The Oak LDAP uses standard, widely-used LDAP schemas in conjunction with some Oxford-specific extensions. This document describes the attributes and object classes we are using, and states where in the directory information tree each type of entry is to be found. It also states the per-attribute release policy. Example values of most attributes are given, for illustration.
This document is intended as a reference. For examples of which parts of the schema to use to solve common problems, please see the Recommended Usage section of the main Oak LDAP document.
- DN
- This stands for "Distinguished Name". This is an LDAP (and X.500) term, and is a name for an entry that uniquely identifies it within the directory information tree. The DN of the root of the Oak LDAP tree is
- DN reference
- Many of the entries in the Oak LDAP tree are related to each other. For example, principals are owned by people, and people are in groups. A common element of the Oak schema design is that relationships between entries are expressed by having some attribute on one entry whose value is the DN of the other entry. This is referred to as a "DN reference" in the schema documentation.
- all service providers
- This means all service providers who have registered to become Oak data consumers (registering to become an Oak data consumer is different from the process of requesting creation of webauth principals).
- associated service providers
- A service provider is associated with a person if either of the following two conditions is met:
- everyone
- "Everyone" means every authenticated principal. Anonymous LDAP binds will not be possible.
- compare access
- This means that the LDAP client is allowed to ask whether a particular attribute on a particular entry has a specific value, which the LDAP client must supply in the query. The LDAP client receives a yes/no answer.
- search access
- With search access to an attribute, the LDAP client is able to perform an LDAP search where the search filter involves that attribute. If a client has search access to an attribute, they also implicitly have compare access.
- read access
- This simply means that the LDAP client can read the value of the attribute. Read access also implies search and compare access.
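As an added illustration (not part of the Oak LDAP documentation), the following Python models the three access levels and their implication chain (read implies search, search implies compare) against a few constructed entries. The DN-reference attribute oakUnitDN and the per-attribute release policy are hypothetical; the point is what a client can learn at each level, and that an unauthenticated client learns nothing.

```python
from typing import Dict, List, Optional

# Access levels from the glossary: read implies search, search implies compare.
LEVELS = {"compare": 0, "search": 1, "read": 2}

# Constructed sample entries (not real Oak data), keyed by DN.  oakUnitDN is a
# hypothetical DN-reference attribute pointing a person at their unit entry.
UNIT_DN = "oakUnitCode=oucs,ou=units,dc=oak,dc=ox,dc=ac,dc=uk"
PERSON_A = "oakPrimaryPersonID=12345,ou=people,dc=oak,dc=ox,dc=ac,dc=uk"
PERSON_B = "oakPrimaryPersonID=67890,ou=people,dc=oak,dc=ox,dc=ac,dc=uk"
DIRECTORY: Dict[str, Dict[str, str]] = {
    UNIT_DN: {"oakUnitCode": "oucs"},
    PERSON_A: {"oakPrimaryPersonID": "12345", "oakUnitDN": UNIT_DN},
    PERSON_B: {"oakPrimaryPersonID": "67890", "oakUnitDN": UNIT_DN},
}

# Hypothetical per-attribute release policy: the highest level a client gets.
POLICY = {"oakPrimaryPersonID": "read", "oakUnitDN": "compare", "oakUnitCode": "search"}


def allowed(attr: str, op: str, authenticated: bool = True) -> bool:
    """True if the policy grants `op` on `attr`; anonymous clients get nothing."""
    if not authenticated:
        return False
    granted = POLICY.get(attr)
    return granted is not None and LEVELS[granted] >= LEVELS[op]


def compare(dn: str, attr: str, value: str, authenticated: bool = True) -> Optional[bool]:
    """Compare access: the client supplies the value and learns only yes/no (None = denied)."""
    if not allowed(attr, "compare", authenticated):
        return None
    return DIRECTORY.get(dn, {}).get(attr) == value


def search(attr: str, value: str, authenticated: bool = True) -> Optional[List[str]]:
    """Search access: the client learns which DNs match a filter on the attribute."""
    if not allowed(attr, "search", authenticated):
        return None
    return [dn for dn, entry in DIRECTORY.items() if entry.get(attr) == value]


def read(dn: str, attr: str, authenticated: bool = True) -> Optional[str]:
    """Read access: the client learns the attribute's value itself."""
    if not allowed(attr, "read", authenticated):
        return None
    return DIRECTORY.get(dn, {}).get(attr)
```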
- LDAP schema file for locally-defined schema elements, in OpenLDAP-compatible format.
- 2. Person Entries at oakPrimaryPersonID=id,ou=people,dc=oak,dc=ox,dc=ac,dc=uk
- 3. Unit Entries at oakUnitCode=code,ou=units,dc=oak,dc=ox,dc=ac,dc=uk
- 4. Principal Entries at krbPrincipalName=princname,cn=OX.AC.UK,cn=KerberosRealms,dc=oak,dc=ox,dc=ac,dc=uk
- 5. Group Entries
- 6. Group Entry at oakGN=ITSS,ou=oucscentral,dc=oak,dc=ox,dc=ac,dc=uk
- 7. Group Entry at oakGN=Primary ITSS,ou=oucscentral,dc=oak,dc=ox,dc=ac,dc=uk
- 8. Change Log