
Re: general question on objectclass




mailinglists wrote:

> I could not find any documentation about how to use 'objectclass='.
> There are several parameters like organization, person, top and so on
> that can or can't be set. Seems to be a hierarchical thing.

It is. In short, a directory consists of objects and the
objects have properties. Object classes denote the type
of object, attributes denote its qualities.

For example, if you would put a human and his dog in a
directory (or a dog and his human, that's subjective),
you would have something like

objectClass: person
cn: Dagobert

objectClass: dog
cn: Dogbert

Obviously, certain qualities can only belong to certain
types of objects. A computer can have an IP address. A
dog cannot. Therefore, the schema will not let you make
an entry like

objectClass: dog
cn: Dogbert
ipHostNumber: 192.168.8.32

According to the author of your schema this wouldn't make
any sense, so LDAP will reject it. Of course, if Dogbert
can speak IP natively, you would write your own schema
to allow the combination.

On the other hand, an object can be of several types and
qualities at the same time, as long as the schema thinks
that the different types are compatible with each other
and that the qualities are compatible with the types.
Therefore you can very well say

objectClass: person
objectClass: account
objectClass: posixAccount
objectClass: sambaAccount
cn: Dagobert

and with an entry like that you could (actually must)
add all the relevant account information like loginShell,
homeDirectory etc.

There are three types of object classes: structural,
auxiliary and abstract. Every object must have exactly
one structural object class. The purpose of this is
to prevent you from making entries like

objectClass: dog
objectClass: person
cn: Dogbert

You might think that Dogbert is very human, but your
schema thinks that a directory object can either be a
dog or a human, not both at the same time. Therefore,
both 'dog' and 'person' are structural object classes
and LDAP won't let you combine them with each other.
If you browse the list archives a bit, you will see
that mixing incompatible object classes with each other
is a very common mistake.

I strongly suggest that you use gq or some other similar
graphical tool to familiarise yourself with the schema
structure and all the dependencies in it. If you are new
to LDAP, trying to read the raw schema will only confuse
you and frustrate you.

> Also, I'd like to know what I can set with 'domaincomponent='.

dn: dc=ch
objectClass: top
objectClass: domain
domainComponent: ch

dn: dc=belfin,dc=ch
objectClass: top
objectClass: domain
domainComponent: belfin

Hope this helps as a little primer.

Z
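The two rules the reply describes (an attribute is only allowed if some listed object class permits it, and an entry may carry exactly one structural object class) can be checked mechanically. The following is an added example, not part of the original post or of OpenLDAP: it models a small, constructed schema in which "dog" and "computer" are hypothetical classes standing in for the post's examples, the attribute lists for person, account, posixAccount and domain are trimmed approximations of the real ones, and sambaAccount is omitted. It then runs the post's LDIF fragments through a validator and reports why each would be accepted or rejected. It goes slightly beyond the post by treating a superclass chain (organizationalPerson on top of person) as a single structural class, which is how real servers count it.

```python
# Toy model of LDAP object-class rules. Added example with a constructed,
# simplified schema; it is NOT the real OpenLDAP core/nis schema.
STRUCTURAL, AUXILIARY, ABSTRACT = "STRUCTURAL", "AUXILIARY", "ABSTRACT"

# name -> (kind, superior class, MUST attributes, MAY attributes)
# "dog" and "computer" are hypothetical classes; attribute lists are trimmed.
SCHEMA = {
    "top":                  (ABSTRACT,   None,     {"objectClass"}, set()),
    "person":               (STRUCTURAL, "top",    {"cn", "sn"},    {"telephoneNumber"}),
    "organizationalPerson": (STRUCTURAL, "person", set(),           {"title"}),
    "dog":                  (STRUCTURAL, "top",    {"cn"},          {"breed"}),
    "computer":             (STRUCTURAL, "top",    {"cn"},          {"ipHostNumber"}),
    "domain":               (STRUCTURAL, "top",    {"dc"},          {"o"}),
    "account":              (AUXILIARY,  "top",    {"uid"},         {"host"}),
    "posixAccount":         (AUXILIARY,  "top",
                             {"cn", "uid", "uidNumber", "gidNumber", "homeDirectory"},
                             {"loginShell", "gecos", "userPassword"}),
}
ALIASES = {"domaincomponent": "dc"}          # attribute aliases, lowercase
CLASSES = {name.lower(): name for name in SCHEMA}   # case-insensitive lookup


def norm(attr):
    """Canonical lowercase attribute name (LDAP names are case-insensitive)."""
    a = attr.strip().lower()
    return ALIASES.get(a, a)


def parse_ldif(text):
    """Parse one LDIF entry ('attr: value' lines) into {attr: [values]}.
    The dn line names the entry and is not an attribute, so it is skipped."""
    entry = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        if norm(name) == "dn":
            continue
        entry.setdefault(norm(name), []).append(value.strip())
    return entry


def chain(oc):
    """Yield oc and every superior class up to 'top'."""
    while oc is not None:
        yield oc
        oc = SCHEMA[oc][1]


def validate(entry):
    """Return a list of schema violations; an empty list means the entry
    would be accepted."""
    problems = []
    classes = set()
    for name in entry.get("objectclass", []):
        canonical = CLASSES.get(name.lower())
        if canonical is None:
            problems.append(f"unknown objectClass {name}")
            continue
        classes.update(chain(canonical))   # listing 'person' implies 'top'

    # Rule 1: exactly one structural object class. A superclass chain such
    # as organizationalPerson -> person counts as one; dog + person does not.
    structural = {c for c in classes if SCHEMA[c][0] == STRUCTURAL}
    leaves = {c for c in structural
              if not any(c in list(chain(o))[1:] for o in structural)}
    if len(leaves) != 1:
        problems.append("need exactly one structural class, got "
                        f"{sorted(leaves) or 'none'}")

    # Rule 2: every attribute must be MUST or MAY of some listed class,
    # and every MUST attribute of every listed class must be present.
    must = {norm(a) for c in classes for a in SCHEMA[c][2]}
    may = {norm(a) for c in classes for a in SCHEMA[c][3]}
    for attr in entry:
        if attr not in must and attr not in may:
            problems.append(f"attribute {attr} not allowed by {sorted(classes)}")
    for attr in sorted(must - set(entry)):
        problems.append(f"required attribute {attr} missing")
    return problems


# Constructed LDIF fragments following the post's examples.
EXAMPLES = {
    "dog with IP": "objectClass: dog\ncn: Dogbert\nipHostNumber: 192.168.8.32",
    "dog and person": "objectClass: dog\nobjectClass: person\ncn: Dogbert\nsn: Dogbert",
    "incomplete account": ("objectClass: person\nobjectClass: account\n"
                           "objectClass: posixAccount\ncn: Dagobert"),
    "complete account": ("objectClass: person\nobjectClass: account\n"
                         "objectClass: posixAccount\ncn: Dagobert\nsn: Duck\n"
                         "uid: dagobert\nuidNumber: 1001\ngidNumber: 100\n"
                         "homeDirectory: /home/dagobert\nloginShell: /bin/sh"),
    "domain": "dn: dc=ch\nobjectClass: top\nobjectClass: domain\ndomainComponent: ch",
}


def check_all():
    """Validate every example; returns {name: [problems]}."""
    return {name: validate(parse_ldif(ldif)) for name, ldif in EXAMPLES.items()}


if __name__ == "__main__":
    for name, problems in check_all().items():
        print(f"{name}: {'OK' if not problems else '; '.join(problems)}")
```

The "incomplete account" case is the one the post warns about: listing posixAccount makes loginShell permitted but makes uid, uidNumber, gidNumber and homeDirectory mandatory, so the entry is rejected until they are supplied.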