directory-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
Subject svn commit: r865805 - in /websites/staging/directory/trunk/content: ./ apacheds/basic-ug/2.3.1-adding-schema-elements.html apacheds/basic-ug/images/schema-browser-person.png apacheds/basic-ug/images/schema-browser-tree.png
Date Sun, 16 Jun 2013 07:22:06 GMT
Author: buildbot
Date: Sun Jun 16 07:22:05 2013
New Revision: 865805

Staging update by buildbot for directory

  (with props)
  (with props)
    websites/staging/directory/trunk/content/   (props changed)

Propchange: websites/staging/directory/trunk/content/
--- cms:source-revision (original)
+++ cms:source-revision Sun Jun 16 07:22:05 2013
@@ -1 +1 @@

Modified: websites/staging/directory/trunk/content/apacheds/basic-ug/2.3.1-adding-schema-elements.html
--- websites/staging/directory/trunk/content/apacheds/basic-ug/2.3.1-adding-schema-elements.html
+++ websites/staging/directory/trunk/content/apacheds/basic-ug/2.3.1-adding-schema-elements.html
Sun Jun 16 07:22:05 2013
@@ -138,6 +138,109 @@
 <h1 id="231-adding-schema-elements">2.3.1 - Adding Schema Elements</h1>
+<h2 id="motivation">Motivation</h2>
+<p>The schema of an LDAP server is comprised of object classes, attributes, syntaxes
and matching rules. Basically it defines which entries are allowed within the server and how
the server should handle them</p>
+<DIV class="info" markdown="1">
+**Is it always necessary to define my own schema elements?**
+No. ApacheDS comes with a comprehensive set of predefined, standardized schema elements (like
inetOrgPerson). It is quite common to solely use the predefined schema. The same holds true
for other directory servers, by the way.
+<p>In the following text the addition of user defined schema elements to the schema
is described in tutorial style. </p>
+<h2 id="browsing-apacheds-schemas">Browsing ApacheDS schemas</h2>
+<p>LDAPv3 servers publish their schema via LDAP. Thus it is possible to list the schema
elements with standard LDAP tools. For instance it is possible to use the ldapsearch command
line tool to list all object classes</p>
+<div class="codehilite"><pre>$ ldapsearch -h zanzibar -p 10389 -D &quot;uid=admin,ou=system&quot;
-w ****** \
+     -b &quot;cn=schema&quot; -s base &quot;(objectclass=subschema)&quot;
+objectClasses: ( NAME &#39;person&#39; DESC &#39;RFC2256: a person&#39;
SUP top 
+    STRUCTURAL MUST ( sn $ cn ) MAY ( userPassword $ telephoneNumber $ 
+    seeAlso $ description ) X-SCHEMA &#39;core&#39; )
+<p>The output (formatted as defines in RFC 4512) contains all things which are interesting
to know about an object class (required attributes, optional attributes etc.), but is not
easy to read by a human user. It is therefore often appropriate to use a GUI tool to browse
the schema (which basically performs the same search operations but presents the output prettily).
One option is Apache Directory Studio, an Eclipse based LDAP tool set which contains a powerful
graphical Schema browser:</p>
+<p><img alt="Schema brower" src="images/schema-browser-person.png" /></p>
+<p>The techniques described above work for all LDAP v3 compliant servers. The ability
to browse the schema gives us a chance to check whether our future changes to the schema really
took place.</p>
+<p>The schema subsystem of ApacheDS 1.5 stores the schema elements as entries in the
DIT. You can find them within a special partition with suffix ou=schema; simply browse the
content with your favorite LDAP Browser. With Apache Directory Studio, it looks like this:</p>
+<p><img alt="ApacheDS Schemas" src="images/schema-browser-tree.png" /></p>
+<p>Browsing the schema like this gives a good impression of the ApacheDS implementation
of the schema subsystem and an even better way to analyze effects during schema updates. But
keep in mind that the storage scheme is server dependent; not all LDAP server implementations
store the schema elements in the DIT.</p>
+<h2 id="which-oids-should-you-use">Which OIDs should you use?</h2>
+<p>If you plan to add custom schema elements, you need numerical OIDs (object identifiers)
for them. If you implement schema elements defined somewhere else (like eduPerson), you can
use the OIDs which are are part of their descriptions. But what if you plan to design your
+<h3 id="some-oid-background-information">Some OID background information</h3>
+<p>An OID is a string formed by a series of numbers which are seperated by a dot (like
"12.4.1971.0.1"). Many elements in directory world use OIDs: Controls, extended operations
and schema elements (like "" for object class person). They identify these objects
in a unique fashion and therefore avoid name clashes.</p>
+<p>How is this accomplished? OIDs are assigned hierarchically: The owner of an OID
is allowed to create new IDs by simply appending numbers. S/he is also allowed to delegate
ownership of newly created OIDs to someone else. This way every person or organization is
able to allocate an arbitrary number of new OIDs after obtaining one from "higher command",
and they are still unique world-wide.</p>
+<h3 id="oids-in-the-example">OIDs in the example</h3>
+<p>OIDs starting with <strong></strong> represent IANA-registered
private enterprises, Apache Software Foundation for instance owns the OID <strong></strong>.
The <strong></strong> has been assigned to the Apache Directory
project by the ASF, and we have decided to use the branch "" for schema
elements used as examples in the documentation. </p>
+<h3 id="oids-for-your-own-custom-schema-elements">OIDs for your own custom schema elements</h3>
+<p>If you just want to play around with the schema subsystem, want to explore the capabilities,
or learn about LDAP in general, you will probably not mind about unique OIDs. This is comparable
to using self-signed certificates for SSL experiments. But it is nevertheless necessary that
you use OIDs which are not used in the schema yet (otherwise addition will fail).</p>
+<p>But if you plan to use your schema elements in a production environment (an object
class for instance which describes employees with company specific attributes), or to ship
your schema elements with a product (e.g. a CRM or portal solution), you should definitely
use unique OIDs. In order to do this you have to obtain OIDs from a branch assigned to your
company or organization (your network administrators will be helpful here, do not invent OIDs
without asking or obtaining a branch from someone who owns the prefix OID). If your company
or organization does not own on OID, there are several option to obtain one, one is the IANA
(Internet Assigned Numbers Authority). It is also possible to get an OID branch as an individual.</p>
+<DIV class="info" markdown="1">
+**Obtaining a PEN**
+You can ask for your own PEN (Private Enterprise Number) here :
+It takes a few weeks to have a private OID assigned to you, so be patient, or do it early
+## A simple example
+The goal is to store ship entries in our directory, backing the "Seven Seas" example used
throughout the Basic User's Guide. There are no schema elements shipped with ApacheDS covering
our naval requirements. So we add some.
+Here is a sample entry for a ship in LDIF:
+    ::: text
+    dn: cn=HMS Victory,ou=ships,o=sevenSeas
+    objectClass: top
+    objectClass: ship
+    cn: HMS Victory
+    numberOfGuns: 104
+    description: a ship of the line of the Royal Navy
+    description: built between 1759 and 1765
+A ship entry is comprised of a mandatory value for common name (cn) of the ship, description
values and the number of guns (numberOfGuns). Thus a new object class ship and a new attribute
type numberOfGuns have to be added to the schema. There are different ways to accomplish the
task. In any case, we have to add the attribute type first, because the object class refers
to it.
+#### attribute type numberOfGuns
+Here is the definition of our custom attribute type numberOfGuns formatted according to RFC
+    ::: text
+    ( 
+     NAME 'numberOfGuns'  DESC 'Number of guns of a ship'
+     EQUALITY integerMatch SYNTAX 
+    )
+#### object class ship
+Custom object class ship is defined as follows
+    ::: text
+    ( 
+     NAME 'ship' DESC 'An entry which represents a ship' 
+     MUST cn MAY ( numberOfGuns $ description ) 
+    )
+## Using Apache Directory Studio Schema Editor to load the new schema elements
+A very convenient way to add your own schema elements to Apache Directory Server is to use
the Schema Editor of Apache Directory Studio. It is even possible to define/design them within
the UI, but we opt here use a prepared file in OpenLDAP format and import it using Studio.
This is a good choice if you have the schema to add already described that way.
+Our file sevenSeas.schema looks like this:
+    ::: text
+    attributetype ( 
+            NAME 'numberOfGuns' 
+            DESC 'Number of guns of a ship'
+            EQUALITY integerMatch
+            SYNTAX 
+            SINGLE-VALUE 
+     )
+    objectclass ( 
+            NAME 'ship'
+            DESC 'An entry which represents a ship' 
+            SUP top 
+            STRUCTURAL 
+            MUST cn 
+            MAY ( numberOfGuns $ description ) 
+     )
     <div class="nav">

Added: websites/staging/directory/trunk/content/apacheds/basic-ug/images/schema-browser-person.png
Binary file - no diff available.

Propchange: websites/staging/directory/trunk/content/apacheds/basic-ug/images/schema-browser-person.png
    svn:mime-type = image/png

Added: websites/staging/directory/trunk/content/apacheds/basic-ug/images/schema-browser-tree.png
Binary file - no diff available.

Propchange: websites/staging/directory/trunk/content/apacheds/basic-ug/images/schema-browser-tree.png
    svn:mime-type = image/png

View raw message