new blog 2.0


0x08. [LPIC-301] LDAP - OpenLDAP customizing - schema files

(This article is based on Section 9 of the OpenLDAP Admin Guide 2.3.)
  1. In a default source installation of OpenLDAP the schema files reside in /usr/local/etc/openldap/schema. If you install OpenLDAP as a package from your distribution you will find the files in /etc/openldap/schema.
  2. Schema files have to be included from slapd.conf with the 'include' directive. slapd.conf normally starts with the schema inclusions, because everything that follows (databases, indexes, access control) refers to attributes and object classes that the schema must already have defined.
  3. The Admin Guide lists six schema files distributed with OpenLDAP (table reproduced from the guide):
    Table 8.1: Provided Schema Specifications
    File                  Description
    core.schema           OpenLDAP core (required)
    cosine.schema         Cosine and Internet X.500 (useful)
    inetorgperson.schema  InetOrgPerson (useful)
    misc.schema           Assorted (experimental)
    nis.schema            Network Information Services (FYI)
    openldap.schema       OpenLDAP Project (experimental)
  4. inetorgperson.schema depends on cosine.schema (which in turn depends on core.schema), so the include order in slapd.conf matters: core, then cosine, then inetorgperson.
  5. Schema files distributed with OpenLDAP should never be modified; a package upgrade will overwrite them, and the standard OIDs and names they carry are expected to mean the same thing on every server. You should create a new schema file if you want to extend the set of object classes and attributes.
  6. OpenLDAP Admin Guide 2.3 defines five steps for creating a new schema:
    a) obtain an object identifier (OID)
    You can obtain an OID arc for your enterprise from IANA at no cost (a Private Enterprise Number). An OID is a number in dot-decimal notation that uniquely identifies your organization; IANA enterprise OIDs have the form 1.3.6.1.4.1.X, where X is the integer IANA assigned to you. Everything you define lives under that arc (for example one sub-arc for attribute types and one for object classes), so definitions from different organizations can never collide. Do not use OIDs you have not been assigned.
    b) choose a name prefix
    You should come up with a name prefix that is added to every attribute and object class in your schema. This way you avoid confusion with other non-standard schemas and with the standard ones, where an unprefixed name such as employeeNumber already exists in inetorgperson.schema. An encouraged format for the prefix is topleveldomainCompanyname, e.g. deFirma, ieCompany, plFirma, tuxPorta.
    c) create a local schema file
    A customary name for your local schema file is local.schema, but in fact it can be called whatever you want. It must be included after all other schema inclusions in slapd.conf, because anything it references (superior object classes, matching rules, attribute types from the standard files) has to be loaded first; slapd refuses to start on an unresolved reference.
    d) define custom attribute types (if necessary)
    Creating attributes is best described and illustrated with examples in RFC 2252. An attribute type definition starts with its numeric OID and should carry at least a NAME, a DESC, the matching rules that searches will use (EQUALITY, and ORDERING or SUBSTR where needed) and the attribute SYNTAX expressed as an OID. The list of attribute syntaxes and their OIDs can be found in OpenLDAP Admin Guide 2.3, table 8.3 - Commonly Used Syntaxes. The syntax and matching rules decide how slapd stores, compares and returns the values, so pick them deliberately: an attribute without an EQUALITY rule cannot be matched by an equality filter at all.
    e) define custom object classes
    Object classes are defined at the end of the schema file, after the definitions of the attributes they use. A simplified object class definition has the following format (RFC 2252 syntax):
        objectclass ( OID-in-numeric-format
            NAME 'object-class-name-in-qdescrs-format'
            DESC 'object-class-description-in-qdstring'
            OBSOLETE
            SUP ( superior $ objectclasses $ separated $ byDollar )
            STRUCTURAL | AUXILIARY | ABSTRACT
            MUST ( OIDs $ of $ mandatory $ attrs $ separated $ byDollar )
            MAY ( OIDs $ of $ optional $ attrs $ separated $ byDollar ) )
    Everything after the OID is optional; OBSOLETE is written only to mark a class that should no longer be used, and the kind defaults to STRUCTURAL. The kind matters: an entry has exactly one structural class chain, so a STRUCTURAL subclass (e.g. SUP inetOrgPerson) is for creating entries of your own type, while an AUXILIARY class can be added to existing entries of any structural class to attach your attributes. In SUP, MUST and MAY, names and numeric OIDs can be used interchangeably.
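The five steps above put together, as a complete local.schema. This is a worked example added to the article, not a file shipped with OpenLDAP or taken from the Admin Guide; it assumes an IANA Private Enterprise Number of 99999 (a placeholder, substitute your own) and the hypothetical name prefix exCompany, and the attribute and class names it defines exist nowhere else. It covers steps d) and e) in one file: three attribute types with different syntaxes and matching rules, a STRUCTURAL subclass of inetOrgPerson and an AUXILIARY class.

```conf
# local.schema -- worked example for this article, not part of the
# OpenLDAP distribution. Assumptions: IANA Private Enterprise Number
# 99999 (placeholder, use your own) and the name prefix "exCompany"
# (hypothetical). Sub-arcs under the PEN are a local choice:
#   1.3.6.1.4.1.99999.1.1.<n>  attribute types
#   1.3.6.1.4.1.99999.1.2.<n>  object classes
#
# slapd.conf must include core.schema, cosine.schema and
# inetorgperson.schema (in that order) before this file, because
# exCompanyPerson below is derived from inetOrgPerson.

# Employee identifier: a Directory String (syntax ...1.15), compared
# case-insensitively, so (exCompanyEmployeeID=e00042) matches 'E00042'.
# SUBSTR allows (exCompanyEmployeeID=E00*) filters. Single-valued.
attributetype ( 1.3.6.1.4.1.99999.1.1.1
    NAME 'exCompanyEmployeeID'
    DESC 'Internal employee identifier'
    EQUALITY caseIgnoreMatch
    SUBSTR caseIgnoreSubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
    SINGLE-VALUE )

# Cost centre: an Integer (syntax ...1.27) with an ORDERING rule so
# that range filters such as (exCompanyCostCenter>=4000) work.
attributetype ( 1.3.6.1.4.1.99999.1.1.2
    NAME 'exCompanyCostCenter'
    DESC 'Cost centre the account is charged to'
    EQUALITY integerMatch
    ORDERING integerOrderingMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
    SINGLE-VALUE )

# Boolean (syntax ...1.7): the only legal values are TRUE and FALSE.
attributetype ( 1.3.6.1.4.1.99999.1.1.3
    NAME 'exCompanyVpnAllowed'
    DESC 'Whether the account may use the corporate VPN'
    EQUALITY booleanMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
    SINGLE-VALUE )

# Object classes come after the attribute types they reference.
# STRUCTURAL subclass of inetOrgPerson: the structural class of new
# person entries. The employee ID is mandatory for such entries.
objectclass ( 1.3.6.1.4.1.99999.1.2.1
    NAME 'exCompanyPerson'
    DESC 'Company person entry, extends inetOrgPerson'
    SUP inetOrgPerson
    STRUCTURAL
    MUST ( exCompanyEmployeeID )
    MAY ( exCompanyCostCenter $ exCompanyVpnAllowed ) )

# AUXILIARY class: can be added to entries that already exist with
# some other structural class (service accounts, plain person entries)
# without changing that class, so existing data need not be migrated.
objectclass ( 1.3.6.1.4.1.99999.1.2.2
    NAME 'exCompanyAccessInfo'
    DESC 'Access attributes attachable to any account entry'
    SUP top
    AUXILIARY
    MAY ( exCompanyCostCenter $ exCompanyVpnAllowed ) )
```

Add `include /etc/openldap/schema/local.schema` as the last include line in slapd.conf and run `slaptest -f /etc/openldap/slapd.conf` before restarting slapd: a mistyped OID, an unknown matching rule or a MAY attribute that is not defined is reported there instead of by a server that will not start. One caveat a practitioner should keep in mind: new attributes get no special protection, they are covered by whatever `access to` rules already match the entry, so a generic `by self write` would let users edit their own exCompanyVpnAllowed; add an explicit `access to attrs=exCompanyVpnAllowed` rule for any attribute that drives an access decision.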
