Oracle® Identity Management User Reference
10g Release 2 (10.1.2) B15883-01 |
|
Previous |
Next |
A directory schema specifies, among other rules, the types of objects that a directory may have and the mandatory and optional attributes of each object type. The Lightweight Directory Access Protocol (LDAP) version 3 defines a schema based on the X.500 standard for common objects found in a network, such as countries, localities, organizations, people, groups, and devices. In the LDAP v3, the schema is available from the directory. That is, it is represented as entries in the directory and its information as attributes of those entries.
An object class is an LDAP directory term that denotes the type of object being represented by a directory entry or record. There are also object classes that define an object's relationship to other objects, such as object class top
denotes that the object may have subordinate objects under it in a hierarchical tree structure. Some LDAP object classes may be combined to create an entry in the directory. For example, and entry for a user uses the top
, person
, organizationalPerson
, inetOrgPerson
, and orclUserV2
object classes.
Required and Allowed Attributes
The definition of an object class includes a list of required attributes (MUST) and allowed attributes (MAY). Required attributes include the attributes that must be present in entries using the object class. Allowed attributes include the attributes that may be present in entries using the object class.
The X.500 1993 specification requires that object classes be assigned to one of four categories:
Structural: Object classes that can have instances in the directory. Structural classes are used to create directory objects or entries.
Abstract: Template object classes that are used only to derive new structural classes. Abstract classes cannot be instantiated in the directory.
Auxiliary: A list of attributes that can be appended to the definition of a Structural or Abstract class. An Auxiliary class cannot be instantiated in the directory.
88 Classes: Assigning object classes to categories was not required in the X.500 1988 specification. Classes that were defined prior to the X.500 1993 standards, default to the 88 class. Do not define new 88 classes.
Inheritance, which is also referred to as derivation, is the ability to build new object classes from existing object classes. The new object is defined as a subclass of the parent object. A subclass is a class that inherits from some other class; for example, a subclass inherits structure and content rules from the parent. The parent object becomes a superclass of the new object. A superclass is a class from which one or more other classes inherit information.
Directory data is represented as attribute-value pairs. Any piece of information in the directory is associated with a descriptive attribute. For example, the cn
(commonName
) attribute is used to store a nickname. A person named William (Bill) Smith can be represented in the directory as:
cn: Bill Smith
An attribute syntax is the basic building block of an attribute. Every attribute is assigned a syntax that defines the attribute value's data format. For example, attribute syntaxes determine whether an attribute stores an integer, string, or binary data. The syntax also defines the matching rules that control the type of comparison operations you can perform on the attribute value.
Oracle Internet Directory recognizes attribute syntax as specified in RFC 2252, that is, it enables you to associate the attribute syntax described in that document with an attribute. Oracle Internet Directory enforces attribute syntax for the following types:
DN
OID (object identifier)
Telephone Number
The following table describes the attribute syntax most commonly used in Oracle Internet Directory:
Table 7-1 Attribute Syntax Commonly Used in Oracle Internet Directory
Syntax and Object ID | Description |
---|---|
ACI Item 1.3.6.1.4.1.1466.115.121.1.1 |
Values for this attribute are access control identifier items. |
Binary 1.3.6.1.4.1.1466.115.121.1.5 |
Values for this attribute are binary. |
Boolean 1.3.6.1.4.1.1466.115.121.1.7 |
The attribute can contain only one of two values: true (1) or false (0). |
Directory String 1.3.6.1.4.1.1466.115.121.1.15 |
Values for this attribute are strings which are not case-sensitive. |
DN 1.3.6.1.4.1.1466.115.121.1.12 |
Values for this attribute are DNs (distinguished names). |
Generalized Time 1.3.6.1.4.1.1466.115.121.1.24 |
Values for this attribute are encoded as printable strings. A time zone must be specified (such as GMT). |
IA5String 1.3.6.1.4.1.1466.115.121.1.26 |
International Reference Alphabet Reference Alphabet No. 5 string. Values for this attribute are case-sensitive. |
Integer 1.3.6.1.4.1.1466.115.121.1.27 |
Valid values for this attribute are numbers. |
JPEG 1.3.6.1.4.1.1466.115.121.1.28 |
Valid values for this attribute are JPEG files. |
Name 1.3.6.1.4.1.1466.115.121.1.34 |
Valid values for this attribute are names or optional UIDs. |
OID 1.3.6.1.4.1.1466.115.121.1.38 |
A unique object identifier. |
Printable String 1.3.6.1.4.1.1466.115.121.1.44 |
A string that does NOT allow extended characters. Values for this attribute are not case-sensitive. |
Telephone Number 1.3.6.1.4.1.1466.115.121.1.50 |
Values for this attribute are in the form of telephone numbers. |
Matching rules are the rules for matching two attribute values that comply with the same attribute syntax. Oracle Internet Directory recognizes the following matching rule definitions in the schema.
Of the matching rules in the previous list, Oracle Internet Directory actually enforces the following when it compares attribute values:
Attribute syntax does not put any specific size constraint on attribute values. You can, however, specify the size of the attribute value when defining the attribute. Some attributes in Oracle Internet Directory may have size constraints defined, however length characteristics of an attribute are not enforced.
For example, to limit an attribute foo
to a size of 64, you would define the attribute as follows:
(object_identifier_of_attribute NAME 'foo' EQUALITY caseIgnoreMatch SYNTAX 'object_identifier_of_syntax{64}')
Single-Valued and Multi-Valued Attributes
By default, most attributes are multi-valued. This means that an entry can contain the same attribute with multiple values. For single-valued attributes, only one instance of the attribute can be specified in an entry. For example, the attribute orclObjectGUID
attribute can only have one possible value.
Attribute Usage defines how the attribute is used in the directory. The attribute usage types are:
userApplications - User applications attribute. This is the default attribute usage if not explicitly defined for the attribute.
directoryOperation - Directory operational attribute.
dSAOperation - DSA operational attribute.
Attributes that are designated as "not user modifiable" can only be modified by the directory server. They cannot be modified by any other user or process.
As an LDAP Version 3 directory, Oracle Internet Directory extends the standard LDAP operations by using controls. These are extra pieces of information carried along with existing operations, altering the behavior of the operation. When a client application passes a control along with the standard LDAP command, the behavior of the commanded operation is altered accordingly.
Table 7-2 Controls Supported by Oracle Internet Directory
The following table lists and describes the password policy controls:
Table 7-3 Password Policy Controls
The following table lists and describes the dynamic password verifier controls:
Table 7-4 Dynamic Password Verifier Controls
Object ID | Exception | Description |
---|---|---|
2.16.840.1.113894.1.8.14 |
OID_DYNAMIC_VERIFIER_REQUEST_CONTROL |
The request control that the client sends when it wants the server to create a dynamic password verifier. The server uses the parameters in the request control to construct the verifier. |
2.16.840.1.113894.1.8.15 |
OID_DYNAMIC_VERIFIER_RESPONSE_CONTROL |
The response control that the server sends to the client when an error occurs. The response control contains the error code. |