Schema Checking: The validity of an LDAP Entry
Subject: Schema Checking: The validity of an LDAP Entry
Author: eLDAP
Posted on: 08/09/2006 09:36:18 PM
When an entry is added or modified through an LDAP operation, the entry is checked against the schema for the following conditions:

Object Class
- Must have at least one value of attribute type "objectClass".
- Must have at least one structural object class (e.g. 'inetOrgPerson', 'organizationalPerson', 'person').
- Can have any number of auxiliary object classes, including zero.
- Can have any number of abstract object classes, but only as a result of class inheritance (e.g. 'top').
- Must have exactly one immediate or base structural object class (e.g. 'inetOrgPerson').
- Cannot change its immediate structural object class.

Attribute Type
- The set of attribute types of the entry MUST contain those listed in the MUST lists of all of its object classes, including the implied (inherited) object classes.
- The set of attribute types of the entry MUST be contained in the union of the MUST and MAY lists of all of its object classes, including the implied (inherited) object classes.

Attribute Value
- If the attribute type is SINGLE-VALUE and the entry has more than one value for it, the entry is invalid.
- If an attribute value does not comply with the syntax of that attribute type, the entry is invalid.

RDN
- The RDN MUST be made up of only attribute types that are valid for that entry.
- The values of the attribute types used in the RDN must appear in the entry.

It should be noted that RDN checking is, strictly speaking, not part of the LDAP schema specification; enforcement of RDN checking is up to the vendor. For example, IBM enforces RDN checking; SunOne and AD do not enforce it, but the RDN attribute values are automatically added to the entry when it is built into the LDAP DIT.
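The four checks above (object class, MUST/MAY containment, SINGLE-VALUE, RDN) carried out over a small schema, as an added Python example that is not part of the original post. The schema table and the SINGLE_VALUED set are a constructed, abridged subset of the standard classes, and the attribute syntax check is omitted.

```python
# Constructed, abridged subset of the standard LDAP schema: class names and the
# MUST/MAY attributes shown are real, but MAY lists are cut down to a few entries.
SCHEMA = {  # name -> (kind, superclass, MUST attributes, MAY attributes)
    "top": ("abstract", None, {"objectclass"}, set()),
    "person": ("structural", "top", {"sn", "cn"}, {"userpassword", "telephonenumber", "description"}),
    "organizationalperson": ("structural", "person", set(), {"title", "ou", "l"}),
    "inetorgperson": ("structural", "organizationalperson", set(), {"uid", "mail", "givenname", "displayname"}),
    "organizationalunit": ("structural", "top", {"ou"}, {"description"}),
    "posixaccount": ("auxiliary", "top", {"cn", "uid", "uidnumber", "gidnumber", "homedirectory"}, {"loginshell"}),
}
SINGLE_VALUED = {"displayname", "uidnumber", "gidnumber", "homedirectory"}  # abridged, constructed

def chain(oc):  # oc and all of its superclasses: membership in these is implied
    out = []
    while oc:
        out.append(oc)
        oc = SCHEMA[oc][1]
    return out

def validate(dn, entry):
    """Return schema violations for entry (attribute -> list of values); [] means valid."""
    entry = {k.lower(): list(v) for k, v in entry.items()}
    problems = []
    ocs = [oc.lower() for oc in entry.get("objectclass", [])]
    bad = [f"unknown object class {oc}" for oc in ocs if oc not in SCHEMA]
    if bad or not ocs:
        return bad or ["entry has no objectClass value"]
    expanded = {c for oc in ocs for c in chain(oc)}  # inherited classes are implied
    structural = [oc for oc in expanded if SCHEMA[oc][0] == "structural"]
    # Exactly one immediate structural class: all structural classes must lie on one chain
    leaves = [oc for oc in structural if not any(o != oc and oc in chain(o) for o in structural)]
    if len(leaves) != 1:
        problems.append(f"expected one structural object class, found {sorted(leaves)}")
    must = set().union(*(SCHEMA[oc][2] for oc in expanded))
    allowed = must | set().union(*(SCHEMA[oc][3] for oc in expanded))
    attrs = set(entry)
    problems += [f"missing MUST attribute {a}" for a in sorted(must - attrs)]
    problems += [f"attribute {a} not in any MUST/MAY list" for a in sorted(attrs - allowed)]
    problems += [f"{a} is SINGLE-VALUE but has {len(entry[a])} values"
                 for a in sorted(attrs & SINGLE_VALUED) if len(entry[a]) > 1]
    # RDN: each attribute of the first DN component must be valid for the entry and its value present
    for ava in dn.split(",")[0].split("+"):
        a, _, v = ava.partition("=")
        a, v = a.strip().lower(), v.strip()
        if a not in allowed:
            problems.append(f"RDN attribute {a} is not valid for this entry")
        elif v not in entry.get(a, []):
            problems.append(f"RDN value {a}={v} is not present in the entry")
    return problems
```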