1. Introduction

The Oak LDAP uses standard, widely-used LDAP schemas in conjunction with some Oxford-specific extensions. This document describes the attributes and object classes we are using, and states where in the directory information tree each type of entry is to be found. It also states the per-attribute release policy. Example values of most attributes are given, for illustration.

This document is intended as a reference. For examples of which parts of the schema to use to solve common problems, please see the Recommended Usage section of the main Oak LDAP document.

The most important types of entries are
  • person entries
  • Kerberos principal entries
  • organisational unit (colleges, departments, and so on) entries
  • general group entries

1.1. Definition of schema terms

DN
This stands for "Distinguished Name". This is an LDAP (and X.500) term, and is a name for an entry that uniquely identifies it within the directory information tree. The DN of the root of the Oak LDAP tree is dc=oak,dc=ox,dc=ac,dc=uk.
DN reference
Many of the entries in the Oak LDAP tree are related to each other. For example, principals are owned by people, and people are in groups. A common element of the Oak schema design is that relationships between entries are expressed by having some attribute on one entry whose value is the DN of the other entry. This is referred to as a "DN reference" in the schema documentation.

1.2. Definition of release policy terms

Where applicable, this document also states attributes' release policies. These use the following terms:
all service providers
This means all service providers who have registered to become Oak data consumers (registering to become an Oak data consumer is different from the process of requesting creation of webauth principals).
associated service providers
A service provider is associated with a person if either of the following two conditions is met:
  • the service provider is registered as providing a service to a unit of which the person is a member
  • the service provider is registered as a university-wide provider

A service provider is associated with a unit if it's registered as providing a service to that unit, or it's registered as a university-wide provider.

everyone
"Everyone" means every authenticated principal. Anonymous LDAP binds will not be possible.
compare access
This means that the LDAP client is allowed to ask whether a particular attribute on a particular entry has a specific value, which the LDAP client must supply in the query. The LDAP client receives a yes / no answer.
search access
With search access to an attribute, the LDAP client is able to perform an LDAP search where the search filter involves that attribute. If a client has search access to an attribute, they also implicitly have compare access.
read access
This simply means that the LDAP client can read the value of the attribute. Read access also implies search and compare access.
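As an added illustration (not the Oak LDAP's own configuration), the following cn=config LDIF shows how the release policy terms above map onto OpenLDAP access controls, whose levels are cumulative in the same way the definitions describe (read implies search, search implies compare). The attribute names and the two group DNs are placeholders chosen for the example, not attributes or groups documented on this page.

```ldif
# Constructed example: global settings that make "everyone" mean
# "every authenticated principal" by refusing anonymous binds and
# requiring authentication before any other operation.
dn: cn=config
changetype: modify
replace: olcDisallows
olcDisallows: bind_anon
-
replace: olcRequires
olcRequires: authc

# Constructed example: per-attribute release policies on the database
# holding dc=oak,dc=ox,dc=ac,dc=uk. Rules are evaluated in order and the
# first matching "to" clause wins, so the most specific attributes come first.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
# Credentials are never readable; "auth" permits binding only.
olcAccess: {0}to attrs=userPassword
  by self write
  by * auth
# Release policy "everyone" with read access: any authenticated
# principal may read (and therefore search and compare) the value.
olcAccess: {1}to attrs=cn,sn
  by users read
  by * none
# Placeholder attribute illustrating two narrower policies at once:
# "associated service providers" get search access (filters allowed,
# values not returned), "all service providers" get compare access only
# (yes/no answer to a value they must supply). Group DNs are placeholders.
olcAccess: {2}to attrs=exampleRestrictedAttr
  by group.exact="cn=associated-providers-PLACEHOLDER,ou=groups,dc=oak,dc=ox,dc=ac,dc=uk" search
  by group.exact="cn=all-providers-PLACEHOLDER,ou=groups,dc=oak,dc=ox,dc=ac,dc=uk" compare
  by * none
# Everything not matched above is readable by authenticated principals.
olcAccess: {3}to *
  by users read
  by * none
```

Applying this with ldapmodify against cn=config replaces the database's whole olcAccess list, so in practice the existing rules must be merged in rather than overwritten.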

1.3. See Also

  • LDAP schema file for locally-defined schema elements, in OpenLDAP-compatible format.
