Topic: Schema Checking: The validity of an LDAP Entry

eLDAP member (posts: 107, joined: 08/02/2006, from: Austin, TX)

Schema Checking: The validity of an LDAP Entry |
When an entry is added or modified through an LDAP operation, the entry is checked against the schema for the following conditions:

Object Class
  - Must have at least one value of attribute type "objectClass".
  - Must have at least one structural object class (e.g. 'inetOrgPerson', 'organizationalPerson', 'person').
  - Can have any number of auxiliary object classes, including zero.
  - Can have any number of abstract object classes, but only as a result of class inheritance (e.g. 'top').
  - Must have exactly one immediate or base structural object class (e.g. 'inetOrgPerson').
  - Cannot change its immediate structural object class.

Attribute Type
  - The set of attribute types of the entry MUST contain those listed in the MUST lists of all of its object classes, including the implied inherited object classes.
  - The set of attribute types of the entry MUST be contained by those listed in the MUST or MAY lists of all of its object classes, including the implied inherited object classes.

Attribute Value
  - If the attribute type is SINGLE-VALUED and the entry has more than one value, the entry is invalid.
  - If the attribute value does not comply with the syntax of that attribute type, the entry is invalid.

RDN
  - The RDN MUST be made up only of attribute types that are valid for that entry.
  - The values of the attribute types used in the RDN appear in the entry.

It should be noted that RDN checking, theoretically, is not part of the LDAP schema specs. The implementation of RDN enforcement is up to vendors. For example, IBM enforces RDN checking; SunOne and AD do not enforce it, but the RDN is automatically added as an attribute while the entry is built into the LDAP DIT.

eLDAP member

Schema Checking: A valid example |
The following entry is a valid one.
dn: uid=Babs_Jensen,ou=people,dc=mydomain,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
cn: Babs Jensen
sn: Jensen
givenName: Barbara
mail: bjensen@example.com

eLDAP member

Schema Checking: An invalid entry example |
The following entry is an invalid one.
dn: uid=Babs_Jensen,ou=people,dc=mydomain,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: strongAuthenticationUser
cn: Babs Jensen
sn: Jensen
userCertificate:: GXas3KaSd...
givenName: Barbara
mail: bjensen@example.com
A MUST attribute 'userCertificate' is missing, which is required in the auxiliary object class 'strongAuthenticationUser'.
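As an added example (not code from the original posts), the following Python script encodes the checks listed in the first post and runs them over the entries from the two posts above. The schema table is a hand-abbreviated subset of the standard object class definitions that I assumed for the example, not a full schema; the `enforce_rdn` switch is my own way of modelling the IBM-versus-SunOne/AD difference the first post describes; and the "invalid" entry is constructed here with `userCertificate` left out so that the missing-MUST check fires.

```python
"""Minimal LDAP schema checker. Added example; not code from the original posts.

It encodes the validity rules listed in the first post (objectClass presence,
a single structural chain, MUST/MAY containment, SINGLE-VALUE, RDN) and runs
them over the entries from the later posts. SCHEMA is a hand-abbreviated subset
of the standard definitions (RFC 4512/4519/2798/4523); attribute lists are not
complete, and attribute syntax checks are left out.
"""
from __future__ import annotations
from collections import defaultdict

# Object class definitions: (kind, superior class, MUST set, MAY set).
SCHEMA = {
    "top": ("abstract", None, {"objectClass"}, set()),
    "person": ("structural", "top", {"sn", "cn"},
               {"userPassword", "telephoneNumber", "seeAlso", "description"}),
    "organizationalPerson": ("structural", "person", set(),
                             {"title", "ou", "l", "st", "postalCode", "postalAddress"}),
    "inetOrgPerson": ("structural", "organizationalPerson", set(),
                      {"uid", "mail", "givenName", "displayName", "employeeNumber",
                       "userCertificate"}),
    "strongAuthenticationUser": ("auxiliary", "top", {"userCertificate"}, set()),
}
SINGLE_VALUED = {"displayName", "employeeNumber", "preferredLanguage"}  # assumed subset
# Attribute and class names are case-insensitive; map them to canonical spelling.
_ATTR_NAMES = {n.lower(): n for cls in SCHEMA.values() for n in cls[2] | cls[3]}
_CLASS_NAMES = {n.lower(): n for n in SCHEMA}


def parse_ldif(text: str) -> tuple[str | None, dict[str, list[str]]]:
    """Parse one LDIF entry into (dn, {canonical attribute: [values]})."""
    dn, attrs, lines = None, defaultdict(list), []
    for raw in text.strip().splitlines():
        if raw.startswith(" ") and lines:        # folded continuation line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    for line in lines:
        name, _, value = line.partition(":")
        name, value = name.strip(), value.strip()
        if value.startswith(":"):                # "attr:: base64" form, kept opaque
            value = value[1:].strip()
        if name.lower() == "dn":
            dn = value
        else:
            attrs[_ATTR_NAMES.get(name.lower(), name)].append(value)
    return dn, dict(attrs)


def _chain(name: str) -> list[str]:
    """The class plus all of its superiors, most-derived first."""
    out = []
    while name is not None:
        out.append(name)
        name = SCHEMA[name][1]
    return out


def check_entry(text: str, enforce_rdn: bool = True) -> list[str]:
    """Return the schema violations found (an empty list means the entry is valid).

    enforce_rdn=True behaves like the IBM server described in the post (RDN
    values must already be in the entry); False mimics SunOne/AD, which add the
    RDN attribute themselves while building the entry.
    """
    errors = []
    dn, attrs = parse_ldif(text)
    if dn is None:
        return ["entry has no dn"]

    # RDN: first DN component, possibly multi-valued (a=1+b=2); enforce or auto-add.
    for ava in dn.split(",")[0].split("+"):
        rtype, _, rval = ava.partition("=")
        rtype, rval = _ATTR_NAMES.get(rtype.strip().lower(), rtype.strip()), rval.strip()
        if not any(v.lower() == rval.lower() for v in attrs.get(rtype, [])):
            if enforce_rdn:
                errors.append(f"RDN value {rtype}={rval} is not present in the entry")
            else:
                attrs.setdefault(rtype, []).append(rval)

    # 1. objectClass must exist with at least one value, and every value must be known.
    listed = attrs.get("objectClass", [])
    if not listed:
        return errors + ["entry has no objectClass value"]
    try:
        listed = [_CLASS_NAMES[c.lower()] for c in listed]
    except KeyError as e:
        return errors + [f"unknown object class {e.args[0]}"]
    expanded = {c for oc in listed for c in _chain(oc)}   # implied inherited classes

    # 2. Exactly one structural chain: only one structural class may have no
    #    structural subclass among the entry's classes.
    structural = [c for c in expanded if SCHEMA[c][0] == "structural"]
    leaves = [c for c in structural if not any(c in _chain(o)[1:] for o in structural)]
    if not structural:
        errors.append("entry has no structural object class")
    elif len(leaves) != 1:
        errors.append(f"entry has more than one structural chain: {sorted(leaves)}")

    # 3. Abstract classes may appear only through inheritance from a listed class.
    for c in listed:
        if SCHEMA[c][0] == "abstract" and not any(c in _chain(o)[1:] for o in listed):
            errors.append(f"abstract class {c} is not inherited by any listed class")

    # 4. All MUST attributes present; every attribute allowed by some MUST/MAY list.
    must = {a for c in expanded for a in SCHEMA[c][2]}
    allowed = must | {a for c in expanded for a in SCHEMA[c][3]}
    errors += [f"MUST attribute {a} is missing" for a in sorted(must - set(attrs))]
    errors += [f"attribute {a} is not allowed by any object class"
               for a in sorted(set(attrs) - allowed)]

    # 5. SINGLE-VALUE attributes may carry only one value.
    for a, vals in attrs.items():
        if a in SINGLE_VALUED and len(vals) > 1:
            errors.append(f"SINGLE-VALUE attribute {a} has {len(vals)} values")
    return errors


# Constructed inputs: the valid entry from the post, and the invalid example with
# strongAuthenticationUser added but userCertificate left out.
VALID = """\
dn: uid=Babs_Jensen,ou=people,dc=mydomain,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
cn: Babs Jensen
sn: Jensen
givenName: Barbara
mail: bjensen@example.com
"""
INVALID = VALID.replace("objectClass: inetOrgPerson\n",
                        "objectClass: inetOrgPerson\nobjectClass: strongAuthenticationUser\n")

if __name__ == "__main__":
    for label, entry in (("valid", VALID), ("invalid", INVALID)):
        for enforce in (True, False):
            print(label, f"enforce_rdn={enforce}:", check_entry(entry, enforce_rdn=enforce) or "OK")
```

Note what the RDN switch shows: the posted "valid" entry carries `uid=Babs_Jensen` in its DN but no `uid` attribute, so under strict RDN enforcement it is rejected, and only passes when the server adds the RDN attribute itself, which is exactly the vendor difference the first post points out.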