ldapschema.1 (2010 09)

ManualsBrandsHP ManualsSoftwareHP-UX Manpages

ldapschema(1) ldapschema(1)

NAME

ldapschema - determines the status of an LDAP schema on the LDAP directory server and extends the

LDAP directory server schema with new attribute types and object classes.

SYNOPSIS

ldapschema -q schema -T ds_type -V

ds_version [options ]

ldapschema -e schema -T ds_type -V

ds_version [options ]

DESCRIPTION

The

ldapschema utility allows schema developers to deﬁne LDAP schemas using a universal XML syn-

tax, greatly simplifying the ability to support different directory server variations. It can be used to query

the current status of the LDAP schema on the LDAP directory server, as well as extend the LDAP direc-

tory server schema with new attribute types and object classes. The

ldapschema utility was designed

to support directory servers from several vendors and is currently supported with HP-UX Directory

Server, Red Hat Directory Server and Microsoft Windows Active Directory Server.

ldapschema supports two modes of operation:

1. Query mode determines the current status of the LDAP schema on the LDAP directory server.

ldapschema checks if any attribute types and object classes of the LDAP schema are already

installed on the LDAP server. Also, it determines if deﬁnitions installed on the LDAP server match

deﬁnitions speciﬁed in the schema deﬁnition ﬁle being queried.

2. Extend mode adds deﬁnitions of attribute types and object classes that are not yet installed on the

LDAP server to that LDAP server’s schema. Only new valid attribute types and object classes can be

added to the LDAP server schema. To execute the

ldapschema utility in the Extend mode

, most

LDAP directory servers require specifying the distinguished name and password of an administrator

who has permissions to modify the schema on that server.

ldapschema uses the following XML ﬁles:

• LDAP schema deﬁnition ﬁles (see the SCHEMA DEFINITION FILE section below).

• Files containing matching rules and syntaxes supported on the LDAP server in case the LDAP server

does not provide them directly (see the LDAP DIRECTORY SERVER DEFINTION FILE section

below).

• Mapping rules for unsupported matching rules and syntaxes ﬁle (see the MAPPING UNSUPPORTED

MATCHING RULES AND LDAP SYNTAXES section below).

This manpage describes the use of

ldapschema, including the command line, environment variables

and the XML ﬁles format.

Required Command Options

ldapschema requires these options:

-q schema Queries schema status on the LDAP directory server without applying any changes to the

LDAP directory server. Schema deﬁnition is obtained from the speciﬁed schema ﬁle. See

the SCHEMA DEFINITION FILE section for details.

-e schema Extends the LDAP directory server schema with attribute types and object classes deﬁned in

the speciﬁed schema . Schema deﬁnition is obtained from the schema ﬁle. See the SCHEMA

DEFINITION FILE section for details. On most LDAP directory servers this option requires

specifying the -D binddn option and either the -j filename or the -w - option to

specify the credentials of an administrator who has permissions to modify the schema on the

directory server.

-T ds_type Speciﬁes the type of LDAP directory server. The following types of LDAP directory servers

are fully supported by ldapschema:

Type of Directory Server ds_type

Active Directory Server ads

Red Hat Directory Server rhds

HP-UX Directory Server hpds

The

ldapschema utility may work with other types of LDAPv3 directory servers, although

its behavior has not been fully validated.

HP-UX 11i v3: June 2010 Web Release − 1 − Hewlett-Packard Company 1

Summary of content (22 pages)

PAGE 1
ldapschema(1) ldapschema(1) NAME ldapschema - determines the status of an LDAP schema on the LDAP directory server and extends the LDAP directory server schema with new attribute types and object classes.
PAGE 2
ldapschema(1) ldapschema(1) The names of the following LDAPv3 directory servers are reserved for future support: Type of Directory Server Oracle Internet Directory Novell e-Directory IBM Tivoli Directory Server MAC OS X Directory Server Computer Associates DS Sun ONE Directory Server iPlanet Directory Server ds_type oracle eDirectory ibm mac ca sun iPlanet -V ds_version Specifies the version of LDAP directory server.
PAGE 3
ldapschema(1) ldapschema(1) -ZZ Starts TLS request. -ZZZ Enforces start of TLS request (requires successful server response). -P path Specifies path to SSL certificate database containing cert8.db and key3.db files. Default: /etc/opt/ldapux. -3 Verifies hostnames in SSL certificates. -s - Disables syntax substitution in attribute types.
PAGE 4
ldapschema(1) ldapschema(1) LDAP_HOST uses the following format: hostname :port . If port is not specified, the default port number is 389 for regular connections, or 636 for SSL connections. Options specified on the command line override the environmental variables. For example, if -j /tmp/secret.txt is specified on the command line, and LDAP_BINDCRED environmental variable is set, the password of the LDAP directory server administrator is obtained from file name /tmp/secret.txt.
PAGE 5
ldapschema(1) Line Line Line Line Line Line Line Line Line Line Line ldapschema(1) 30: 31: 32: 1.3.18.0.2.6.253 33: printerLPR 34: LPR information 35: AUXILIARY 36: printer-name 37: printer-aliases 38: 39: 40: Lines 1-2 are required in every schema definition file. Attribute type and object class definitions closely follow the format specified in RFC 2252.
PAGE 6
ldapschema(1) ldapschema(1) Optional, use if the NO-USER-MODIFICATION flag is set. At most one noUserModification flag can be specified. Optional, must contain one of the following possible values: userApplications, directoryOperation, distributedOperation, or dSAOperation. At most one usage value can be specified. Optional, use if an attribute type requires indexing. At most one indexed flag can be set.
PAGE 7
ldapschema(1) ldapschema(1) same schema definition file. Optional, use if an object class has optional attributes. The specified attributes must already exist on the LDAP directory server, or must its definition must be specified in the same schema definition file. Optional. Defines the recommended attribute to use for the Relative Distinguished Name (RDN) for new entries created with this object class. Currently, applies only to Active Directory Server (ADS).
PAGE 8
ldapschema(1) Line Line Line Line Line Line Line Line Line Line Line Line Line Line Line Line Line Line Line ldapschema(1) 1: 2: 1.23.456.7.89101112.1.314.1.51.6 3: sampleAttribute 4: my-sample-attribute 6: caseIgnoreMatch 7: 1.3.6.1.4.1.1466.115.121.1.15 8: PAGE 9
ldapschema(1) ldapschema(1) LDAP DIRECTORY SERVER DEFINTION FILE In order to properly install new attribute types on the LDAP directory server schema, the ldapschema utility needs to determine whether the LDAP server supports the matching rules and LDAP syntaxes used by the new attribute type definitions. The ldapschema utility performs an LDAP search for supported matching rules and syntaxes on the LDAP server.
PAGE 10
ldapschema(1) ldapschema(1) Defining Matching Rules Each can contain the following case-sensitive tags, in the order specified: Required. Exactly one numeric id must be specified. Required. At least one matching rule type name must be specified. Do not use quotes around the name values. Optional. At most one description can be specified. Optional, use only if applicable.
PAGE 11
ldapschema(1) ldapschema(1) 1.3.6.1.4.1.1466.115.121.1.15 Directory String syntax. integerMatch numericStringMatch 1.3.6.1.4.1.1466.115.121.1.26 IA5 String syntax. 2.5.5.
PAGE 12
ldapschema(1) ldapschema(1) EXAMPLES To query the status of RFC 3712 schema on the HP-UX Directory Server 8.1, execute the following command: ldapschema -q /etc/opt/ldapux/schema/rfc3712.xml -T hpds -V 8.1 Note that LDAP directory server version number bears no effect unless also specified in the XML files being processed. Version specification must follow the same format as version specification used in the /etc/opt/ldapux/schema/rfc3712.xml and /etc/opt/ldapux/schema/map-rules.xml files.
PAGE 13
ldapschema(1) ldapschema(1) [The SCHEMA_FOUND message indicates one or more attribute type or object class definitions specified in the file are already installed in the LDAP server schema. Such elements will be excluded from being extended on the LDAP server. Only attribute types and object classes with new and unique numeric oids and names can be added to the LDAP server schema. Check the messages containing ATTRIB_FOUND and OBJECT_FOUND described below for details.
PAGE 14
ldapschema(1) ldapschema(1) SCHEMA_INVALID: file "" contains one or more invalid definitions of attribute types and/or object classes. Review the messages above and correct any errors in the schema definition file. [The SCHEMA_INVALID message indicates some of the attribute types and/or object classes specified in the file have invalid definitions. This condition occurs if the definition does not conform to the LDAP directory server schema policies or the DTD template.
PAGE 15
ldapschema(1) ldapschema(1) directoryOperation, distributedOperation, dSAOperation or userApplications. Any other usage values are rejected. If the tag is not specified in the definition, the default attribute type usage value is userApplications. See RFC 2252 for details.] ---------------------------------------------------------------------- ATTRIB_INVALID: attribute type "" has an invalid numericoid.
PAGE 16
ldapschema(1) ldapschema(1) [This message indicates the supertype specified with the tag in the given attribute type definition is undefined. Edit the file to correct the name of the supertype in the attribute type definition. The supertype used in the attribute type definition must be defined either in the LDAP directory server schema or in the file before this attribute type can be installed.
PAGE 17
ldapschema(1) ldapschema(1) because it is already part of the LDAP schema. [This message indicates the LDAP directory server schema already includes a definition of an attribute type definition with the same numeric oid or name.] ---------------------------------------------------------------------- ATTRIB_REJECTED: attribute type "" will not be added to the LDAP server schema because its definition is invalid. [This message indicates definition of the specified attribute type is invalid.
PAGE 18
ldapschema(1) ldapschema(1) See RFC 2252 for details.] ---------------------------------------------------------------------- OBJECT_INVALID: object class "

ldapschema.1 (2010 09)

Summary of content (22 pages)

PAGE 19

PAGE 20

PAGE 21

PAGE 22