D2.3: Models

 

LDAP schema

Presentation

The Lightweight Directory Access Protocol (LDAP) is a protocol for accessing directory services, which can be seen as specialised databases, e.g. over the internet. It replaces its predecessor, the Directory Access Protocol (DAP), which has not become widely accepted due to its complexity. Version v3 of the LDAP is specified in RFC3377. A main feature of the LDAP is its focus on security aspects, it provides AAA (authentication, authorisation and accounting) functionality to secure the information within directory services by supporting encryption between the client and the directory server, and by providing access control lists (ACLs) defining who may access specific directory entries or parts thereof. 

An LDAP directory contains entries in a hierarchical structure. A directory entry may refer to any kind of entity, object, or resource. Each entry is identified by a distinguished name (dn), and consists of one or more attributes, i.e. type-value pairs. A directory schema specifies a set of rules defining what may be stored in a directory, the valid attribute types etc. 

Table 1 shows an example of a LDAP directory entry representing a person. The attribute types used in the example are commonly used and therefore given as short keyword names. 

Table : An Exemplary LDAP Directory Entry

 

 

Presentation: application to higher education

The EDUCAUSE/Internet2 eduPerson task force has the mission of defining an LDAP object class that includes widely-used person attributes in higher education. 

In particular EDUCAUSE has defined an LDAP schema for representing the person in an educational environment. 

 

 

 

 

 

 

 

 

top 

1. Person 

   1. sn TDIRNAME_NAME (mandatory) 

   2. cn TDIRNAME_NAME (mandatory) 

   3. description (string) 

   4. seeAlso (string) 

   5. telephoneNumber TDIRTELE_TELEPHONE 

   6. userPassword (string) 

   7. organizationalPerson 

      1. title PRSN_WORKING_TITLE  

      2. ou TDIRORGN_ORGAN 

      3. preferredDeliveryMethod (string) 

      4. st ADDR_STATE_CD 

      5. telexNumber (string) 

      6. l unknown 

      7. telephoneNumber TDIRTELE_TELEPHONE  

      8. physicalDeliveryOfficeName (string) 

      9. postalCode ADDR_ZIP_CD 

      10. internationalISDNNumber (string) 

      11. x121Address (string) 

      12. registeredAddress TDIRADDR_ADDRESS fields from appropriate type record. 

      13. street TDIRADDR_ADDRESS  

      14. postalAddress TDIRADDR_ADDRESS 

      15. facsimileTelephoneNumber TDIRTELE_TELEPHONE  

      16. teletexTerminalIdentifier (string) 

      17. postOfficeBox ADDR_…  

      18. destinationIndicator (string) 

      19. inetOrgPerson 

          1. userCertificate DGCR_DIGITAL_CR from appropriate type  

          2. uid TDIRIDEN_IDENTFIER 

          3. homePostalAddress TDIRADDR_ADDRESS 

          4. employeeType unknown 

          5. preferredLanguage PRSN_PREF_LANG 

          6. mail PRSN_UF_EMAIL_AD/ORGN_UF_EMAIL_AD 

          7. homePhone TDIRTELE_TELEPHONE 

          8. roomNumber (string) 

          9. x500UniqueIdentifier TDIRDGCR_DIGITALCR 

          10. employeeNumber PRSN_UFID 

          11. photo (string) 

          12. businessCategory (string) 

          13. pager TDIRTELE_TELEPHONE 

          14. o ORGN_DISPLAY_NM 

          15. jpegPhoto (string) 

          16. secretary unknown 

          17. audio (string) 

          18. userPKCS12 DGCR_DIGITAL_CR from appropriate type  

          19. displayName ORGN_DISPLAY_NM/PRSN_DISPLAY_NM  

          20. mobile TDIRTELE_TELEPHONE 

          21. labeledURI unknown 

          22. carLicense (string) 

          23. givenName TDIRNAME_NAME 

          24. manager (string) 

          25. userSMIMECertificate DGCR_DIGITAL_CR from appropriate type 

          26. initials TDIRNAME_NAME inetOrgPerson  

          27. departmentNumber ORGN_UFID 

          28. eduPerson 

              1. eduPersonOrgUnitDN relationships  

              2. eduPersonOrgDN relationships 

              3. eduPersonPrincipalName CMAC_USERID of GatorLink type, + @UFL.EDU 

              4. eduPersonNickname TDIRNAME_NAME 

              5. eduPersonAffiliation relationships 

              6. eduPersonPrimaryAffiliation PRSN_PRI_AFF_TYPE 

   8. residentialPerson 

      1. l (string) (mandatory) 

      2. preferredDeliveryMethod NONE 

      3. st ADDR_STATE_CD 

      4. businessCategory (string) 

      5. telexNumber (string) 

      6. telephoneNumber TDIRTELE_TELEPHONE 

      7. physicalDeliveryOfficeName (string) 

      8. postalCode ADDR_ZIP_CD 

      9. internationalISDNNumber (string) 

      10. x121Address (string) 

      11. registeredAddress TDIRADDR_ADDRESS fields from appropriate type record. 

      12. street TDIRADDR_ADDRESS  

      13. postalAddress TDIRADDR_ADDRESS 

      14. facsimileTelephoneNumber TDIRTELE_TELEPHONE 

      15. teletexTerminalIdentifier (string) 

      16. postOfficeBox ADDR_… residentialPerson  

      17. destinationIndicator (string) 

 

 

Example 1: An simple LDAP file with two entries 

 

version: 1 

dn: cn=Barbara Jensen, ou=Product Development, dc=airius, dc=com 

objectclass: top 

objectclass: person 

objectclass: organizationalPerson 

cn: Barbara Jensen 

cn: Barbara J Jensen 

cn: Babs Jensen 

sn: Jensen 

uid: bjensen 

telephonenumber: +1 408 555 1212 

description: A big sailing fan. 

 

dn: cn=Bjorn Jensen, ou=Accounting, dc=airius, dc=com 

objectclass: top 

objectclass: person 

objectclass: organizationalPerson 

cn: Bjorn Jensen 

sn: Jensen 

telephonenumber: +1 408 555 1212 

 

References

RFC 2849 - The LDAP Data Interchange Format (LDIF) - Technical Specification, June 2000 

http://www.faqs.org/rfcs/rfc2849.html

 

 

32 / 53