Re: Building an LDAP database 'for dummies'

["Pierangelo Masarati" <ando@sys-net.it>]

> Howard Chu wrote:
>
>> So - "What is this tree?" - the tree is the structure you design to
>> contain the data you're going to store. Schema is just a description
>> of what kinds of data will be recognized by the server, but it doesn't
>> say anything about the location of the data. The tree structure gives
>> you the location.
>
> But WHERE is this structure I design? Is it the statements in my LDIF
> file? Is it in slapd.conf? That file includes a suffix statement and
> some include statements for schema files. Is the schema the definition
> of the hierarchy?

The structure is the data itself that you put in, by way of its DN
(distinguished name; yes, starting from an LDIF file, in any case
from some client that feeds the directory).  The slapd.conf provides
the entry point by way of the "suffix" directive which states, for
each "database" served by your slapd (there could be more than one),
what suffix (trailing part of the DN) that slapd is serving.

Note that the suffix can be the empty string, "", for those who want
to serve, say, any trailing part; this is not the usual case.  Typical
suffixes are, for "Example, Inc." in the US, "o=Example,c=US"; or,
if the same comopany registered the domain "example.com",
"dc=example,dc=com".

>
> I understand the concept of hierarchy. Do I have to define everything up
> to the entire universe? There is an "objectClass: top" statement that
> should allow me to stop at some lower level.
>
> My hierarchy is:
>
>   This database
>           Users with attributes such as email address, phone number, etc.
>
> My suffix statement (organization is the top of my hierarchy):
> suffix o=MyOrg
>
> My LDIF (just one user entry):
>
> dn: o=MyOrg
> objectclass: top
> objectclass: person
> objectclass: organization
> o: MyOrg

This is wrong because "person" and "organization" cannot be classes
of the same entry.  This is something that is hard to learn by example,
a good tutorial is mandatory.  Although o=MyOrg is not a common choice,
it's perfectly fine. You should do:

<file.ldif>
# LDIF treats lines starting with `#' as comments

# root of the database
dn: o=MyOrg
# objectClass: top is implicit in objectClass inheritance rules
objectClass: organization
# It is mandatory that those attributes and values
# used in the leftmost part of a DN are defined in the entry
o: MyOrg

# a place where to store users...
dn: ou=People,o=MyOrg
objectClass: organizationalUnit
ou: People

# a user
dn: cn=Jonathan Coles,ou=People,o=MyOrg
# inetOrgPerson is much better than person because
# it can contain more useful data
objectClass: inetOrgPerson
# cn and sn are required by inetOrgPerson by way of its ancestors...
cn: Jonathan Coles
sn: Coles
mail: jcoles0727@rogers.com
# add whatever else you like, provided it's allowed by inetOrgPerson...
</file.ldif>

Note that usually you need to authenticate to write to a database.
You will also need access control, so you definitely need to find
good documentation and tutorials to start.  Check out the FAQ for
directions, then google around.

p.

-- 
Pierangelo Masarati
mailto:pierangelo.masarati@sys-net.it


    SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497