Red Hat Enterprise Linux 5 Administration Unleashed

CHAPTER 12 Identity Management

Adding LDAP Entries

Each item in the directory is called an entry, and each entry is composed of attributes such as a name and location. Attributes can be required or optional. An LDAP entry is identified by its Distinguished Name (DN), which must be unique for each entry.

Entries added to the directory must follow a schema, which defines the available attribute types. Some schema files are included with OpenLDAP in the /etc/openldap/schema/ directory. To use the attribute types in one of the schemas, the slapd.conf file must reference them with a line such as the following:

include /etc/openldap/schema/core.schema

The core, cosine, inetorgperson, and nis schemas are referenced in the default slapd.conf file so that the entry types, called object classes, defined in these files can be used. Add include lines to reference additional schema files if necessary for your directory configuration. Additional packages can add includes to slapd.conf as well. For example, the bind-sdb package adds an include for the dnszone.schema file.

TIP
The software packages for some services such as Samba include LDAP schema files so that OpenLDAP can be set up to share their configuration data. Execute rpm -ql on the name of the RPM package for each service you use to determine whether it provides a schema file.

The included schemas can be extended, or new schemas can be created, depending on what type of data you are storing in your LDAP directory. To extend or create a schema, create a new schema file in the /etc/openldap/schema/ directory with the same file permissions as the existing schema files. Refer to http://www.openldap.org/doc/admin23/schema.html for details on writing a custom schema file. The existing files provided with OpenLDAP should not be modified. Be sure to reference the new file in the /etc/openldap/slapd.conf file with an include line as previously mentioned.

To read the schema files, consider this basic example. Listing 12.3 includes excerpts from core.schema and inetorgperson.schema. In core.schema, the object class (this is the entry type) person is defined as a subclass of the top object class, as shown by the line starting with the keyword SUP. Then, in inetorgperson.schema, the object class inetOrgPerson is defined as a subclass of person, inheriting the attribute list from its parent object class person.

LISTING 12.3 Object Class Definitions

objectclass ( 2.5.6.6 NAME 'person'
    DESC 'RFC2256: a person'
    SUP top STRUCTURAL
    MUST ( sn $ cn )
    MAY ( userPassword $ telephoneNumber $ seeAlso $ description ) )
