7.1 Overview of Directory Schema

A directory schema specifies, among other rules, the types of objects that a directory may have and the mandatory and optional attributes of each object type. The Lightweight Directory Access Protocol (LDAP) version 3 defines a schema based on the X.500 standard for common objects found in a network, such as countries, localities, organizations, people, groups, and devices. In the LDAP v3, the schema is available from the directory. That is, it is represented as entries in the directory and its information as attributes of those entries.

7.1.1 Object Classes

An object class is an LDAP directory term that denotes the type of object being represented by a directory entry or record. There are also object classes that define an object's relationship to other objects, such as object class top denotes that the object may have subordinate objects under it in a hierarchical tree structure. Some LDAP object classes may be combined to create an entry in the directory. For example, and entry for a user uses the top, person, organizationalPerson, inetOrgPerson, and orclUserV2 object classes.

Required and Allowed Attributes

The definition of an object class includes a list of required attributes (MUST) and allowed attributes (MAY). Required attributes include the attributes that must be present in entries using the object class. Allowed attributes include the attributes that may be present in entries using the object class.

Object Class Types

The X.500 1993 specification requires that object classes be assigned to one of four categories:

Structural: Object classes that can have instances in the directory. Structural classes are used to create directory objects or entries.
Abstract: Template object classes that are used only to derive new structural classes. Abstract classes cannot be instantiated in the directory.
Auxiliary: A list of attributes that can be appended to the definition of a Structural or Abstract class. An Auxiliary class cannot be instantiated in the directory.
88 Classes: Assigning object classes to categories was not required in the X.500 1988 specification. Classes that were defined prior to the X.500 1993 standards, default to the 88 class. Do not define new 88 classes.

Object Class I nheritance

Inheritance, which is also referred to as derivation, is the ability to build new object classes from existing object classes. The new object is defined as a subclass of the parent object. A subclass is a class that inherits from some other class; for example, a subclass inherits structure and content rules from the parent. The parent object becomes a superclass of the new object. A superclass is a class from which one or more other classes inherit information.

7.1.2 Attributes

Directory data is represented as attribute-value pairs. Any piece of information in the directory is associated with a descriptive attribute. For example, the cn (commonName) attribute is used to store a nickname. A person named William (Bill) Smith can be represented in the directory as:

cn: Bill Smith

A ttribute Syntax

An attribute syntax is the basic building block of an attribute. Every attribute is assigned a syntax that defines the attribute value's data format. For example, attribute syntaxes determine whether an attribute stores an integer, string, or binary data. The syntax also defines the matching rules that control the type of comparison operations you can perform on the attribute value.

Oracle Internet Directory recognizes attribute syntax as specified in RFC 2252, that is, it enables you to associate the attribute syntax described in that document with an attribute. Oracle Internet Directory enforces attribute syntax for the following types:

DN
OID (object identifier)
Telephone Number

The following table describes the attribute syntax most commonly used in Oracle Internet Directory:

Table 7-1 A ttribu te Syntax Commonly Used in Oracle Internet Directory

Syntax and Object ID	Description
ACI Item 1.3.6.1.4.1.1466.115.121.1.1	Values for this attribute are access control identifier items.
Binary 1.3.6.1.4.1.1466.115.121.1.5	Values for this attribute are binary.
Boolean 1.3.6.1.4.1.1466.115.121.1.7	The attribute can contain only one of two values: true (1) or false (0).
Directory String 1.3.6.1.4.1.1466.115.121.1.15	Values for this attribute are strings which are not case-sensitive.
DN 1.3.6.1.4.1.1466.115.121.1.12	Values for this attribute are DNs (distinguished names).
Generalized Time 1.3.6.1.4.1.1466.115.121.1.24	Values for this attribute are encoded as printable strings. A time zone must be specified (such as GMT).
IA5String 1.3.6.1.4.1.1466.115.121.1.26	International Reference Alphabet Reference Alphabet No. 5 string. Values for this attribute are case-sensitive.
Integer 1.3.6.1.4.1.1466.115.121.1.27	Valid values for this attribute are numbers.
JPEG 1.3.6.1.4.1.1466.115.121.1.28	Valid values for this attribute are JPEG files.
Name 1.3.6.1.4.1.1466.115.121.1.34	Valid values for this attribute are names or optional UIDs.
OID 1.3.6.1.4.1.1466.115.121.1.38	A unique object identifier.
Printable String 1.3.6.1.4.1.1466.115.121.1.44	A string that does NOT allow extended characters. Values for this attribute are not case-sensitive.
Telephone Number 1.3.6.1.4.1.1466.115.121.1.50	Values for this attribute are in the form of telephone numbers.

Matching Rules

Matching rules are the rules for matching two attribute values that comply with the same attribute syntax. Oracle Internet Directory recognizes the following matching rule definitions in the schema.

accessDirectiveMatch
IntegerMatch
bitStringMatch
numericStringMatch
caseExactMatch
objectIdentifierFirstComponentMatch
caseExactIA5Match
ObjectIdentifierMatch
caseIgnoreIA5Match
OctetStringMatch
caseIgnoreListMatch
presentationAddressMatch
caseIgnoreMatch
protocolInformationMatch
caseIgnoreOrderingMatch
telephoneNumberMatch
distinguishedNameMatch
uniqueMemberMatch
generalizedTimeMatch
generalizedTimeOrderingMatch
orclpkimatchingrule

Of the matching rules in the previous list, Oracle Internet Directory actually enforces the following when it compares attribute values:

distinguishedNameMatch
caseExactMatch
caseIgnoreMatch
numericStringMatch
IntegerMatch
telephoneNumberMatch
orclpkimatchingrule

Sizing of Attribute Values

Attribute syntax does not put any specific size constraint on attribute values. You can, however, specify the size of the attribute value when defining the attribute. Some attributes in Oracle Internet Directory may have size constraints defined, however length characteristics of an attribute are not enforced.

For example, to limit an attribute foo to a size of 64, you would define the attribute as follows:

(object_identifier_of_attribute NAME 'foo' EQUALITY caseIgnoreMatch SYNTAX 'object_identifier_of_syntax{64}')

Single-Valued and Multi-Valued A ttributes

By default, most attributes are multi-valued. This means that an entry can contain the same attribute with multiple values. For single-valued attributes, only one instance of the attribute can be specified in an entry. For example, the attribute orclObjectGUID attribute can only have one possible value.

Attribute Usage

Attribute Usage defines how the attribute is used in the directory. The attribute usage types are:

userApplications - User applications attribute. This is the default attribute usage if not explicitly defined for the attribute.
directoryOperation - Directory operational attribute.
dSAOperation - DSA operational attribute.

Not User Modifiable

Attributes that are designated as "not user modifiable" can only be modified by the directory server. They cannot be modified by any other user or process.

7.1.3 LDAP Controls

As an LDAP Version 3 directory, Oracle Internet Directory extends the standard LDAP operations by using controls. These are extra pieces of information carried along with existing operations, altering the behavior of the operation. When a client application passes a control along with the standard LDAP command, the behavior of the commanded operation is altered accordingly.

Table 7-2 Controls Supported by Oracle Internet Directory

Object Identifier of Control	Description
2.16.840.1.113894.1.8.3	Specifies the attribute used to build an implicit hierarchy. For example, (`manager=cn=john doe,o=foo`) specifies the query for all people reporting directly or indirectly to John Doe. The implicit hierarchy is based on the manager attribute. The base of the search is ignored for such queries.
2.16.840.1.113894.1.8.4	Intended for a client to send the end user IP address if IP lockout is to be enforced by Oracle Internet Directory.
2.16.840.1.113894.1.8.5	Used with dynamic groups. Directs the directory server to read the specific attributes of the members rather than the membership lists.
2.16.840.1.113894.1.8.6	Password policy control. Request control that the client sends to get a response from the server.
2.16.840.1.113894.1.8.7	Password policy control. Response control that the server sends when the `pwdExpireWarning` attribute is enabled and the client sends the request control. The response control value contains the time in seconds to password expiration.
2.16.840.1.113894.1.8.8	Password policy control. The response control that the server sends when grace logins are configured and the client sends a request control. The response control value contains the remaining number of grace logins.
2.16.840.1.113894.1.8.9	Password policy control. The response control that the server sends when forced password reset is enabled and the client sends the request control. The client must force the user to change the password upon receipt of this control.
2.16.840.1.113894.1.8.23	Certificate search control. The request control that the client sends to specify how to search for a user certificate.

7.1.3.1 Control s for Password Policy

The following table lists and describes the password policy controls:

Table 7-3 Password Policy Controls

Object ID	Exception	Description
2.16.840.1.113894.1.8.6	OID_PASSWORD_REQUEST_CONTROL	The request control that the client sends to get a response from the server.
2.16.840.1.113894.1.8.7	OID_PASSWORD_EXPWARNING_CONTROL	The response control that the server sends when the pwdExpireWarning attribute is enabled and the client sends the request control. The response control value contains the time in seconds to password expiration.
2.16.840.1.113894.1.8.8	OID_PASSWORD_GRACELOGIN_CONTROL	The response control that the server sends when grace logins are configured and the client sends a request control. The response control value contains the remaining number of grace logins.
2.16.840.1.113894.1.8.9	OID_PASSWORD_MUSTCHANGE_CONTROL	The response control that the server sends when forced password reset is enabled and the client sends the request control. The client must force the user to change the password upon receipt of this control.

7.1.3.2 Controls for Dynamic Password Verifiers

The following table lists and describes the dynamic password verifier controls:

Table 7-4 Dynamic Password Verifier Controls

Object ID	Exception	Description
2.16.840.1.113894.1.8.14	OID_DYNAMIC_VERIFIER_REQUEST_CONTROL	The request control that the client sends when it wants the server to create a dynamic password verifier. The server uses the parameters in the request control to construct the verifier.
2.16.840.1.113894.1.8.15	OID_DYNAMIC_VERIFIER_RESPONSE_CONTROL	The response control that the server sends to the client when an error occurs. The response control contains the error code.