OpenLDAPAdminGuide/SchemaSpecification

来自Ubuntu中文
跳到导航跳到搜索

Schema Specification(模式说明)

This chapter describes how to extend the user schema used by slapd(8). The chapter assumes the reader is familar with the LDAP/X.500 information model.
本章描述了如何扩展用于 slapd 的用户模式。本章假设读者已经熟悉 LDAP/X.500 信息模式。

The first section, Distributed Schema Files details optional schema definitions provided in the distribution and where to obtain other definitions. The second section, Extending Schema, details how to define new schema items.
第一部分:已发布的模式文件详述了在发布中提供的可选模式定义以及在何处可以获得其他定义。第二部分:扩展模式详述了如何定义新模式项。

This chapter does not discuss how to extend system schema used by slapd(8) as this requires source code modification. System schema includes all operational attribute types or any object class which allows or requires an operational attribute (directly or indirectly).
本章不讨论如何扩展用于 slapd 的系统模式,这要求修改原代码。系统模式包括所有的操作属性类型,以及任何允许或要求操作属性(直接或间接)的对象类。

Distributed Schema Files(已发布的模式文件)

OpenLDAP is distributed with a set of schema specifications for your use. Each set is defined in a file suitable for inclusion (using the include directive) in your slapd.conf(5) file. These schema files are normally installed in the /usr/local/etc/openldap/schema directory.
OpenLDAP 为您的使用发布了一系列的模式说明。每套都被定义在一个文件里,该文件适合包含(使用包含指令)在您的 slapd.conf(5) 文件中。这些模式文件通常被安装在 /usr/local/etc/openldap/schema 目录中。

Table 8.1: Provided Schema Specifications

File Description
core.schema OpenLDAP core (required)
cosine.schema Cosine and Internet X.500 (useful)
inetorgperson.schema InetOrgPerson (useful)
misc.schema Assorted (experimental)
nis.schema Network Information Services (FYI)
openldap.schema OpenLDAP Project (experimental)

To use any of these schema files, you only need to include the desired file in the global definitions portion of your slapd.conf(5) file. For example:
要使用这些模式文件,您只需将所需文件包括在您 slapd.conf(5) 文件的全局定义部分。例如:

# include schema
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema

Additional files may be available. Please consult the OpenLDAP FAQ (http://www.openldap.org/faq/).
也可以获得其他的文件。请参考 OpenLDAP FAQ(http://www.openldap.org/faq/)。


Note: You should not modify any of the schema items defined in provided files.
注意:您不应该修改所提供文件中任何模式项的定义。


Extending Schema(扩展模式)

Schema used by slapd(8) may be extended to support additional syntaxes, matching rules, attribute types, and object classes. This chapter details how to add user application attribute types and object classes using the syntaxes and matching rules already supported by slapd. slapd can also be extended to support additional syntaxes, matching rules and system schema, but this requires some programming and hence is not discussed here.
可以扩展用于 slapd(8) 的模式以支持额外的语法、匹配规则、属性类型以及对象类。本章详述了如何添加用户应用属性类型以及使用已被 slapd 支持的语法和匹配规则。slapd 也可以被扩展成支持额外语法、匹配规则和系统模式,但这需要进行部分编程,因此在这里不予讨论。

There are five steps to defining new schema:
定义新的模式有五步:

  • obtain Object Identifer(获得对象标识符)
  • choose a name prefix(选择名称前缀)
  • create local schema file(创建本地模式文件)
  • define custom attribute types (if necessary)(如果需要的话定义自定义属性类型)
  • define custom object classes(定义自定义对象类)
Object Identifiers(对象标识符)

Each schema element is identified by a globally unique Object Identifier (OID). OIDs are also used to identify other objects. They are commonly found in protocols described by ASN.1. In particular, they are heavily used by the Simple Network Management Protocol (SNMP). As OIDs are hierarchical, your organization can obtain one OID and branch it as needed. For example, if your organization were assigned OID 1.1, you could branch the tree as follows:
每个模式元素都被全球唯一的对象标识符(OID)所标识。OID 也可以用来标识其他对象。它们一般通过 ASN.1 描述的协议中找到。特别是它们被广泛使用在简单网络管理协议(SNMP)。因为 OID 是分层次的,因此您的组织可以获得一个 OID 并根据需要进行分支扩展。例如,如果您的组织被指定的 OID 是 1.1,那么您可以如下所示对该树进行分支扩展:

Table 8.2: Example OID hierarchy

OID Assignment
1.1 Organization's OID
1.1.1 SNMP Elements
1.1.2 LDAP Elements
1.1.2.1 AttributeTypes
1.1.2.1.1 myAttribute
1.1.2.2 ObjectClasses
1.1.2.2.1 myObjectClass

You are, of course, free to design a hierarchy suitable to your organizational needs under your organization's OID. No matter what hierarchy you choose, you should maintain a registry of assignments you make. This can be a simple flat file or something more sophisticated such as the OpenLDAP OID Registry (http://www.openldap.org/faq/index.cgi?file=197).
当然您可以在您组织的 OID 下自由设计适合您组织所需的层次。无论您选择的层次如何,您都应该维护一个您所做的分配注册表。它可以是一个简单的纯文本文件或是更加复杂的东西如 OpenLDAP OID 注册表 (http://www.openldap.org/faq/index.cgi?file=197)。

For more information about Object Identifers (and a listing service) see http://www.alvestrand.no/harald/objectid/.
要得到更多关于对象标识符的信息(和所列的服务)请参见 http://www.alvestrand.no/harald/objectid/

Under no circumstances should you hijack OID namespace!
在任何情况下您都不要使用伪造的 OID 名字空间!

To obtain a registered OID at no cost, apply for an OID under the Internet Assigned Numbers Authority (IANA) maintained Private Enterprise arc. Any private enterprise (organization) may request an OID to be assigned under this arc. Just fill out the IANA form at http://www.iana.org/cgi-bin/enterprise.pl and your official OID will be sent to you usually within a few days. Your base OID will be something like 1.3.6.1.4.1.X where X is an integer.
为了免费得到注册的 OID,可以向维护 Private Enterprise arch 的 Internet Assigned Numbers Authority (IANA) 申请一个 OID。任何私有企业(组织)都可以申请在该 arc 下 OID。只需填写在 http://www.iana.org/cgi-bin/enterprise.pl 中的 IANA 表单,一般在几天之后您的官方 OID 将被发送给您。您的基 OID 将会是如 1.3.6.1.4.1.X 其中 X 是个整数。


Note: Don't let the "MIB/SNMP" statement on the IANA page confuse you. OIDs obtained using this form may be used for any purpose including identifying LDAP schema elements.
注意:不要让 IANA 页面上的 "MIB/SNMP" 声明迷惑您。用这个表单获得的 OID 可以用于任何目的,包括标识 LDAP 模式元素。


Alternatively, OID name space may be available from a national authority (e.g., ANSI, BSI).
此外,OID 名称空间也可以来自国家级的权威机构(如 ANSI、BSI)。

Name Prefix(名称前缀)

In addition to assigning a unique object identifier to each schema element, you should provide a least one textual name for each element. The name should be both descriptive and not likely to clash with names of other schema elements. In particular, any name you choose should not clash with present or future Standard Track names.
除了为每个模式元素分配一个唯一的对象标识符之外,您还应该为每个元素提供至少一个文本名。该名称应该即有描述性又不会与其他模式元素冲突。尤其是您所选的任何名称都不应该与已使用或将要使用的标准路径名(Standard Track name)。

To reduce (but not eliminate) the potential for name clashes, the convention is to prefix names of non-Standard Track with a few letters to localize the changes to your organization. The smaller the organization, the longer your prefix should be.
要减少(但不是消除)潜在的名称冲突,通常是在非标准路径名前增加几个字母的前缀来定位您组织名的改变。组织名越短,您的前缀就应该越长。

In the examples below, we have chosen a short prefix 'my' (to save space). Such a short prefix would only be suitable for a very large, global organization. In general, we recommend something like 'deFirm' (German company) or 'comExample' (elements associated with organization associated with example.com).
在下面的示例中,我们选择短前缀 'my' (为了节省空间)。这么短的前缀只适用于非常大型的、全球性的组织。通常情况下,我们推荐象 'deFirm' (德国公司)或 'comExample' (与 example.com 组织相关的元素)。

Local schema file(本地模式文件)

The objectclass and attributeTypes configuration file directives can be used to define schema rules on entries in the directory. It is customary to create a file to contain definitions of your custom schema items. We recommend you create a file local.schema in /usr/local/etc/openldap/schema/local.schema and then include this file in your slapd.conf(5) file immediately after other schema include directives.
objectclass 和 attributeTypes 配置文件指令可以被用来定义目录中条目的模式规则。习惯是创建一个包含您定制模式项定义的文件。我们建议您在 /usr/local/etc/openldap/schema/ 目录中创建 local.schema 文件,然后将该文件包含在您 slapd.conf(5) 文件中其他 schema 包含指令之后。

# include schema
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
# include local schema
include /usr/local/etc/openldap/schema/local.schema
Attribute Type Specification(属性类型定义)

The attributetype directive is used to define a new attribute type. The directive uses the same Attribute Type Description (as defined in RFC2252) used by the attributeTypes attribute found in the subschema subentry, e.g.:
attributetype 指令用来定义新的属性类型。该指令使用与子模式子条目中的 attributeTypes 属性相同的 Attribute 类型说明(正如 RFC2252 中所定义的相同),如:

attributetype <RFC2252 Attribute Type Description>

where Attribute Type Description is defined by the following BNF:
其中 Attribute Type Description 按如下 BNF 定义:

AttributeTypeDescription = "(" whsp
numericoid whsp              ; AttributeType identifier
[ "NAME" qdescrs ]             ; name used in AttributeType
[ "DESC" qdstring ]            ; description
[ "OBSOLETE" whsp ]
[ "SUP" woid ]                 ; derived from this other
; AttributeType
[ "EQUALITY" woid              ; Matching Rule name
[ "ORDERING" woid              ; Matching Rule name
[ "SUBSTR" woid ]              ; Matching Rule name
[ "SYNTAX" whsp noidlen whsp ] ; Syntax OID
[ "SINGLE-VALUE" whsp ]        ; default multi-valued
[ "COLLECTIVE" whsp ]          ; default not collective
[ "NO-USER-MODIFICATION" whsp ]; default user modifiable
[ "USAGE" whsp AttributeUsage ]; default userApplications
whsp ")"

AttributeUsage =
"userApplications"     /
"directoryOperation"   /
"distributedOperation" / ; DSA-shared
"dSAOperation"          ; DSA-specific, value depends on server

where whsp is a space (' '), numericoid is a globally unique OID in dotted-decimal form (e.g. 1.1.0), qdescrs is one or more names, woid is either the name or OID optionally followed by a length specifier (e.g {10}).
其中,whsp 是空格符(' '),numericoid 是十进制数加点格式的全局唯一 OID(如 1.1.0),qdescrs 是一个或多个名称,woid 要么是名称、要么是在 OID 后可选的长度说明(如 {10})。

For example, the attribute types name and cn are defined in core.schema as:
例如,属性类型名和 cn 在 core.schema 中定义如下:

attributeType ( 2.5.4.41 NAME 'name'
DESC 'name(s) associated with the object'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{32768} )
attributeType ( 2.5.4.3 NAME ( 'cn' 'commonName' )
DESC 'common name(s) assciated with the object'
SUP name )

Notice that each defines the attribute's OID, provides a short name, and a brief description. Each name is an alias for the OID. slapd(8) returns the first listed name when returning results.
注意每定义一个属性 OID 都提供一个简称以及一个简要的说明。每个名字都是 OID 的一个别名。在返回结果时 slapd(8) 将返回第一个列出的名字。

The first attribute, name, holds values of directoryString (UTF-8 encoded Unicode) syntax. The syntax is specified by OID (1.3.6.1.4.1.1466.115.121.1.15 identifies the directoryString syntax). A length recommendation of 32768 is specified. Servers should support values of this length, but may support longer values The field does NOT specify a size constraint, so is ignored on servers (such as slapd) which don't impose such size limits. In addition, the equality and substring matching uses case ignore rules. Below are tables listing commonly used syntax and matching rules (OpenLDAP supports these and many more).
每一个属性 name 保留了 directoryString (UTF-8 编码)语法值。该语法由 OID(1.3.6.1.4.1.1466.115.121.1.15 指定的 directoryString 语法)说明,并指定了推荐长度32768。服务器应该支持该长度值,但也可以支持更长的值。该域并未指明长度限制,因此会被不能强制进行长度限制的服务器(如 slapd)所忽略。另外 equality 和 substring 匹配使用忽略大小写的规则。下表列出了常用语法和匹配规则(OpenLDAP 支持这些以及更多)。

Table 8.3: Commonly Used Syntaxes(常用语法)

Name OID Description
boolean 1.3.6.1.4.1.1466.115.121.1.7 boolean value
directoryString 1.3.6.1.4.1.1466.115.121.1.15 Unicode (UTF-8) string
distinguishedName 1.3.6.1.4.1.1466.115.121.1.12 LDAP DN
integer 1.3.6.1.4.1.1466.115.121.1.27 integer
numericString 1.3.6.1.4.1.1466.115.121.1.36 numeric string
OID 1.3.6.1.4.1.1466.115.121.1.38 object identifier
octetString 1.3.6.1.4.1.1466.115.121.1.40 arbitary octets

Table 8.4: Commonly Used Matching Rules(常用匹配规则)

Name Type Description
booleanMatch equality boolean
caseIgnoreMatch equality case insensitive, space insensitive
caseIgnoreOrderingMatch ordering case insensitive, space insensitive
caseIgnoreSubstringsMatch substrings case insensitive, space insensitive
caseExactMatch equality case sensitive, space insensitive
caseExactOrderingMatch ordering case sensitive, space insensitive
caseExactSubstringsMatch substrings case sensitive, space insensitive
distinguishedNameMatch equality distinguished name
integerMatch equality integer
integerOrderingMatch ordering integer
numericStringMatch equality numerical
numericStringOrderingMatch ordering numerical
numericStringSubstringsMatch substrings numerical
octetStringMatch equality octet string
octetStringOrderingStringMatch ordering octet string
octetStringSubstringsStringMatch ordering octet string
objectIdentiferMatch equality object identifier

The second attribute, cn, is a subtype of name hence it inherits the syntax, matching rules, and usage of name. commonName is an alternative name.
第二个属性 cn 是 name 的子类型,因此它继承语法、匹配规则以及 name 的用法。commonName 是其别名。

Neither attribute is restricted to a single value. Both are meant for usage by user applications. Neither is obsolete nor collective.
这两个属性都没有限制成单值、都可以被用户程序使用。它们即不会过期也不会合并。

The following subsections provide a couple of examples.
以下内容给出几个示例。

myUniqueName

Many organizations maintain a single unique name for each user. Though one could use displayName (RFC2798), this attribute is really meant to be controlled by the user, not the organization. We could just copy the definition of displayName from inetorgperson.schema and replace the OID, name, and description, e.g:
许多组织都为每个用户维护单个唯一名。虽然可以使用 displayName(RFC2798),但该属性实际上是被用户所控制,而不是组织。我们只需从 inetorgperson.schema 中复制 displayName 的定义并重新定义其 OID、name 以及描述,如:

attributetype ( 1.1.2.1.1 NAME 'myUniqueName'
DESC 'unique name with my organization'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE )

However, if we want this name to be included in name assertions [e.g. (name=*Jane*)], the attribute could alternatively be defined as a subtype of name, e.g.:
然而,如果我们想该名称包含在 name 声明中 [如 (name=*Jane*)]的话,该属性也可以定义成 name 的子类型,如:

attributetype ( 1.1.2.1.1 NAME 'myUniqueName'
DESC 'unique name with my organization'
SUP name )
myPhoto

Many organizations maintain a photo of each each user. A myPhoto attribute type could be defined to hold a photo. Of course, one could use just use jpegPhoto (RFC2798) (or a subtype) to hold the photo. However, you can only do this if the photo is in JPEG File Interchange Format. Alternatively, an attribute type which uses the Octet String syntax can be defined, e.g.:
许多组织维护每个用户的相片。可以定义一个 myPhoto 属性类型来保存相片。当然可以只用 jpegPhoto(RFC2798)(或其子类型)来保存相片。然而,您只有在相片是 JPEG 文件交换格式时才能这么做。一个替换方法是定义一个使用 Octet String 语法的属性类型,如:

attributetype ( 1.1.2.1.2 NAME 'myPhoto'
DESC 'a photo (application defined format)'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.40
SINGLE-VALUE )

In this case, the syntax doesn't specify the format of the photo. It's assumed (maybe incorrectly) that all applications accessing this attribute agree on the handling of values.
在这种情况下,该语法并没有指定相片的格式。它假设(也许不正确)所有访问该属性的应用程序就其值的处理保持一致。

If you wanted to support multiple photo formats, you could define a separate attribute type for each format, prefix the photo with some typing information, or describe the value using ASN.1 and use the ;binary transfer option.
如果您想支持多个相片格式,您可以为每个格式单独定义一个属性类型、为拥有一些类型信息的相片添加前缀、使用 ASN.1 来描述该值或使用 ;binary 传输选项。

Another alternative is for the attribute to hold a URI pointing to the photo. You can model such an attribute after labeledURI (RFC2079) or simply create a subtype, e.g.:
另一个替代方案就是为该属性保存一个指向该相片的 URI。您可以在 labeledURI(RFC2079)之后定义该属性或者简单地创建一个子类型,如:

attributetype ( 1.1.2.1.3 NAME 'myPhotoURI'
DESC 'URI and optional label referring to a photo'
SUP labeledURI )
Object Class Specification(对象类说明)

The objectclasses directive is used to define a new object class. The directive uses the same Object Class Description (as defined in RFC2252) used by the objectClasses attribute found in the subschema subentry, e.g.:
objectclasses 指令用来定义一个新的对象类。该指令使用与子模式子条目中找到的 objectClasses 属性使用相同的属性类型描述(正如 RFC2252 中所定义的相同)。比如:

objectclass <RFC2252 Object Class Description>

where Object Class Description is defined by the following BNF:
其中 Attribute Type Description 按如下 BNF 定义

ObjectClassDescription = "(" whsp
numericoid whsp      ; ObjectClass identifier
[ "NAME" qdescrs ]
[ "DESC" qdstring ]
[ "OBSOLETE" whsp ]
[ "SUP" oids ]       ; Superior ObjectClasses
[ ( "ABSTRACT" / "STRUCTURAL" / "AUXILIARY" ) whsp ]
; default structural
[ "MUST" oids ]      ; AttributeTypes
[ "MAY" oids ]       ; AttributeTypes
whsp ")"

where whsp is a space (' '), numericoid is a globally unique OID in numeric form (e.g. 1.1.0), qdescrs is one or more names, and oids is one or more names and/or OIDs.
其中,whsp 是空格符(' '),numericoid 是十进制数加点格式的全局唯一 OID(如 1.1.0),qdescrs 是一个或多个名称,oids 则是一个或多个名称或 OID。

myPhotoObject

To define an auxiliary object class which allows myPhoto to be added to any existing entry.
定义一个 auxiliary 对象类以允许在任何已有的条目中添加 myPhoto。

objectclass ( 1.1.2.2.1 NAME 'myPhotoObject'
DESC 'mixin myPhoto'
AUXILIARY
MAY myPhoto )
myPerson

If your organization would like have a private structural object class to instantiate users, you can subclass one of the existing person classes, such as inetOrgPerson (RFC2798), and add any additional attributes which you desire.
如果您的组织想要用一个私有结构对象类来表示用户的话,您可以生成一个已有 person 类的子类,如 inetORgPerson(RFC2798),并添加您所要的附加属性。

objectclass ( 1.1.2.2.2 NAME 'myPerson'
DESC 'my person'
SUP inetOrgPerson
MUST ( myUniqueName $ givenName )
MAY myPhoto )

The object class inherits the required/allowed attribute types of inetOrgPerson but requires myUniqueName and givenName and allows myPhoto.
本对象类继承 inetOrgPerson 所要求/允许的属性类型但要求 myUniqueName 和 givenName,并允许 myPhoto。

OID Macros(OID 宏)

To ease the management and use of OIDs, slapd(8) supports Object Identifier macros. The objectIdentifier directive is used to equate a macro (name) with a OID. The OID may possibly be derived from a previously defined OID macro. The slapd.conf(5) syntax is:
为了便于管理和使用 OID,slapd(8) 支持对象标识符宏。objectIdentifier 指令被用于与 OID 等价的宏(名)。OID 也可以从以前定义的 OID 宏派生。slapd.conf(5) 的语法是:

objectIdentifier <name> { <oid> | <name>[[UbuntuHelp:<suffix>]] }

The following demonstrates definition of a set of OID macros and their use in defining schema elements:
下面展示了一系列的 OID 宏定义以及它们在定义模式元素中的用户。

objectIdentifier myOID  1.1
objectIdentifier mySNMP myOID:1
objectIdentifier myLDAP myOID:2
objectIdentifier myAttributeType        myLDAP:1
objectIdentifier myObjectClass  myLDAP:2
attributetype ( myAttributeType:3 NAME 'myPhotoURI'
DESC 'URI and optional label referring to a photo'
SUP labeledURI )
objectclass ( myObjectClass:1 NAME 'myPhotoObject'
DESC 'mixin myPhoto'
AUXILIARY
MAY myPhoto )