
Re: Understanding LDAP structures



On Sun, Apr 20, 2003 at 07:20:23AM +0100, Alan Chandler wrote:
> On Saturday 19 Apr 2003 10:31 pm, nate wrote:
> > http://howto.aphroland.de/HOWTO/LDAP
> 
> Yes - one of the clearer ones.  But I note you seem to be having some
> conceptual problems - you say you are not really sure what
> objectClass is all about.

LDAP is sort of a hybrid of object-oriented and hierarchical data. LDAP
entries are organized in a hierarchy, but each entry is an object with
one or more parent classes (multiple inheritance, if you're a
programmer). The objectClass attribute(s) specify the parent class(es).

An objectClass is defined in a schema; it's what specifies what
attributes (data) are mandatory (MUST) and what attributes are optional
(MAY). An objectClass can be defined as structural or auxiliary, and as I
recall each LDAP entry must have at least one structural objectClass.
Not all LDAP servers enforce that rule, though - I think OpenLDAP 2.0
doesn't and 2.1 does.

> So far I have set up what's there with the standard debian install.  This
> asks me what the base suffix is, and that's set
> 
> dc=chandlerfamily, dc=org, dc=uk
> 
> I can now browse what I have with gq and this seems to have three sub
> sections below this.  There are
> 
> cn=admin ou=people, and ou=roaming
> 
> Now, why are these particular two letters used (i.e. cn, or ou) and
> where do I find out what they are?  If I go to any one of them there
> are a whole set of parameters set - again I have no idea what they
> are.

cn=admin is an object representing your administrative account on the
LDAP server (the full DN is cn=admin,dc=chandlerfamily,dc=org,dc=uk).
It's an LDAP user account. Using the cn for the distinguished name is
really just a convention; in the past I've set up accounts using uid for
the distinguished name. That was for Websphere authentication, not for
UNIX user accounts, but I think it should work either way as long as all
the attributes are set up correctly.

ou means the entry is an "organizational unit". ou is a structural
object that logically fits under an organization (o), but doesn't
actually have to go under one in the LDAP hierarchy. An ou (and other
parts of the tree like o and dc) has its own attributes, but is also a
part of the hierarchical arrangement of the data and can have other LDAP
entries under it. ou=people is the standard tree for UNIX user accounts
stored in LDAP with the NIS-compatible schema.

If you want to know more about the NIS schema for LDAP and the standard
way things are set up you should probably look at padl.com's
documentation. Most of the names and structure are really just a matter
of convention or standardization - it's not the only way you could do
it, it may not even be the best way, but it's the way software will
expect things to be and using anything else will make life difficult.
padl.com also has some scripts to automate migrating existing accounts
and data to LDAP.

-- 
Michael Heironimus
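The points in this reply (objectClass as a list of parent classes, MUST and MAY attributes from a schema, the "at least one structural objectClass" rule, and DNs as a path through a hierarchy) can be seen concretely with a small LDIF parser and schema checker. The code below is an added example written for this thread, not code from the original post, the Debian packages or padl.com. The schema table uses real core/nis objectClass names and kinds, but the MUST/MAY sets are trimmed to what the example needs; the LDIF is constructed to mirror the tree described above (the `userPassword` is a placeholder hash, and the `uid=alan`/`uid=bob` entries are invented, with `uid=bob` deliberately broken), and the checker is a simplification: it treats `top` as the implicit superclass of everything and does not follow deeper superclass chains.

```python
import base64

# Constructed schema fragment: real core/nis objectClass names and kinds, MUST/MAY sets trimmed to this example.
SCHEMA = {
    "top": ("abstract", {"objectClass"}, set()),
    "dcObject": ("auxiliary", {"dc"}, set()),
    "organization": ("structural", {"o"}, {"description"}),
    "organizationalUnit": ("structural", {"ou"}, {"description"}),
    "organizationalRole": ("structural", {"cn"}, {"description"}),
    "simpleSecurityObject": ("auxiliary", {"userPassword"}, set()),
    "account": ("structural", {"uid"}, {"description"}),
    "posixAccount": ("auxiliary", {"cn", "uid", "uidNumber", "gidNumber", "homeDirectory"},
                     {"userPassword", "loginShell", "gecos", "description"}),
}

# Constructed LDIF modelled on the tree in the thread; uid=bob is deliberately broken.
SAMPLE_LDIF = """\
dn: dc=chandlerfamily,dc=org,dc=uk
objectClass: top
objectClass: dcObject
objectClass: organization
dc: chandlerfamily
o: Chandler family

dn: cn=admin,dc=chandlerfamily,dc=org,dc=uk
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
userPassword:: e1NTSEF9cGxhY2Vob2xkZXI=

dn: ou=people,dc=chandlerfamily,dc=org,dc=uk
objectClass: organizationalUnit
ou: people

dn: uid=alan,ou=people,dc=chandlerfamily,dc=org,dc=uk
objectClass: account
objectClass: posixAccount
uid: alan
cn: Alan Chandler
uidNumber: 1000
gidNumber: 1000
homeDirectory: /home/alan

dn: uid=bob,ou=people,dc=chandlerfamily,dc=org,dc=uk
objectClass: posixAccount
uid: bob
cn: Bob
uidNumber: 1001
gidNumber: 1001
"""

def parse_ldif(text):
    """Parse LDIF into [{'dn': str, 'attrs': {name: [values]}}]: unfold folded lines, decode 'name:: base64'."""
    entries = []
    for block in text.replace("\n ", "").split("\n\n"):   # a newline followed by a space is a fold
        entry = None
        for line in block.splitlines():
            if not line.strip() or line.startswith("#"):
                continue
            name, _, value = line.partition(":")
            value = base64.b64decode(value[1:].strip()).decode() if value.startswith(":") else value.strip()
            if name == "dn":
                entry = {"dn": value, "attrs": {}}
            else:
                entry["attrs"].setdefault(name, []).append(value)
        if entry:
            entries.append(entry)
    return entries

def check_entry(entry, schema=SCHEMA):
    """Schema problems a strict server would reject the entry for ('top' implicit, no deeper superclass chains)."""
    problems, required, allowed, structural = [], set(), {"objectClass"}, 0
    for oc in entry["attrs"].get("objectClass", []):
        if oc not in schema:
            problems.append(f"unknown objectClass {oc}")
            continue
        kind, must, may = schema[oc]
        required |= must                      # MUST attributes accumulate across all classes
        allowed |= must | may                 # anything outside MUST/MAY of every class is rejected
        structural += kind == "structural"
    present = set(entry["attrs"])
    problems += [f"missing MUST attribute {a}" for a in sorted(required - present)]
    problems += [f"attribute {a} not allowed by any objectClass" for a in sorted(present - allowed)]
    if structural == 0:
        problems.append("no structural objectClass")
    return problems

def split_dn(dn):
    rdn, _, parent = dn.partition(",")        # leftmost RDN (e.g. 'cn=admin') and the parent's DN
    return rdn, parent                        # escaped commas in values are not handled (assumption)

def build_tree(entries):
    known = {e["dn"] for e in entries}        # map each DN to the sorted DNs directly beneath it
    return {dn: sorted(c for c in known if split_dn(c)[1] == dn) for dn in known}

if __name__ == "__main__":
    for e in parse_ldif(SAMPLE_LDIF):
        print(e["dn"], "->", check_entry(e) or "ok")
```

Running it reports `uid=bob` twice: it lacks the `homeDirectory` that posixAccount lists under MUST, and posixAccount is auxiliary, so with no structural class alongside it (such as `account`) the entry has no structural objectClass at all, which is the rule the reply says OpenLDAP 2.1 enforces. `build_tree` shows the hierarchy side: `cn=admin` and `ou=people` sit directly under the base suffix purely because their DNs end in it, and `ou=people` in turn holds the user entries, whose RDN attribute (`uid` here, `cn` for the admin entry) is only the naming convention the reply describes.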