This section will cover the highlights of creating initial DIT content while under the control of easily-understood DIT structure rules enforcing the use of common attribute types within entry RDNs.
The following basic assumptions apply:
-
A new
userRootbackend exists and is identified by thebase-dnofdc=example,dc=com, containing no entries whatsoever, and ... -
The eight (8) definitions described have already been saved to
/opt/opendj/config/schema/99-user.ldifor a similar file, or otherwise added via ldapmodify
To begin, let's take a look at the following nameForms
definitions:
#
nameForms: ( 1.3.6.1.4.1.56521.999.2.7.1
NAME 'rootSuffixForm'
OC domain
MUST dc )
#
nameForms: ( 1.3.6.1.4.1.56521.999.2.7.2
NAME 'ouForm'
OC organizationalUnit
MUST ou )
#
nameForms: ( 1.3.6.1.4.1.56521.999.2.7.3
NAME 'accountForm'
OC inetOrgPerson
MUST uid )
#
nameForms: ( 1.3.6.1.4.1.56521.999.2.7.4
NAME 'groupForm'
OC groupOfNames
MUST cn )These name forms declare the following mandates:
- Entries bearing the
domainSTRUCTURAL class, MUST utilizedcfor their respective RDNs - Entries bearing the
organizationalUnitSTRUCTURAL class, MUST utilizeoufor their respective RDNs - Entries bearing the
inetOrgPersonSTRUCTURAL class, MUST utilizeuidfor their respective RDNs - Entries bearing the
groupOfNamesSTRUCTURAL class, MUST utilizecnfor their respective RDNs
Next, we'll take a look at the new dITStructureRules instances,
which will bring the above name forms to life:
#
dITStructureRules: ( 20
NAME 'rootSuffixStructure'
FORM rootSuffixForm )
#
dITStructureRules: ( 21
NAME 'ouStructure'
FORM ouForm
SUP ( 20 21 ) )
#
dITStructureRules: ( 22
NAME 'accountStructure'
FORM accountForm
SUP 21 )
#
dITStructureRules: ( 23
NAME 'groupStructure'
FORM groupForm
SUP 21 )From these rules, one can begin to perceive an abstract DIT structure, defined by the incrementing -- and hierarchically-significant -- integer identifiers, each of which reflect the following respective conditions:
-
Given the absence of other entries, the introduction of an entry bearing the
domainSTRUCTURAL class anddcRDN attribute signifies the start of the administrative area, or the start of the "chain of enforced rules"When added, this entry SHOULD bear a
governingStructureRuleinteger identifier of 20 -
Given the introduction of an entry, positioned directly subordinate to the root suffix and bearing the
organizationalUnitSTRUCTURAL class andouRDN attribute, the entry is acceptedWhen added, this entry SHOULD bear a
governingStructureRuleinteger identifier of 21, the subordinate structure rule of its superior structure rule, 20 -
Given the introduction of any additional
organizationalUnitentries, whether descending directly from the root suffix, OR if subordinate to otherorganizationalUnitentries in "nested" fashion, the entry is accepted by rite of structure rule recursionWhen added, this entry SHOULD also bear a
governingStructureRuleinteger identifier of 21, as with the previous case -
Given the introduction of an entry, positioned directly subordinate to any
organizationalUnitentry presently governed by DIT structure rule 21 and bearing theinetOrgPersonSTRUCTURAL class anduidRDN attribute, the entry is acceptedWhen added, this entry SHOULD bear a
governingStructureRuleinteger identifier of 22 -
Given the introduction of an entry, positioned directly subordinate to any
organizationalUnitentry presently governed by DIT structure rule 21 and bearing thegroupOfNamesSTRUCTURAL class andcnRDN attribute, the entry is acceptedWhen added, this entry SHOULD bear a
governingStructureRuleinteger identifier of 23
Next, we'll be creating the initial portions of the governed DIT using ldapmodify, and periodically checking the results with ldapsearch along the way.
![[Note]](common/images/admon/note.png) |
Note |
|---|---|
In cases where changes are made in this section, the root DN user (cn=Directory Manager)
is purposely used. This is simply to demonstrate that no user, regardless of privilege, can "bypass" or
otherwise violate DIT structure rules in force.
|
$ ldapmodify -w password \
-D "cn=Directory Manager" \
-h opendj.example.com
dn: dc=example,dc=com
changetype: add
objectClass: domain
Processing ADD request for dc=example,dc=com
ADD operation successful for DN dc=example,dc=com
dn: ou=Accounts,dc=example,dc=com
changetype: add
objectClass: organizationalUnit
Processing ADD request for ou=Accounts,dc=example,dc=com
ADD operation successful for DN ou=Accounts,dc=example,dc=com
dn: ou=Consultants,ou=Accounts,dc=example,dc=com
changetype: add
objectClass: organizationalUnit
Processing ADD request for ou=Consultants,dc=example,dc=com
ADD operation successful for DN ou=Consultants,dc=example,dc=comSo far, so good. What we've just done is create the initial structure of our DIT, and in doing so we've confirmed the DIT structure rules do not seem to be interfering.
But, let's stop for now and check our work. We want to see the DIT structure rules that are actively governing our entries. To do this, we need only perform a simple anonymous LDAP search:
$ ldapsearch -h opendj.example.com \
-b dc=example,dc=com \
"(objectClass=*)" \
governingStructureRule
dn: dc=example,dc=com
governingStructureRule: 20
dn: ou=Accounts,dc=example,dc=com
governingStructureRule: 21
dn: ou=Consultants,ou=Accounts,dc=example,dc=com
governingStructureRule: 21This proves the following:
- Rule 20, the
rootSuffixStructuredefinition, represents the start of the structure chain - Rule 21, the
ouStructuredefinition, represents the permitted subordinate naming context below entries governed by therootSuffixStructurerule - Rule 21, as it supports recursion by nature, allows
organizationalUnitentries to reside withinorganizationalUnitentries, thus allowing categorical organizational structures to exist
Let's see what happens when we attempt to add an entry bearing an unauthorized RDN syntax.
$ ldapmodify -w password \
-D "cn=Directory Manager"\
-h opendj.example.com
dn: mail=user@example.com,ou=Consultants,ou=Accounts,dc=example,dc=com
changetype: add
objectClass: inetOrgPerson
cn: User Person
sn: Person
Processing ADD request for
mail=user@example.com,ou=Consultants,ou=Accounts,dc=example,dc=com
The LDAP modify request failed: 65 (Object Class Violation)
Additional Information: Entry
mail=user@example.com,ou=Consultants,ou=Accounts,dc=example,dc=com violates
the Directory Server schema configuration because its RDN does not contain
attribute uid that is required by name form accountFormGood, the DIT structure rule in question seems to work in preventing bogus RDNs. Now let's continue with entries that are expected to work.
$ ldapmodify -w password \
-D "cn=Directory Manager" \
-h opendj.example.com
dn: uid=userPerson,ou=Consultants,ou=Accounts,dc=example,dc=com
changetype: add
objectClass: inetOrgPerson
sn: Person
cn: User Person
Processing ADD request for uid=userPerson,ou=Consultants,ou=Accounts,dc=example,dc=com
ADD operation successful for DN uid=userPerson,ou=Consultants,ou=Accounts,dc=example,dc=com
dn: ou=Groups,dc=example,dc=com
changetype: add
objectClass: organizationalUnit
Processing ADD request for ou=Groups,dc=example,dc=com
ADD operation successful for DN ou=Groups,dc=example,dc=com
dn: ou=Corporate,ou=Groups,dc=example,dc=com
changetype: add
objectClass: organizationalUnit
Processing ADD request for ou=Corporate,ou=Groups,dc=example,dc=com
ADD operation successful for DN ou=Corporate,ou=Groups,dc=example,dc=com
dn: ou=Infrastructure,ou=Groups,dc=example,dc=com
changetype: add
objectClass: organizationalUnit
Processing ADD request for ou=Infrastructure,ou=Groups,dc=example,dc=com
ADD operation successful for DN ou=Infrastructure,ou=Groups,dc=example,dc=com
dn: cn=Abuse Mail,ou=Infrastructure,ou=Groups,dc=example,dc=com
changetype: add
objectClass: groupOfNames
Processing ADD request for cn=Abuse Mail,ou=Infrastructure,ou=Groups,dc=example,dc=com
ADD operation successful for DN cn=Abuse Mail,ou=Infrastructure,ou=Groups,dc=example,dc=comAgain, let's check our work (omitting the contents of the previous LDAP search):
$ ldapsearch -h opendj.example.com \
-b dc=example,dc=com \
"(objectClass=*)" \
governingStructureRule
dn: uid=userPerson,ou=Consultants,ou=Accounts,dc=example,dc=com
governingStructureRule: 22
dn: ou=Groups,dc=example,dc=com
governingStructureRule: 21
dn: ou=Corporate,ou=Groups,dc=example,dc=com
governingStructureRule: 21
dn: ou=Infrastructure,ou=Groups,dc=example,dc=com
governingStructureRule: 21
dn: cn=Abuse Mail,ou=Infrastructure,ou=Groups,dc=example,dc=com
governingStructureRule: 23So, what did we learn?
ouStructurerule 21 continues to allow recursiveorganizationalUnitentries, so long as they ultimately extend from therootSuffixStructuresuperior structure (ancestor) rule 20, or another such entry governed by rule 21accountStructurerule 22 is correctly governing entries bearing theinetOrgPersonSTRUCTURAL class found within anorganizationalUnitentry (superior structure rule 21)groupStructurerule 23 is correctly governing entries bearing thegroupOfNamesSTRUCTURAL class found within anorganizationalUnitentry (superior structure rule 21)
DIT structure rules are extremely powerful. When properly planned and implemented, they can greatly aid in the formation of clean and orderly directory structures without the need for additional ACIs.
