Author Topic: Schema Checking: The validity of an LDAP Entry
eLDAP
member
posts: 107
joined: 08/02/2006
from: Austin, TX
posted on: 08/09/2006 09:36:18 PM
Schema Checking: The validity of an LDAP Entry

When an entry is added or modified through an LDAP operation, the entry is checked against the schema for the following conditions:

Object Class
  • Must have at least one value of attribute type "objectClass".
  • Must have at least one structural object class. (e.g. 'inetOrgPerson', 'organizationalPerson', 'person')
  • Can have any number of auxiliary object classes including zero.
  • Can have any number of abstract object classes, but only as a result of class inheritance. (e.g. 'top')
  • Must have exactly one immediate or base structural object class. (e.g. 'inetOrgPerson')
  • Cannot change its immediate structural object class.

Attribute Type
  • The set of attribute types of the entry MUST contain those listed in MUST lists of all of its object classes, including the implied inherited object classes.
  • The set of attribute types of the entry MUST be contained by those listed in MUST or MAY lists of all of its object classes, including the implied inherited object classes.

Attribute Value
  • If the attribute type is SINGLE-VALUED and the entry has more than one value, the entry is invalid.
  • If the attribute value does not comply with the syntax of that attribute, the entry is invalid.

RDN
  • RDN MUST be made up of only attribute types that are valid for that entry.
  • The values of attribute types used in the RDN appear in the entry.


It should be noted that RDN checking, theoretically, is not part of the LDAP schema specs. The implementation of RDN enforcement is up to vendors. For example, IBM enforces RDN checking; SunOne and AD do not enforce it, but the RDN is automatically added as an attribute while the entry is built into the LDAP DIT.

    eLDAP
    member
    posts: 107
    joined: 08/02/2006
    from: Austin, TX
    posted on: 08/09/2006 09:37:30 PM
    Schema Checking: A valid example

    The following entry is a valid one.

    dn: uid=Babs_Jensen,ou=people,dc=mydomain,dc=com
    objectClass: top
    objectClass: person
    objectClass: organizationalPerson
    objectClass: inetOrgperson
    cn: Babs Jensen
    sn: Jensen
    givenname: Barbara
    mail: bjensen@example.com
    


    eLDAP
    member
    posts: 107
    joined: 08/02/2006
    from: Austin, TX
    posted on: 08/09/2006 09:39:38 PM
    Schema Checking: An invalid entry example
    The following entry is an invalid one.

    dn: uid=Babs_Jensen,ou=people,dc=mydomain,dc=com
    objectClass: top
    objectClass: person
    objectClass: organizationalPerson
    objectClass: inetOrgperson
    objectClass: strongAuthenticationUser
    cn: Babs Jensen
    sn: Jensen
    # (missing) userCertificate:: GXas3KaSd...
    givenname: Barbara
    mail: bjensen@example.com 
    

    A MUST attribute 'userCertificate' is missing, which is required in the auxiliary object class 'strongAuthenticationUser'.
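
The object class, attribute type and RDN checks from the first post, run over the two entries from the later posts, as an added example that is not part of the original thread and is not any directory server's own code. The schema table is a trimmed subset constructed for the example, and the `strict_rdn` flag is a hypothetical switch between enforcing the RDN check and adding the RDN value automatically; SINGLE-VALUE and syntax checks are left out.

```python
SCHEMA = {  # trimmed subset, constructed here: class -> (kind, superior, MUST, MAY)
    "top": ("abstract", None, {"objectclass"}, set()),
    "person": ("structural", "top", {"sn", "cn"}, {"userpassword", "description"}),
    "organizationalperson": ("structural", "person", set(), {"title", "ou"}),
    "inetorgperson": ("structural", "organizationalperson", set(),
                      {"givenname", "mail", "uid", "usercertificate"}),
    "strongauthenticationuser": ("auxiliary", "top", {"usercertificate"}, set()),
}

def parse_ldif(text):  # one unfolded LDIF record -> (dn, {attribute: [values]})
    dn, attrs = "", {}
    for line in text.strip().splitlines():
        name, _, value = line.strip().partition(":")
        if name.lower() == "dn":
            dn = value.strip()
        elif name and not name.startswith("#"):   # "::" marks a base64 value
            attrs.setdefault(name.lower(), []).append(value.lstrip(":").strip())
    return dn, attrs

def validate(text, strict_rdn=False):
    """Return the list of schema violations; an empty list means valid."""
    dn, attrs = parse_ldif(text)
    rdn_attr, _, rdn_val = dn.split(",")[0].partition("=")
    rdn_attr = rdn_attr.strip().lower()
    if not strict_rdn and rdn_val not in attrs.get(rdn_attr, []):
        attrs.setdefault(rdn_attr, []).append(rdn_val)  # server adds the RDN itself
    closure = set()                               # named classes plus inherited ones
    for c in (v.lower() for v in attrs.get("objectclass", [])):
        if c not in SCHEMA:
            return [f"unknown object class: {c}"]
        while c:
            closure.add(c)
            c = SCHEMA[c][1]
    structural = [c for c in closure if SCHEMA[c][0] == "structural"]
    errors = [] if structural else ["no structural object class"]
    must = set().union(*(SCHEMA[c][2] for c in closure))
    allowed = must.union(*(SCHEMA[c][3] for c in closure))
    errors += [f"missing MUST attribute: {a}" for a in sorted(must - set(attrs))]
    errors += [f"attribute not allowed: {a}" for a in sorted(set(attrs) - allowed)]
    if rdn_val not in attrs.get(rdn_attr, []):
        errors.append(f"RDN value not in entry: {rdn_attr}={rdn_val}")
    return errors

# Entries from the thread; INVALID leaves userCertificate out, as the post describes.
VALID = ("dn: uid=Babs_Jensen,ou=people,dc=mydomain,dc=com\nobjectClass: top\n"
         "objectClass: person\nobjectClass: organizationalPerson\n"
         "objectClass: inetOrgperson\ncn: Babs Jensen\nsn: Jensen\n"
         "givenname: Barbara\nmail: bjensen@example.com\n")
INVALID = VALID + "objectClass: strongAuthenticationUser\n"
```

`validate(INVALID)` reports the missing MUST attribute, and `validate(VALID, strict_rdn=True)` shows how the same entry fares when the RDN value is not added automatically.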