LDAP: Information Model Part 2 CNS 4650 Fall 2004 Rev. 2

LDAP Informational Model LDAP represented by entries Entries belong to one or more object classes Object classes is defined by attributes Attributes consist of a type and one or more values Schema defines object classes and attributes

Attributes Types Building blocks of LDAP entries Attributes types are defined in schema Attributes Types are built with the following components: Name Object Indentifier (OID) Syntax Matching Rules Inheritence

Name Case in-sentitive Can contain only letters, numbers, dashes, and semi-colons Standard convention is single words are lower case, capitalize the first letter of multiple words (no spaces) LettersgivenName Numbersx509Certificate Dashtest-attribute Semicolonx509Certificate;binary

Object Indentifiers (OID) ASN.1 Number Allow the attribute type to be globally unique Allow for different attribute names Different languages

Syntax Definitions Tells the user or server how to handle the data LDAP defines a number of different syntaxes Example UID is defined as a string If an integer is placed in the UID value arithmetic operations cannot be preformed on that value The integer is treated as string not a number Similar to programming languages

Syntax Definitions Syntax have OIDs Defines the syntaxes across languages Reduces english dependences

Syntax Definitions Basic Directory String Printable unicode strings encoded in UTF-8 Binary Non-printable binary data Complex Certificate Complex, binary-encoded certificate Telephone Number String, non-numeric content is not searched

Syntax OIDs (RFC 2252) Attribute Type Description Y Audio N Binary N Bit String Y Boolean Y Certificate N Certificate List N Certificate Pair N Country String Y DN Y Data Quality Syntax Y Delivery Method Y Directory String Y IA5 String Y INTEGER Y JPEG N

Syntax Examples

Matching Rules Defines how the attribute should be searched Number of possible assertions are handled LDAP clients do not specify which rule they wish to use, the server decides based on matching rules defined for the attribute

Kinds of Matching Rules Equality Equality between attribute value and assertion value Greater than/Less than Ordering rules Substring If value is contained inside another value Subschema Value contained inside the schema

Matching Rules (RFC 2252) NAME 'distinguishedNameMatch' SYNTAX ) ( NAME 'caseIgnoreMatch' SYNTAX ) ( NAME 'numericStringMatch' SYNTAX ) ( NAME 'caseIgnoreListMatch' SYNTAX ) ( NAME 'integerMatch' SYNTAX )

Matching Rules ( NAME 'bitStringMatch' SYNTAX ) ( NAME 'telephoneNumberMatch' SYNTAX ) ( NAME 'presentationAddressMatch' SYNTAX ) ( NAME 'uniqueMemberMatch' SYNTAX ) ( NAME 'protocolInformationMatch' SYNTAX ) ( NAME 'generalizedTimeMatch' SYNTAX ) ( NAME 'caseExactIA5Match' SYNTAX ) ( NAME 'caseIgnoreIA5Match' SYNTAX )

Multiple Values Attributes can be defined to allow multiple values Values are NOT returned in any specific order

Inheritance Allows creation of abstract type and reduces redefinition of common types Example name attribute type Case insensitive string Case insensitive match commonName, givenName, surName These attributes have same features as name No need to redefine syntax and matching rules sup: name

Object Classes Object classes define the attributes of a particular entry Object class gives you information on the type of entry This allows the user to know the attribute the entry contains Every entry has at least one objectClass attribute

Object Class Example This entry belongs to three object classes A user can figure out what attributes are available for this entry dn: uid=dansinema,cn=users,dc=apple,dc=edu objectClass: organizationalPerson objectClass: person objectClass: top cn: Dan Sinema

Object Class Defined Name Object Identifier (OID) Inheritence Class Type Required Attribute Types Allowed Attribute Types

Object Class Name Case-insensitive Contains letter, numbers, dashes, semicolon Convention is only letters and numbers All lower case Multiple words first letter capitalized

Object Class OIDs Uniquely identify object class globally No real meaning other than to provide uniqueness

Object Class Inheritance Very similar to inheritance for attributes types ( NAME 'cartoon-character' SUP top STRUCTURAL DESC 'Cartoon character and all his/her attributes' MUST ( cn $ cartoon-catchPhrase $ cartoon-homeNetwork ) MAY ( cartoon-biography $ cartoon-tvShow $ cartoon-showTime $ cartoon-showDay $cartoon-tvSeasons ) )

Abstract Object Classes Never primary object class for any entry Used as a superclass One defined in LDAP “top” Every LDAP object class ultimately extends “top”

Structural Object Classes Every entry belongs to at least one structural object class Structural classes are the building blocks of LDAP ( NAME 'cartoon-character' SUP top STRUCTURAL DESC 'Cartoon character and all his/her attributes' MUST ( cn $ cartoon-catchPhrase $ cartoon-homeNetwork ) MAY ( cartoon-biography $ cartoon-tvShow $ cartoon-showTime $ cartoon-showDay $cartoon-tvSeasons ) )

Auxiliary Object Class Add secondary attributes to entries Must be added to entries which belong to at least one structural class Often used by organizations to customize objects for their environment