginShell eq,pres
olcDbIndex: uid,memberUid eq,pres,sub
olcDbIndex: nisMapName,nisMapEntry eq,pres,sub
olcDbIndex: uniqueMember eq,pres

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
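An added example (not from the page) covering the whole index procedure above: it reads the olcDbIndex values from the ldapsearch output, collects the "(attr) not indexed" hints from /var/log/ldap.log, and generates the modify LDIF for the attributes of the table that have no index yet, reporting attributes that are already indexed but lack a wanted type since those need a replace rather than an add. The configuration and log lines are constructed from the output shown on this page.

```python
import re

# Constructed sample: the olcDbIndex values from the page's ldapsearch before any
# index was added, and "not indexed" hints of the kind shown above in ldap.log.
CONFIG_LDIF = """\
dn: olcDatabase={2}hdb,cn=config
olcDbIndex: objectClass eq,pres
olcDbIndex: ou,cn,mail,surname,givenname eq,pres,sub
"""
LDAP_LOG = """\
Jul 17 12:32:53 vml000037 slapd[14264]: <= bdb_equality_candidates: (uid) not indexed
Jul 17 12:33:10 vml000037 slapd[14264]: <= bdb_equality_candidates: (memberUid) not indexed
"""
# The indexes from the table above, as attribute -> index types.
WANTED = {"uidNumber": "eq,pres", "gidNumber": "eq,pres", "loginShell": "eq,pres",
          "uid": "eq,pres,sub", "memberUid": "eq,pres,sub", "nisMapName": "eq,pres,sub",
          "nisMapEntry": "eq,pres,sub", "uniqueMember": "eq,pres"}

def parse_indexes(ldif_text):
    """{attribute: set of index types} from olcDbIndex values; LDIF continuation
    lines (newline followed by a space) are unfolded first."""
    indexes = {}
    for m in re.finditer(r"^olcDbIndex: (\S+) (\S+)$", ldif_text.replace("\n ", ""), re.M):
        for attr in m.group(1).split(","):
            indexes[attr] = set(m.group(2).split(","))
    return indexes

def unindexed_hints(log_text):
    """Attributes slapd reported as '(attr) not indexed'."""
    return set(re.findall(r"_candidates: \((\w+)\) not indexed", log_text))

def index_modify_ldif(existing, wanted, dn="olcDatabase={2}hdb,cn=config"):
    """LDIF that adds one olcDbIndex value per wanted attribute that has no index
    yet (equivalent to the comma-grouped form on the page). Attributes that are
    already indexed but lack a wanted type are returned as conflicts, because
    they need a 'replace' of the existing value rather than an 'add'."""
    lines = [f"dn: {dn}", "changetype: modify", "add: olcDbIndex"]
    conflicts = []
    for attr, types in wanted.items():
        if attr in existing:
            if not set(types.split(",")) <= existing[attr]:
                conflicts.append(attr)
            continue
        lines.append(f"olcDbIndex: {attr} {types}")
    return "\n".join(lines) + "\n", conflicts
```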