LDAP schemas

I am researching how to use LDAP to manage accounts and automounts, and wonder whether to use the nis.schema or whether there is a better way to manage network information services. Clients will be Solaris 9 and 10.
TIA, any pointers appreciated.

http://web.singnet.com.sg/~garyttt
http://web.singnet.com.sg/~garyttt/Installing%20and%20configuring%20iPlanet%20Directory%20Server%20for%20Solaris9.htm
Step 5: Configure "automount" to work with RedHat or Solaris Native LDAP Clients
http://web.singnet.com.sg/~garyttt/Installing%20and%20configuring%20OpenSSH%20with%20pam_ldap%20for%20Solaris9.htm
Gary

Similar Messages

  • Ldap schema extension to control which users / group are imported

    Hello,
    would like to have your opinion:
    would it be a good idea to implement ldap schema extensions to control
    which users / group are imported and controlled from ldap in a ldap
    mastered installation?
    e.g. we could implement the following schema extension for users:
    attributetype ( 1.3.6.1.4.1.<iana-org-id>.1.1
        NAME ( 'BogusisBeehiveUser' )
        DESC ''
        EQUALITY booleanMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
        SINGLE-VALUE )

    # BogusinetOrgPerson
    # The BogusinetOrgPerson is derived from inetOrgPerson
    objectclass ( 1.3.6.1.4.1.<iana-org-id>.1
        NAME 'BogusinetOrgPerson'
        DESC 'RFC2798: Internet Organizational Person, plus Bogus Extensions'
        SUP inetOrgPerson
        STRUCTURAL
        MAY ( BogusisBeehiveUser ) )
    Then we could control the inclusion in beehive by simply switching
    BogusisBeehiveUser on or off.

    Sure; that's pretty much what is talked about in the Install Guide for LDAP Integration under the "inclusion and exclusion" section, about here:
    http://download.oracle.com/docs/cd/E14897_01/bh.100/e14830/ldap.htm#CHDEFFJF
    that doesn't go into the specifics of how you might want to design your objectClass schemas, though, as beehive is agnostic to that.
    If you don't want to provision all users that match a certain existing rule (like everyone under dn=foo, or everyone where userType=employee), then adding a new attribute and building the profile inclusion rule around it is a valid thing to do.
    richard

  • LDAP Schema Designer

    I am looking for a kind of LDAP Schema Designer, a utility that can check the consistency of my schema, detect redundancies...
    Any suggestions?
    Thanks

    I don't know of any tool like that. The problem is actually not quite that simple, since LDAP does not implement a relational database per se, or have concepts about 1st, 2nd, 3rd, etc normal forms.
    If you want me to review and refine your schema for you, then you can hire me as a consultant. I have extensive experience in designing schema and modeling directory objects and DIT.
    Click my handle for my email address if interested.
    podzap

  • X.509 PKI LDAP Schema for OID

    Hi,
    My question is about the availability of an X.509 PKI LDAP Schema for OID. Does anyone know if it is possible to import an already predefined schema into OID?
    Is it necessary to follow RFC2587 and define the schema by hand?
    Any response and advice appreciated.
    Petr
    P.S.
    I am quite new in the area of OID, so some of my questions may seem incomprehensible.

    Hello Petr:
    You most certainly can load your own custom schema items into OID. A few things to keep in mind when you do this:
    Make sure you load the attributes first.
    Then your objectclasses.
    Then your catalog/indexes, if you have any.
    Then load your directory entries.
    And last, load any ACIs you may have.
    If you give me a few of your schema definitions I would be happy to give you an example of how to do this.
    There are many PKI venders out there and not all of them store certificates the same way. Some use standard schema attributes and others add their own custom attribute.

  • What LDAP schema should I use with JMQ 2.0?

    I've just downloaded the JMS 2.0 beta for Solaris and am trying to set up an admin objects store with an LDAP server (NES 4.12). However, I cannot find an LDAP schema file to import into the LDAP server in your release. Would it be possible to send me a copy?

    As far as I know, you don't need to import any LDAP schema into Netscape Directory Server 4.12 (I assume this is what you are using) to store the administered objects.
    Are you seeing "schema violation" errors when you use jmqobjmgr? If that is the case, what lookup name are you using? Does your lookup name have the form:
    "cn=myLookupName"
    In most cases (it can be overridden), LDAP servers require lookup names to have the above format.

  • LDAP schema InetOrgPerson with Address Book

    Hi all
    I've set up an LDAP server on my linux machine.
    I use the InetOrgPerson schema.
    The MacOS-X Address Book has no problems accessing the LDAP server; however, I cannot get it to display homePostalAddress, in other words multiple address fields, a work address and a home address.
    Apple has some instructions on setting up mappings etc. for LDAP here:
    http://docs.info.apple.com/article.html?path=DirectoryAccess/1.8/en/c7od31.html
    I have, however, not been successful trying to follow that instruction.
    I was hoping someone else has had success mapping all the fields.
    Anyway, I would appreciate it if someone would care to give me a helping hand with this issue. I have searched this forum and seen postings that appear to be similar but not quite (as far as my English will get me). If I have missed a posting that specifically deals with this, then please point me to it.
    Thanks

    I've decided to withdraw question - solution found elsewhere

  • LDAP Schema from VDS

    We are using SAP VDS 7.2 SP8. Out of the Box Identity Service is deployed on VDS to expose LDAP Interface. When we connect to VDS LDAP Interface using standard LDAP client, we are not getting the schema information for the user attributes.
    Is any separate configuration needed at VDS level to get the user schema information?
    Any thoughts? Done heaps of googling, but nothing really comes up.
    cheers,
    Henrik

    Hi Henrik,
    I am experiencing the exact same issue.  Under server properties it appears you can select a method to create the rootDSE, there are a few delivered options but none of them appear to work.  I see entries in the operations log but nothing useful.
    VDS does function for authentication and browse but searching always fails.
    The help doc seems to suggest you should write a custom method, it would be great to know if you attempt this or have got any information from SAP that might suggest how to make the delivered classes to work?
    Thanks,
    Pete.

  • LDAP schema for addressbook in Lion

    I am starting to set up an OpenLDAP server for the place where I work. So far everything has been good, but I need to add a couple more fields (attributes) than the ones provided by the schema inetOrgPerson.
    I can add attributes to my accounts in LDAP all I want, but they do not show up in the addressbooks.
    Is there a schema that I could use to add something like the note field and have that show up in addressbooks connected to my LDAP server? Or even better, is it possible to add a "note" attribute and have that show up in the note field of addressbook?
    If such schema exist, please let me know where can I get it.
    If I am in the wrong forum to ask this question, please let me know where to post this.


  • How many entries is embedded LDAP of weblogic 8.1 capable to store ? let's assume we use default LDAP schema being defined in schema.core.xml


    "ming qin" <[email protected]> wrote in message news:[email protected]..
    I would like to have entries as users.

    There are a few issues that arise as the number of users increases. The first is management of all these users. Will you be able to load/update/manage all of the users via the WLS console? You can certainly use external LDAP tools to manage the data in the WLS embedded LDAP server, but using an external LDAP server may offer better tools for management than those offered in WLS.
    The second is performance. Since the ldap server embedded within WLS uses in-memory indices, the time to load the indices and the memory required for storing them increases as the number of users increases. 20-50K seems to have reasonable performance.
    The last is extensibility. The WLS default authenticator stores user, description, and password. You may have different requirements and want to store additional information.

  • LDAP Schema for AD  ( ADAM )

    Hi everyone.
    I've been reading the official documentation and searching the Web for some info on using an AD (at this time it is an ADAM but later on will be AD) user repository with AM 7.
    There is a reference in one of the manuals that says that there is a schema that needs to be added to the default schema of the AD. For the SunDS there is an LDIF file that can be used, but for AD there is none, and the syntax from DS to AD changes a bit.
    Is there anyone here who can clarify this for me? It sounds logical to me that these new attributes and object classes must be added to the AD schema, but is it so? And if so, does anyone have an LDIF that I can use to update the AD schema, which actually works?
    Thanks so much for all your help
    Rp

    Anyways, I've created an LDIF for Active Directory with these attributes and class objects.
    Don't really know if this is needed inside AD or not.
    If anyone wants these LDIFs for some reason, drop me a line. Keep in mind that they are a work in progress, so if you find anything you don't like and would like to change it, please do let me know so I can update my versions as well.
    If anyone has got any idea regarding the last questions I posted, please do let me know as well.
    Rp

  • Extending LDAP schema

    Dear all,
    I have directory server 2005Q4 configured with idsconfig for naming authentication, i.e. providing replacement for NIS environment.
    The question is what would be the proper procedure to extend the schema (something else?) to provide capabilities for Messaging Server 2005Q4 to use existing DS and existing user profiles?
    Thank you for your help,
    Andrei

    Messaging Server provides its own script (comms-dssetup ???) that adds the schema required by Messaging Server to DS. To extend the DS schema for other applications/users, take a look at the DS Admin Guide:
    http://docs.sun.com/source/817-7613/schema.html

  • LDAP Authentication - Multiple Domains

    I want to be able to use the built-in LDAP Authentication scheme to allow authentication against multiple AD Domains, each with its own separate Host IP/Server and LDAP DN String. The User ID is formatted the same among all Domains, so that is not a concern. I am currently authenticating against one Domain and it scans the tree successfully.
    Host: xx.xx.xx.xx
    DN String: %LDAP_USER%@amer.globalco.net
    (amer.globalco.net is the domain)
    How can this be accomplished? Is it possible, all you gurus out there?
    I saw one forum thread discussing how to add a drop down list to the login page, then use the value of the page item in the DN String to specify Domain... That makes sense - HOWEVER - I also have to use a different Host Server / IP address for each domain as well.... Now that is 2 fields that need updating based on one select list.
    I can build the select list using "IP/Domain" - but how do I separate the two data bits in the ITEM Value into their own field values?
    Can I use the ldap_dnprep function to do text editing to create two field values from one ITEM value that I can use in the standard LDAP authentication form fields?
    As you can tell - I am not a SQL/PLSQL person... and I want to avoid creating my own LDAP scheme.
    Please include example/suggested SQL -
    Thanks in advance...
    Rich
    Apex v3.2.1
    Oracle 10G Express

    Based on a prior post, I had a similar question and the result was to write a custom auth scheme to read the values from the login page, perform auth against the appropriate ldap, then return a valid session to proceed with login in the apex app. In our case, the issue was having users in different branch nodes on the same ldap server but not being able to search from a common higher-level branch for some reason...
    Another option you could try, not recommended as it would mean multiple pages to maintain, would be a separate login page per ldap/domain; maybe you would even have to have multiple apps with just a login page and then redirect to the main app... It's been a really long time since I've tried anything like it, just giving some options to try.

  • How to add a new schema in active directory by jndi?

    I can add a new objectclass schema and a new attribute into eDirectory from JNDI. But I failed doing the same to active directory. I searched all topics in this forum and it seems there is no such answer. So for active directory, is the only way to add a new schema by using MS MMC + the AD schema snap-in?

    You can update the schema via LDAP. Any tool that uses LDAP, such as Active Directory Services Interface (ADSI), Java/JNDI, LDAP Data Interchange Format (LDIF) can be used. You are not restricted to the Active Directory Schema Management snap-in.
    I strongly recommend that you read the following article http://windowssdk.msdn.microsoft.com/en-us/library/ms677995.aspx as schema extensions are not to be undertaken lightly.
    Also, if you are extending the schema, DO NOT use other organizations' schema OIDs. Imagine how directories would become inoperable because you defined hat size as an integer value with an OID of 1.2.3 and someone else defined Social Security Number as a string with an OID of 1.2.3! You can obtain your own OID branch from either Microsoft (http://msdn.microsoft.com/certification/ad-registration.asp) or from a standards organization such as ANSI.
    I'm kind of hoping that, seeing as you have mentioned that you have extended the schema for e-Directory, you understand LDAP schemas and that you have your own valid OID. Do not use my shoe size OID!
    The following snippet illustrates how to extend the schema using JNDI.....

    import javax.naming.Context;
    import javax.naming.directory.Attributes;
    import javax.naming.directory.BasicAttributes;
    import javax.naming.ldap.InitialLdapContext;
    import javax.naming.ldap.LdapContext;

    // DN of the new attributeSchema object inside the schema naming context
    String attrName = "cn=ms-ShoeSize,cn=Schema,cn=Configuration,dc=antipodes,dc=com";
    // env: the Hashtable of provider URL and credentials, set up beforehand
    LdapContext ctx = new InitialLdapContext(env, null);
    // ignoreCase=true: attribute IDs are matched case-insensitively
    Attributes attr = new BasicAttributes(true);
    attr.put("cn", "ms-ShoeSize");
    attr.put("objectClass", "attributeSchema");
    attr.put("ldapDisplayName", "msShoeSize");
    attr.put("isSingleValued", "TRUE");
    attr.put("attributeID", "1.2.840.113556.1.4.7000.141"); // use an OID from your own branch
    attr.put("attributeSyntax", "2.5.5.9");                   // AD syntax for INTEGER
    Context newattr = ctx.createSubcontext(attrName, attr);

    Having created a new attribute, you could then either add it to an existing class, or create another abstract class, add it to the new abstract class, and add the new abstract class as an auxiliary class to an existing structural class. For example, create a new auxiliary class called "Clothes Sizes", add the attribute "Shoe Size" as a mayContain attribute, and then add "Clothes Sizes" as an auxiliary class to inetOrgPerson.
    Note that you need to wait for the schema cache to refresh before adding attribute or class definitions to one another, and before instantiating new objects with the new classes & attribute definitions. You can either wait for the schema cache to refresh itself, or you can force a refresh by writing the value 1 to the attribute "schemaUpdateNow" on the RootDSE.
    As I mentioned at the start of this response, I personally prefer to use LDIF, simply because it enables end-users/customers to review the schema extensions and understand their potential impact before applying them. A sample that accomplishes the above would look something like:

    dn: CN=ms-ShoeSize,CN=Schema,CN=Configuration,DC=Antipodes,DC=com
    changetype: add
    objectClass: attributeSchema
    cn: ms-ShoeSize
    ldapDisplayName: msShoeSize
    attributeID: 1.2.840.113556.1.4.7000.141
    attributeSyntax: 2.5.5.9
    isSingleValued: TRUE

    dn:
    changetype: modify
    replace: schemaupdatenow
    schemaupdatenow: 1
    -

    dn: CN=inetOrgPerson,CN=Schema,CN=Configuration,DC=Antipodes,DC=com
    changetype: modify
    add: mayContain
    mayContain: msShoeSize
    -

    dn:
    changetype: modify
    replace: schemaupdatenow
    schemaupdatenow: 1
    -
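A pre-flight check for two cautions raised in this thread, the load order in the OID reply above (attributes before the object classes that reference them) and the warning in this post against reusing an OID, as an added Python example that is not code from the thread. Its LDIF parser is a minimal subset of RFC 2849 (no base64 values, no line folding), and the ex-* names and the 1.3.6.1.4.1.99999 OID arc in the sample are constructed placeholders, not registered values.

```python
"""Pre-flight check for an AD-style schema-extension LDIF (added example).
Enforces two rules from the thread: attribute definitions must precede the
classes that reference them, and no OID may be claimed twice."""

# Constructed sample (placeholder names and OID arc): exHatSize is referenced
# before it is defined and then reuses exShoeSize's OID.
SAMPLE_LDIF = """\
dn: CN=ex-ShoeSize,CN=Schema,CN=Configuration,DC=example,DC=com
changetype: add
objectClass: attributeSchema
ldapDisplayName: exShoeSize
attributeID: 1.3.6.1.4.1.99999.1.1
attributeSyntax: 2.5.5.9

dn: CN=ex-ClothesSizes,CN=Schema,CN=Configuration,DC=example,DC=com
changetype: add
objectClass: classSchema
ldapDisplayName: exClothesSizes
governsID: 1.3.6.1.4.1.99999.1.2
mayContain: exShoeSize
mayContain: exHatSize

dn: CN=ex-HatSize,CN=Schema,CN=Configuration,DC=example,DC=com
changetype: add
objectClass: attributeSchema
ldapDisplayName: exHatSize
attributeID: 1.3.6.1.4.1.99999.1.1
attributeSyntax: 2.5.5.9
"""


def parse_ldif(text):
    """Minimal RFC 2849 subset: blank-line separated records of 'name: value'
    lines (no base64 values, no line folding); keys are lowercased."""
    records, current = [], {}
    for line in text.splitlines() + [""]:      # trailing "" flushes the last record
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        name, _, value = line.partition(":")
        current.setdefault(name.strip().lower(), []).append(value.strip())
    return records


def check_schema_ldif(text, known_attrs=()):
    """Return a list of problems; empty means the LDIF passes both rules.
    known_attrs lists attributes the target directory already defines."""
    problems, seen_oids = [], {}                # seen_oids: OID -> first claimant
    defined = {a.lower() for a in known_attrs}
    for rec in parse_ldif(text):
        name = rec.get("ldapdisplayname", rec.get("cn", ["?"]))[0]
        classes = {c.lower() for c in rec.get("objectclass", [])}
        for oid in rec.get("attributeid", []) + rec.get("governsid", []):
            if oid in seen_oids:
                problems.append(f"{name}: OID {oid} already used by {seen_oids[oid]}")
            seen_oids.setdefault(oid, name)
        if "attributeschema" in classes:       # attribute now available to classes
            defined.add(name.lower())
        if "classschema" in classes:
            for ref in rec.get("maycontain", []) + rec.get("mustcontain", []):
                if ref.lower() not in defined:
                    problems.append(f"{name}: references {ref} before it is defined")
    return problems
```

Run check_schema_ldif over the LDIF you intend to apply and fix every reported line before touching the directory; pass the names of attributes the target schema already has in known_attrs so references to them are not flagged.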

  • RoleMapper with an external LDAP

    Dear friends,
    We use an external LDAP to store information related to users, groups and roles. We have managed to configure an out-of-the-box LDAP Authenticator within our realm for authentication. We wanted some guidance on configuring or writing a RoleMapper.
    1) What is good practice in terms of storing and managing roles? Is it common practice to store roles in an external LDAP, or do people use the Admin console to create roles within the embedded LDAP? The advantage with the Embedded LDAP is definitely that you could use the out-of-the-box RoleMapper, and the disadvantage is that we could not extend the LDAP schema to store hierarchical roles.
    2) If we store and manage roles in an external LDAP store, the same one where we store users and groups, could we still use the out-of-the-box role mapper? If not, could someone provide a sample role mapper that uses an external LDAP store?
    3) Why doesn't WebLogic provide an out-of-the-box Role Mapper that connects to an external LDAP?

    All Users Filter: (&(&(uid=*)(objectclass=person))(!(quitdate=*)))
    User From Name Filter: (&(&(uid=%u)(objectclass=person))(!(quitdate=*)))
    User Name Attribute: uid
    Here you're configuring that uid is the key of your users in OID. And in your case user A and user B have the same uid, so webcenter can log in using user B, but when it performs a search for uid=jack, LDAP returns the first one.
    Does that make sense to you?
    Hope that helps.

  • Connect Win Server 2008 R2 AD to linux ldap server

    I have the need to do the opposite of what I am finding most users doing. Instead of connecting a remote linux ldap client to a windows server 2008 Active Directory server I need to connect my windows server AD to my linux ldap server. Once this connection
    has been established I need for a user to be able to log in to the windows server and have their home directory on the linux box be mounted and available for the user to access their home directory and files.
    I have also heard there might need to be some changes done on the ldap schema on the linux server to satisfy the windows AD. Is this true?
    Does anyone have any information on how to configure the windows server (2008 R2) to do this? I am under the gun, time-wise, to get this implemented and working correctly. Any help would be GREATLY appreciated.

    Hello,
    please ask in your Linux LDAP forums to get these details.
    If you have an AD question then please ask it here.
