]]>Ldap 寰堝ソ鐨勫涔犵綉绔?/title><link>http://www.tkk7.com/liuzheng/articles/267317.html</link><dc:creator>鍒橀摦 </dc:creator><author>鍒橀摦 </author><pubDate>Fri, 24 Apr 2009 03:08:00 GMT</pubDate><guid>http://www.tkk7.com/liuzheng/articles/267317.html</guid><wfw:comment>http://www.tkk7.com/liuzheng/comments/267317.html</wfw:comment><comments>http://www.tkk7.com/liuzheng/articles/267317.html#Feedback</comments><slash:comments>0</slash:comments><wfw:commentRss>http://www.tkk7.com/liuzheng/comments/commentRss/267317.html</wfw:commentRss><trackback:ping>http://www.tkk7.com/liuzheng/services/trackbacks/267317.html</trackback:ping><description><![CDATA[http://www.zytrax.com/books/ldap/
<img src ="http://www.tkk7.com/liuzheng/aggbug/267317.html" width = "1" height = "1" /><br><br><div align=right><a style="text-decoration:none;" href="http://www.tkk7.com/liuzheng/" target="_blank">鍒橀摦 </a> 2009-04-24 11:08 <a href="http://www.tkk7.com/liuzheng/articles/267317.html#Feedback" target="_blank" style="text-decoration:none;">鍙戣〃璇勮</a></div>]]></description></item><item><title>Ldap schema 鑷畾涔?/title><link>http://www.tkk7.com/liuzheng/articles/267316.html</link><dc:creator>鍒橀摦 </dc:creator><author>鍒橀摦 </author><pubDate>Fri, 24 Apr 2009 03:07:00 GMT</pubDate><guid>http://www.tkk7.com/liuzheng/articles/267316.html</guid><wfw:comment>http://www.tkk7.com/liuzheng/comments/267316.html</wfw:comment><comments>http://www.tkk7.com/liuzheng/articles/267316.html#Feedback</comments><slash:comments>0</slash:comments><wfw:commentRss>http://www.tkk7.com/liuzheng/comments/commentRss/267316.html</wfw:commentRss><trackback:ping>http://www.tkk7.com/liuzheng/services/trackbacks/267316.html</trackback:ping><description><![CDATA[<p>An <strong>LDAP schema</strong> is nothing more than a convenient packaging unit for containing broadly similar <a title="" class="t-db">objectClasses</a> and <a title="" class="t-db">attributes</a>.</p>
<p>There may have been a time when a single schema was designed to hold
everything required for an LDAP implementation (like a relational
database schema) but that is no longer true. You will find useful
attributes and objectclases scattered all over the place - the power of
LDAP arguably comes from the ease of creating and using this apparent
anarchy.</p>
<p>The rule is: Every attribute or objectclass (including its superior
objectclass or attribute) used in an LDAP implementation must be
defined in a <strong>schema</strong> and that schema must be <strong>known</strong> to the LDAP server. In OpenLDAP the schemas are made known using the <a class="t-db">include</a> statement in the <a title="" class="t-db">slapd.conf</a> configuration file).</p>
<p>The following diagram illustrates the use of schemas as packaging units:</p>
<p align="center"><img title="" src="http://www.zytrax.com/books/ldap/images/ldap-schemas-packaging.gif" alt="LDAP - Schema, objectClasses and Attributes" border="0" />
</p>
<p><a ><img src="http://www.zytrax.com/images/go_up.gif" alt="Up Arrow" border="0" /></a></p>
<h2>3.3 LDAP objectClasses</h2>
<p>An <strong>objectClass</strong> is a collection of attributes (or an attribute container) and has the following characteristics:</p>
<ol>
<li>
<p>An <strong>objectclass</strong> is defined within a <strong>Schema</strong></p>
</li>
<li>
<p>An <strong>objectclass</strong> may be a part of an objectclass hierarchy in which case it inherits all the properties of its parents, for example, <a title="" class="t-db">inetOrgPerson</a> is the child of <a title="" class="t-db">organizationalPerson</a> which is the child of <a title="" class="t-db">person</a> which is the child of <strong>top</strong> (the ABSTRACT objectClass which terminates every objectClass hirearchy).</p>
</li>
<li>
<p>An <strong>objectclass</strong> has a globally unique name or identifier</p>
</li>
<li>
<p>An <strong>objectclass</strong>, as well as being an attribute container, is also an attribute and may be searched on</p>
</li>
<li>
<p>An <strong>objectclass</strong> defines its member attributes and whether these MUST (mandatory) be present or MAY (optional) be present in an entry.</p>
</li>
<li>
<p>One or more <strong>objectclass(es)</strong> must be present in an LDAP <a class="t-db">entry</a>.</p>
</li>
<li>
<p>Each <strong>objectclass</strong> supported by a LDAP server forms part of a <strong>collection</strong> called <strong>objectclasses</strong> which can be discovered via the <a title="" class="t-db"><strong>subschema</strong></a>.</p>
</li>
</ol>
<h3>Defining an objectClass</h3>
<p>The formal objectclass definition is defined in <a class="t-db">RFC 2252 section 4.4</a> and looks like this:</p>
<pre>ObjectClassDescription = "(" whsp<br />
numericoid whsp ; ObjectClass identifier<br />
[ "NAME" qdescrs ]<br />
[ "DESC" qdstring ]<br />
[ "OBSOLETE" whsp ]<br />
[ "SUP" oids ] ; Superior ObjectClasses<br />
[ ( "ABSTRACT" / "STRUCTURAL" / "AUXILIARY" ) whsp ]<br />
; default structural<br />
[ "MUST" oids ] ; AttributeTypes<br />
[ "MAY" oids ] ; AttributeTypes<br />
whsp ")"<br />
</pre>
<p>Ooof! <strong>whsp</strong> means a space character and when they say it
should be there believe them. Rather than try and explain all these
entries lets start with some examples.</p>
<p>An <strong>objectClass</strong> is defined using <a title="" class="t-db">ASN.1</a> notation - the following is a simple standard objectclass definition for <a title="" class="t-db">country</a> taken from the <a title="" class="t-db">core.schema</a> supplied with OpenLDAP distributions.</p>
<pre>objectclass ( 2.5.6.2 NAME 'country' SUP top STRUCTURAL<br />
MUST c<br />
MAY ( searchGuide $ description ) )<br />
</pre>
<p>Now lets deconstruct this definition:</p>
<p><strong>objectclass</strong> is a keyword indicating this is an objectclass definition - see it's not so complicated!</p>
<p><strong>2.5.6.2 NAME 'country'</strong> defines a <strong>globally unique</strong> name for this objectclass and is comprised of two parts: <strong>NAME 'country'</strong> just allows you to refer to this objectclass by some semi-understandable text - in this case the english word <strong>country</strong>. The <strong>globally unique</strong> part is defined by <strong>2.5.6.2</strong> which is called an <a title="" class="t-db">OID (ObjectIdentifier)</a>.
The OID 2.5.6.2 was probably the third objectclass ever defined by
X.500 (2.5.6 is the joint itu-iso x.500 object classes, the last 2 is a
sequence number within that family of OIDs). It does not matter what
organization assigns this number but it must be UNIQUE. Obtaining an
enterprise OID that allows you to define your own <strong>attributes</strong> and <strong>objectclasses</strong> is a trivial and zero cost process via <a class="t-db">IANA</a>. It is a VERY BAD THING™ to re-use existing OIDs.</p>
<p><strong>SUP 'top'</strong> indicates that this objectclass has a PARENT (or
SUPerior) objectclass - it is part of a hierarchy. In this case the
parent is <strong>top</strong> which is a special class that terminates (is the
highest level) in all objectclasses. An objectclass may have one or
more objectclass(es) as Parents.</p>
<p><strong>STRUCTURAL</strong> indicates that this objectclass contains data and can form an <a class="t-db">entry</a> in a DIT. <strong>objectClasses</strong> may also be ABSTRACT which indicates a non-existent objectclass used for convenience. The most common ABSTRACT objectclass is <strong>top</strong> which just terminates an objectclass hierarchy. Finally an <strong>objectClass</strong>
may be AUXILIARY which indicates it may be used with any STRUCTURAL
objectclass to form an entry but cannot alone form an entry in a DIT.</p>
<p><strong>DESC 'description'</strong> OK so we picked a lousy example which does
not have a DESC part - but it was short. DESC is an optional value that
provides a short text description of the use or contents of the
objectclass. It's meant for human beings to read and has no other use.
Here is what <strong>country</strong> <u>could</u> have looked like with a DESC statement included:</p>
<pre>objectclass ( 2.5.6.2 NAME 'country' SUP top STRUCTURAL<br />
DESC '2 character iso assigned country code'<br />
MUST c<br />
MAY ( searchGuide $ description ) )<br />
</pre>
<p><strong>MUST c</strong> MUST indicates that the attributes in the following list are mandatory in this case the attribute <strong>c</strong>
has to be present or the entry will fail to load. Single values are
written as shown, multiple attributes are enclosed in parentheses and
separated with a $ (dollar) sign, such as ( attr1 $ attr2 $ attrn). If
there are no mandatory attributes this section is not included.</p>
<p><strong>MAY ( searchGuide $ description )</strong> MAY indicates that the
attributes in the following list are optional. Multiple values are
written as shown, single attributes do not need the parentheses (see
above). If there are no optional attributes this section is not
included.</p>
<h3>Some more objectClasses</h3>
<p>This is how the <strong>top</strong> objectclass is defined:</p>
<pre>objectclass ( 2.5.6.0 NAME 'top' ABSTRACT<br />
MUST objectClass )<br />
</pre>
<p>Illustrates the use of the ABSTRACT statement in an objectclass. Since <strong>top</strong> is always the top of a hierarchy - clearly it cannot have a <strong>SUP</strong> statement. The OID is also assigned by the X.500 standards group.</p>
<p>Many documents insist that the objectclass <strong>top</strong> is included in <a class="t-db">LDIF</a> files - <a class="t-db">it is not always necessary</a>.</p>
<p>This is how the <strong>dcObject</strong> objectclass is defined:</p>
<pre>objectclass ( 1.3.6.1.4.1.1466.344 NAME 'dcObject'<br />
DESC 'RFC2247: domain component object'<br />
SUP top AUXILIARY MUST dc )<br />
</pre>
<p>Illustrates the use of the AUXILLIARY statement. An AUXILLIARY
cannot on its own create an entry. The OID in this example shows the
use of a <a title="" class="t-db">private enterprise OID (ObjectIdentifier)</a>. The following fragment shows a fairly typical base DN definition using <strong>dcObject</strong>:</p>
<pre>dn: dc=example,dc=com<br />
dc: example.com<br />
objectclass: dcObject<br />
objectclass: organization<br />
o: Example, Inc.<br />
</pre>
<p>It is the <strong>objectclass: organization</strong> that creates the entry. <strong>dcObject</strong> piggy-backs on this objectclass.</p>
<p>This is how the <strong>pilotOrganization</strong> objectclass is defined and
illustrates that there may be one or more SUPerior (Parent)
objectclasses in which the child inherits the properties of ALL its
parents (bit like humans really):</p>
<pre>objectClasses: ( 0.9.2342.19200300.100.4.20 NAME 'pilotOrganization'<br />
SUP ( organization $ organizationalUnit ) STRUCTURAL<br />
MAY buildingName )<br />
</pre>
<p>We have omitted explaining a couple of values (well one actually) -
OBSOLETE if it is present it means the objectclass should not be used
(duh).</p>
<h2>LDAP Attributes</h2>
<p>Attributes typically contain data and have the following characteristics:</p>
<ol>
<li>
<p>Every <strong>attribute</strong> is included in one or more <strong>objectclass</strong>.</p>
</li>
<li>
<p>An <strong>objectclass</strong> is also an <strong>attribute</strong> and can be used in searches.</p>
</li>
<li>
<p>To use an <strong>attribute</strong> in an <a title="" class="t-db">entry</a> its <strong>objectclass</strong> must be included in the entry definition and its <strong>objectclass</strong> must be included in a <strong>schema</strong> which must be identified to the LDAP server.</p>
</li>
<li>
<p>An <strong>attribute</strong>'s characteristics are defined using <a title="" class="t-db">ASN.1</a> notation.</p>
</li>
<li>
<p>An <strong>attribute</strong> can appear once in any instance of its containing <strong>ObjectClass</strong> (SINGLE-VALUE) or can apear more than once in any instance of its containing <strong>ObjectClass</strong> (MULTI-VALUE). MULTI-VALUE is default.</p>
</li>
<li>
<p>An <strong>attribute</strong> definition may be part of a hierarchy in
which case it inherits all the properties of its parents, for example,
commonName (cn), givenName (gn), surname (sn) are all children of the <strong>name</strong> attribute.</p>
</li>
<li>
<p>An <strong>attribute</strong> definition includes its type, for instance
string, number etc., how it behaves in certain conditions, for example
are compares case sensitive or case-insensitive and other
characteristics (properties).</p>
</li>
<li>
<p>An <strong>attribute</strong> supported by a LDAP server forms part of a <strong>collection</strong> called <strong>attributetypes</strong> which can be interrogated via the <a title="" class="t-db">subschema</a>.</p>
</li>
</ol>
<h3>Defining an Attribute</h3>
<p>The formal attribute definition is defined in <a class="t-db">RFC 2252 section 4.2</a> and looks like this:</p>
<pre>AttributeTypeDescription = "(" whsp<br />
numericoid whsp ; AttributeType identifier<br />
[ "NAME" qdescrs ] ; name used in AttributeType<br />
[ "DESC" qdstring ] ; description<br />
[ "OBSOLETE" whsp ]<br />
[ "SUP" woid ] ; derived from this other<br />
; AttributeType<br />
[ "EQUALITY" woid ; Matching Rule name<br />
[ "ORDERING" woid ; Matching Rule name<br />
[ "SUBSTR" woid ] ; Matching Rule name<br />
[ "SYNTAX" whsp noidlen whsp ] ; Syntax OID<br />
[ "SINGLE-VALUE" whsp ] ; default multi-valued<br />
[ "COLLECTIVE" whsp ] ; default not collective<br />
[ "NO-USER-MODIFICATION" whsp ]; default user modifiable<br />
[ "USAGE" whsp AttributeUsage ]; default userApplications<br />
whsp ")"<br />
</pre>
<p>Ouch! <strong>whsp</strong> means a space character and must be present. Rather than explain each bit of gobbledegook lets again start with some examples.</p>
<p>An <strong>attribute</strong> is defined using <a title="" class="t-db">ASN.1</a> notation - the following is a simple standard attribute definition for <a title="" class="t-db">commonName (cn)</a> taken from the <a title="" class="t-db">core.schema</a> supplied with OpenLDAP distributions.</p>
<pre>attributetype ( 2.5.4.3 NAME ( 'cn' 'commonName' ) SUP name )<br />
</pre>
<p>Now lets deconstruct this definition:</p>
<p><strong>attributetype</strong> indicates this defines an attribute - wow.</p>
<p><strong>2.5.4.3 NAME ('cn' 'commonName')</strong> defines a <strong>globally unique</strong> name for this attribute and is comprised of two parts: <strong>NAME ('cn' 'commonName'</strong> just allows you to refer to this attribute by some semi-understandable text - in this case either the english word <strong>commonName</strong> OR the shortform (or alias) <strong>cn</strong>
in principle there are no limits to the number of definitions or
aliases you can have as long as they are unique. In this multiple entry
form the names are enclosed in parentheses and space separated. Since <strong>cn</strong> appears first it is called the <a class="t-db">primary</a> name which is very important when it comes to <a class="t-db">indexing</a> entries.</p>
<p>The <strong>globally unique</strong> part is defined by <strong>2.5.4.3</strong> which is called an <a title="" class="t-db">OID (ObjectIdentifier)</a>.
The OID 2.5.4.3 was possibly the fourth attribute ever defined by X.500
(2.5.4 is the joint itu-iso x.500 attribute types, the last 3 is a
sequence number within that family of OIDs). It does not matter what
organization assigns this number but it must be UNIQUE. Obtaining an
enterprise OID that allows you to define your own <strong>attributes</strong> and <strong>objectclasses</strong> is a trivial process via <a class="t-db">IANA</a>. It is a VERY BAD THING™ to re-use existing OIDs.</p>
<p><strong>SUP 'name'</strong> indicates that this attribute has a PARENT (or SUPerior) attribute - it is part of a hierarchy. In this case the parent is <strong>name</strong>
which we will now look at in detail since, if you recall, the child
always inherits the properties of the parent (or SUPerior) attribute
(and itself may have additional properties). The SUP entry can use
either a 'name' or an OID. The definition SUP 'top' and SUP 2.5.4.41
mean exactly the same - except to the poor reader!</p>
<p>This is the attribute definition of <a title="" class="t-db">name</a> which is a much more serious definition and the SUPerior (parent) attribute of <strong>cn</strong> above:</p>
<pre>attributetype ( 2.5.4.41 NAME 'name'<br />
EQUALITY caseIgnoreMatch<br />
SUBSTR caseIgnoreSubstringsMatch<br />
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{32768} )<br />
</pre>
<p>Now for some more serious deconstruction:</p>
<p><strong>attributetype</strong> indicates this defines an attribute - same as before.</p>
<p><strong>2.5.4.41 NAME 'name'</strong> defines the <strong>globally unique</strong> name for this attribute and as before is comprised of two parts: <strong>NAME 'name'</strong> just allows reference to this attribute by some semi-understandable text and the OID <strong>2.5.4.41</strong>
indicates it was defined by the X.500 standards group. The format used,
because there is only a single name value, does not need enclosing
parentheses as in the <strong>commonName</strong> example above.</p>
<p><strong>EQUALITY caseIgnoreMatch</strong> indicates how this (and any child attributes) will behave when used in a <a class="t-db">search filter</a> e.g. <strong>(cn=jimbob)</strong> (<strong>cn</strong> is a child of <strong>name</strong>) and no <strong>wildcards</strong> exist in the search. In this case it defines the match to be case-insensitive. <strong>caseIgnoreMatch</strong> is a <a class="t-db">matchingRule</a> and is defined in the <a class="t-db">subschema</a>.</p>
<p><strong>SUBSTR caseIgnoreSubstringsMatch</strong> indicates how this (and any child attributes) will behave when used in a <a class="t-db">search filter</a> which uses a substring e.g. <strong>(cn=jim*)</strong> (<strong>cn</strong> is a child of <strong>name</strong>) and contains one or more <strong>wildcards</strong>. In this case it defines that the match is case-insensitive. <strong>caseIgnoreSubstringMatch</strong> is again a <a class="t-db">matchingRule</a> and is defined in the <a class="t-db">subschema</a>.</p>
<p><strong>SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{32768}</strong> is an <a class="t-db">OID</a> which defines the data type and what rules (data validation) are applied to the data. The full list is in <a class="t-db">RFC 2252 section 4.3.2</a> and in this case the OID defines it to be a Directory String type which is defined in <a class="t-db">RFC 2252 section 6.10</a> to be in the UTF-8 form of the ISO 10646 character set. The value <strong>{32768}</strong> indicates the maximum length of the string and is optional. <a class="t-db">Some more on LDAP Data Types</a></p>
<h2>Other Characteristics</h2>
<p><strong>SINGLE-VALUE</strong> <u>Omission</u> of this entry means that it is multi-valued i.e. it can appear more than once in an <strong>objectclass</strong> or an entry. If the attribute can only accept single values it must be explicitly defined as in the definition of <strong>dc</strong> below.</p>
<pre>attributetype ( 0.9.2342.19200300.100.1.25<br />
NAME ( 'dc' 'domainComponent' )<br />
DESC 'RFC1274/2247: domain component'<br />
EQUALITY caseIgnoreIA5Match<br />
SUBSTR caseIgnoreIA5SubstringsMatch<br />
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 <br />
SINGLE-VALUE )<br />
</pre>
<p><strong>ORDERING 'matchingrule'</strong> is rarely defined and is used to
define the collation match - the lexicographic sorting order (allowing
searches of <= and >=).</p>
<pre>attributetype ( 2.5.4.46 NAME 'dnQualifier'<br />
EQUALITY caseIgnoreMatch<br />
ORDERING caseIgnoreOrderingMatch<br />
SUBSTR caseIgnoreSubstringsMatch<br />
SYNTAX 1.3.6.1.4.1.1466.115.121.1.44 )<br />
</pre>
<p><a ><img src="http://www.zytrax.com/images/go_up.gif" alt="Up Arrow" border="0" /></a></p>
<h2>3.5 Matching Rules</h2>
<p>Matching rules are part of what is called the <a title="" class="t-db">operational</a> characteristics of the LDAP server.</p>
<div>
<p><strong>matchingrules</strong> define the methods of comparison available in the LDAP server:</p>
<ol>
<li><strong>matchingrules</strong> are typically built-in to the LDAP server and do not need to be defined explicitly.</li>
<li>A <strong>matchingrule</strong> forms part of a <strong>collection</strong> called <strong>matchingrules</strong> which can be discovered via the <a title="" class="t-db">subschema</a>.</li>
<li>A <strong>matchingrule</strong> is defined for each <strong>attribute</strong> using the <a title="" class="t-db">EQUALITY, SUBSTR, ORDERING</a> properties as required - only those properties required are defined. If the search cannot use a <strong>wildcard</strong> there will be no SUBSTR property defined.</li>
</ol>
<h3>3.5.1 Defining matchingRule</h3>
<p>Most <strong>matchingrules</strong> are built-in and you almost never need to
define them but like everything in LDAP it has a defining syntax. The
following is an example of a matchingrule definition using <strong>caseIgnoreMatch</strong>:</p>
<pre>matchingRule ( 2.5.13.2 NAME 'caseIgnoreMatch'<br />
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )<br />
</pre>
<p>The deconstruction shows the following:</p>
<p><strong>matchingrule</strong> indicates this is a matchingrule definition.</p>
<p><strong> 2.5.13.2 NAME 'caseIgnoreMatch'</strong> defines the <strong>globally unique</strong> name for this matching rule and as always is comprised of two parts: <strong>NAME 'caseIgnoreMatch'</strong> allows reference to this matchingrule using some semi-understandable text and the OID <strong>2.5.13.2</strong> indicates the matching rule was defined by the X.500 standards group. Rule description:</p>
<div>
<p>"The Case Ignore Match rule compares for equality a presented string
with an attibute value of type PrintableString, NumericString,
TeletexString, BMPString, UniversalString or DirectoryString without
regard for case (upper or lower) of the strings (e.g., "Dundee" and
"DUNDEE" match).</p>
<p>The rule returns TRUE if the strings are the same length and
corresponding characters are identical except possibly with regard to
case. </p>
</div>
<p><strong>SYNTAX 1.3.6.1.4.1.1466.115.121.1.15</strong> defines that this matchingrule operates on the type(s) defined - in this case a DirectoryString (a UTF-8 format string).</p>
<h3>OpenLDAP built-in matchingRules</h3>
<p>This list below can be found for OpenLDAP by interrogating the <strong>subschema</strong> using a command like:</p>
<pre>ldapsearch -H ldap://ldap.example.com -x -s base -b "cn=subschema"<br />
"(objectclass=*)" matchingrules<br />
# matchingrules may be changed to <br />
# attributetypes objectclasses etc., etc.<br />
</pre>
<p>The above command should be on a single line - it is split for HTML
formatting reasons only. Replace ldap.example.com with the host name of
your LDAP server. If the server is running locally you can omit the -H
argument.</p>
<p>Alternatively use any good LDAP browser with a Root DN of "cn=subschema"</p>
<p>The above command will return this list (OpenLDAP 2.1.12 on FreeBSD):</p>
<pre># Subschema<br />
dn: cn=Subschema<br />
matchingRules: ( 2.5.13.0 NAME 'objectIdentifierMatch'<br />
SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 )<br />
matchingRules: ( 2.5.13.1 NAME 'distinguishedNameMatch'<br />
SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )<br />
matchingRules: ( 2.5.13.2 NAME 'caseIgnoreMatch'<br />
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )<br />
matchingRules: ( 2.5.13.3 NAME 'caseIgnoreOrderingMatch'<br />
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )<br />
matchingRules: ( 2.5.13.4 NAME 'caseIgnoreSubstringsMatch'<br />
SYNTAX 1.3.6.1.4.1.1466.115.121.1.58 )<br />
matchingRules: ( 2.5.13.5 NAME 'caseExactMatch'<br />
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )<br />
matchingRules: ( 2.5.13.6 NAME 'caseExactOrderingMatch'<br />
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )<br />
matchingRules: ( 2.5.13.7 NAME 'caseExactSubstringsMatch'<br />
SYNTAX 1.3.6.1.4.1.1466.115.121.1.58 )<br />
matchingRules: ( 2.5.13.8 NAME 'numericStringMatch'<br />
SYNTAX 1.3.6.1.4.1.1466.115.121.1.36 )<br />
matchingRules: ( 2.5.13.10 NAME 'numericStringSubstringsMatch'<br />
SYNTAX 1.3.6.1.4.1.1466.115.121.1.58 )<br />
matchingRules: ( 2.5.13.13 NAME 'booleanMatch'<br />
SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 )<br />
matchingRules: ( 2.5.13.14 NAME 'integerMatch'<br />
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )<br />
matchingRules: ( 2.5.13.15 NAME 'integerOrderingMatch' <br />
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )<br />
matchingRules: ( 2.5.13.16 NAME 'bitStringMatch'<br />
SYNTAX 1.3.6.1.4.1.1466.115.121.1.6 )<br />
matchingRules: ( 2.5.13.17 NAME 'octetStringMatch'<br />
SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )<br />
matchingRules: ( 2.5.13.18 NAME 'octetStringOrderingMatch'<br />
SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )<br />
matchingRules: ( 2.5.13.20 NAME 'telephoneNumberMatch'<br />
SYNTAX 1.3.6.1.4.1.1466.115.121.1.50 )<br />
matchingRules: ( 2.5.13.21 NAME 'telephoneNumberSubstringsMatch'<br />
SYNTAX 1.3.6.1.4.1.1466.115.121.1.58 )<br />
matchingRules: ( 2.5.13.23 NAME 'uniqueMemberMatch'<br />
SYNTAX 1.3.6.1.4.1.1466.115.121.1.34 )<br />
matchingRules: ( 2.5.13.27 NAME 'generalizedTimeMatch'<br />
SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )<br />
matchingRules: ( 2.5.13.28 NAME 'generalizedTimeOrderingMatch'<br />
SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )<br />
matchingRules: ( 2.5.13.29 NAME 'integerFirstComponentMatch'<br />
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )<br />
matchingRules: ( 2.5.13.30 NAME 'objectIdentifierFirstComponentMatch'<br />
SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 )<br />
matchingRules: ( 2.5.13.34 NAME 'certificateExactMatch'<br />
SYNTAX 1.2.826.0.1.3344810.7.1 )<br />
matchingRules: ( 1.3.6.1.4.1.1466.109.114.1 NAME 'caseExactIA5Match'<br />
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )<br />
matchingRules: ( 1.3.6.1.4.1.1466.109.114.2 NAME 'caseIgnoreIA5Match'<br />
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )<br />
matchingRules: ( 1.3.6.1.4.1.1466.109.114.3 NAME 'caseIgnoreIA5SubstringsMatch'<br />
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )<br />
matchingRules: ( 1.3.6.1.4.1.4203.1.2.1 NAME 'caseExactIA5SubstringsMatch' <br />
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )<br />
matchingRules: ( 1.2.840.113556.1.4.803 NAME 'integerBitAndMatch'<br />
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )<br />
matchingRules: ( 1.2.840.113556.1.4.804 NAME 'integerBitOrMatch'<br />
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )<br />
</pre>
<p>You can find what the <strong>OIDs</strong> are and therefore the exact english description of the matchingRule using this <a title="" class="t-db">wonderful site</a>.</p>
<p><a ><img src="http://www.zytrax.com/images/go_up.gif" alt="Up Arrow" border="0" /></a></p>
<h2>3.6 LDAP Operational Attributes and Objects</h2>
<p>There are a bunch of attributes and objectclasses that are built
into the LDAP server and govern how it works or functions. These
attributes and object classes are typically called <strong>operational</strong>.</p>
<p>These <strong>operational thingies</strong> all live under the <a class="t-db">rootDSE</a> and are not visible in normal operations.</p>
<p>The relationship between the DIT(s) and its entries and the RootDSE and its objects is shown below:</p>
<p align="center"><img title="" src="http://www.zytrax.com/books/ldap/images/ldap-rootdse.gif" alt="" border="0" /></p>
<p>The rootDSE can be inspected using either a suitable LDAP browser (instructions for <a class="t-db">LDAPBrowser/Editor</a>) with an empty Root DN or the following command:</p>
<pre>ldapsearch -H ldap://ldap.mydomain.com -x -s base -b "" +<br />
# note the + returns operational attributes<br />
</pre>
<p>This should return something similar to that shown below (from
OpenLDAP 2.4.8) - the values in parentheses are added explanations and
are not returned by the server:</p>
<pre>dn:<br />
structuralObjectClass: OpenLDAProotDSE<br />
configContext: cn=config<br />
namingContexts: dc=example,dc=com<br />
namingContexts: dc=example,dc=net<br />
monitorContext: cn=Monitor<br />
supportedControl: 1.3.6.1.4.1.4203.1.9.1.1 (Contentsync <a class="t-db">RFC 4530</a>)<br />
supportedControl: 2.16.840.1.113730.3.4.18 (ProxiedAuthv2 <a class="t-db">RFC 4370</a>)<br />
supportedControl: 2.16.840.1.113730.3.4.2 (ManageDSAIT <a class="t-db">RFC3377</a>)<br />
supportedControl: 1.3.6.1.4.1.4203.1.10.1 (SubEntries <a class="t-db">RFC3673</a>)<br />
supportedControl: 1.2.840.113556.1.4.319 (pagedResults <a class="t-db">RFC2696</a>)<br />
supportedControl: 1.2.826.0.1.3344810.2.3 (MatchedValues <a class="t-db">RFC3876</a>)<br />
supportedControl: 1.3.6.1.1.13.2 (Post Read <a class="t-db">RFC4527</a>)<br />
supportedControl: 1.3.6.1.1.13.1 (Pre-Read <a class="t-db">RFC4527</a>))<br />
supportedControl: 1.3.6.1.1.12 (Assertion <a class="t-db">RFC4528</a>)<br />
supportedExtension: 1.3.6.1.4.1.4203.1.11.1 (ModifyPassword <a class="t-db">RFC3088</a>)<br />
supportedExtension: 1.3.6.1.4.1.4203.1.11.3 (WhoAmI <a class="t-db">RFC4532</a>)<br />
supportedExtension: 1.3.6.1.1.8 (Cancel <a class="t-db">RFC3909</a>)<br />
supportedFeatures: 1.3.6.1.1.14 (Modify-Increment <a class="t-db">RFC4525</a>)<br />
supportedFeatures: 1.3.6.1.4.1.4203.1.5.1 (OperationalAttrs <a class="t-db">RFC3674</a>)<br />
supportedFeatures: 1.3.6.1.4.1.4203.1.5.2 (ObjectClassAttrs <a class="t-db">RFC4529</a>)<br />
supportedFeatures: 1.3.6.1.4.1.4203.1.5.3 (TrueFalse <a class="t-db">RFC4526</a>)<br />
supportedFeatures: 1.3.6.1.4.1.4203.1.5.4 (LanguageTag <a class="t-db">RFC3866</a>)<br />
supportedFeatures: 1.3.6.1.4.1.4203.1.5.5 (LanguageRange <a class="t-db">RFC3866</a>)<br />
supportedLDAPVersion: 3<br />
supportedSASLMechanisms: NTLM<br />
supportedSASLMechanisms: GSSAPI<br />
supportedSASLMechanisms: DIGEST-MD5<br />
supportedSASLMechanisms: CRAM-MD5<br />
entryDN:<br />
subschemaSubentry: cn=Subschema<br />
</pre>
<p>An explanation of each <strong>supportedExtension</strong> can be found using this <a title="" class="t-db">wonderful site</a>. The above listing shows this LDAP server supports two <a title="" class="t-db">DITs</a> - shown as <strong>namingContexts</strong> - <a title="" class="t-db">which were configured using this process</a>.</p>
<p>It is possible to add extensions using the OpenLDAP slapd.conf <a title="" class="t-db">rootDSE</a> directive.</p>
<p><br />
</p>
<p>鍙傝URL錛?/p>
<p>http://www.zytrax.com/books/ldap/ch3/</p>
</div>
<img src ="http://www.tkk7.com/liuzheng/aggbug/267316.html" width = "1" height = "1" /><br><br><div align=right><a style="text-decoration:none;" href="http://www.tkk7.com/liuzheng/" target="_blank">鍒橀摦 </a> 2009-04-24 11:07 <a href="http://www.tkk7.com/liuzheng/articles/267316.html#Feedback" target="_blank" style="text-decoration:none;">鍙戣〃璇勮</a></div>]]></description></item><item><title>Ldap ldap-schemahttp://www.tkk7.com/liuzheng/articles/267314.html鍒橀摦 鍒橀摦 Fri, 24 Apr 2009 03:00:00 GMThttp://www.tkk7.com/liuzheng/articles/267314.htmlhttp://www.tkk7.com/liuzheng/comments/267314.htmlhttp://www.tkk7.com/liuzheng/articles/267314.html#Feedback0http://www.tkk7.com/liuzheng/comments/commentRss/267314.htmlhttp://www.tkk7.com/liuzheng/services/trackbacks/267314.html
http://www.it.ufl.edu/projects/directory/ldap-schema/
