LDAP: LDIF & DSML

Fall 2004, Rev. 2

LDIF

• Light-weight Data Interchange Format

• RFC 2849

• Common format to exchange data

• entry

• schema

LDIF Limitations

• Limited to printable text

• Binary values MUST be Base64 encoded

• Too closely tied to LDAP

• Either new records or changes (not both)

LDIF Benefits

• Manipulate directory information in a text file

• Easily change data sets (mass changing of object attributes)

• Very simple to learn

LDIF Format

<attribute type name> : <value of attribute>

<attribute type name> is the attribute name in the directory. Examples would be dn, objectClass, phone, sn.

<value of attribute> is the actual value of the attribute. This should be a text string, with a few exceptions. Those exceptions require the value to be Base64 encoded and written after a double colon (attr:: value). The exceptions are NULL, LF or CR anywhere in the value, and : or < as the first character of the value.

Example of Base64:

<xml></xml>

would need to be base64 encoded

the base64 encoded value would be:

PHhtbD48L3htbD4=
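Added example (Python, not from the deck): the encoding side of the rule above. It applies the full RFC 2849 SAFE-STRING test, which besides the exceptions listed on the slide also forces Base64 for a value that starts with a space or contains non-ASCII bytes, folds long lines the LDIF way, and reproduces the deck's <xml></xml> and apple-user-homeurl encodings.

```python
import base64

# RFC 2849 SAFE-STRING rule: a value may be written in clear text only if it
# contains no NUL, LF or CR, is 7-bit ASCII, and does not begin with a space,
# ':' or '<'. Anything else is written as "name:: <base64>".
_UNSAFE_INIT = b"\x00\n\r :<"
_UNSAFE_ANY = b"\x00\n\r"


def needs_base64(value: bytes) -> bool:
    """True when an LDIF attribute value cannot be written as clear text."""
    if not value:
        return False                       # empty value is written as "name: "
    if value[0] in _UNSAFE_INIT:
        return True
    return any(b in _UNSAFE_ANY or b > 0x7F for b in value)


def ldif_attrval(name: str, value) -> str:
    """Render one unfolded 'name: value' or 'name:: base64' line."""
    raw = value.encode("utf-8") if isinstance(value, str) else bytes(value)
    if needs_base64(raw):
        return f"{name}:: {base64.b64encode(raw).decode('ascii')}"
    return f"{name}: {raw.decode('ascii')}"


def fold(line: str, width: int = 76) -> str:
    """Wrap a long line as LDIF does: continuation lines begin with one space."""
    out, rest = [line[:width]], line[width:]
    while rest:
        out.append(" " + rest[:width - 1])
        rest = rest[width - 1:]
    return "\n".join(out)


def ldif_entry(dn: str, attrs: dict) -> str:
    """Emit one content record: dn line first, then every attribute value."""
    lines = [ldif_attrval("dn", dn)]
    for name, values in attrs.items():
        for value in values:
            lines.append(fold(ldif_attrval(name, value)))
    return "\n".join(lines) + "\n"
```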

LDIF Operations

• changetype:

  • modify

  • modrdn

  • add

  • delete

• modify operations:

  • add

  • delete

  • replace

Example

version: 1
# Add a new entry
dn: cn=Fiona Jensen, ou=Marketing, dc=airius, dc=com
changetype: add
objectclass: top
objectclass: person
objectclass: organizationalPerson
cn: Fiona Jensen
sn: Jensen
uid: fiona
telephonenumber: +1 408 555 1212
jpegphoto:< file:///usr/local/directory/photos/fiona.jpg

# Delete an existing entry
dn: cn=Robert Jensen, ou=Marketing, dc=airius, dc=com
changetype: delete

# Modify an entry's relative distinguished name
dn: cn=Paul Jensen, ou=Product Development, dc=airius, dc=com
changetype: modrdn
newrdn: cn=Paula Jensen
deleteoldrdn: 1

# Modify an entry: add an additional value to the postaladdress
# attribute, completely delete the description attribute, replace
# the telephonenumber attribute with two values, and delete a specific
# value from the facsimiletelephonenumber attribute
dn: cn=Paula Jensen, ou=Product Development, dc=airius, dc=com
changetype: modify
add: postaladdress
postaladdress: 123 Anystreet $ Sunnyvale, CA $ 94086
-
delete: description
-
replace: telephonenumber
telephonenumber: +1 408 555 1234
telephonenumber: +1 408 555 5678
-
delete: facsimiletelephonenumber
facsimiletelephonenumber: +1 408 555 9876
-

# Modify an entry: replace the postaladdress attribute with an empty
# set of values (which will cause the attribute to be removed), and
# delete the entire description attribute. Note that the first will
# always succeed, while the second will only succeed if at least
# one value for the description attribute is present.
dn: cn=Ingrid Jensen, ou=Product Support, dc=airius, dc=com
changetype: modify
replace: postaladdress
-
delete: description
-
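Added example (Python, not from the deck): a small parser for the changetype: modify record shape shown above, built around the '-'-terminated add/delete/replace blocks. It rejects a value whose attribute does not match its block's op line, the mistake LDIF consumers refuse; folded lines and '::' Base64 values are left out to keep it short.

```python
# Constructed LDIF modify record in the shape of the deck's Paula Jensen
# example (RFC 2849). Folded lines and '::' Base64 values are not handled here.
SAMPLE_MODIFY = """dn: cn=Paula Jensen, ou=Product Development, dc=airius, dc=com
changetype: modify
add: postaladdress
postaladdress: 123 Anystreet $ Sunnyvale, CA $ 94086
-
delete: description
-
replace: telephonenumber
telephonenumber: +1 408 555 1234
telephonenumber: +1 408 555 5678
-
"""


def _attrval(line):
    """'name: value' -> (lowercase name, value); FILL spaces after ':' dropped."""
    name, _, rest = line.partition(":")
    return name.strip().lower(), rest.lstrip(" ")


def parse_modify_record(text):
    """Parse one 'changetype: modify' record into (dn, [(op, attr, [values])]).
    A block is an op line (add/delete/replace plus the attribute), zero or
    more values of that same attribute, then a line holding only '-'."""
    lines = [l for l in text.splitlines() if l and not l.startswith("#")]
    (key, dn), (_, ct) = _attrval(lines[0]), _attrval(lines[1])
    if key != "dn" or ct != "modify":
        raise ValueError("expected 'dn:' followed by 'changetype: modify'")
    ops, block = [], None
    for line in lines[2:]:
        name, value = _attrval(line)
        if line == "-":                       # block terminator
            ops.append(block)
            block = None
        elif block is None:                   # op line opens a new block
            if name not in ("add", "delete", "replace"):
                raise ValueError(f"unknown modify operation {name!r}")
            block = (name, value, [])
        elif name != block[1].lower():        # value must belong to block's attribute
            raise ValueError(f"{name!r} value inside '{block[0]}: {block[1]}' block")
        else:
            block[2].append(value)
    if block is not None:
        raise ValueError("final modify block is missing its '-' terminator")
    return dn, ops
```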

LDIF Entry Example

version: 1
#
# Extend user objects
#
# In a modify record each attribute gets its own "add:" block, closed by "-".
dn: cn=testuser,ou=utah,o=apple
changetype: modify
add: objectClass
objectClass: posixAccount
-
add: uidNumber
uidNumber: 1010
-
add: gidNumber
gidNumber: 20
-
add: homeDirectory
homeDirectory: /Network/Servers/engserver2.apple.com/ENG2.DATA/USERS/testuser
-
add: objectClass
objectClass: apple-user
-
add: apple-user-homeurl
apple-user-homeurl:: PGhvbWVfZGlyPjx1cmw+YWZwOi8vYmlncmVkLmV4YW1wbGUubmV0L0VORzIuREFUQTwvdXJsPjxwYXRoPlVTRVJTL3Rlc3R1c2VyPC9wYXRoPjwvaG9tZV9kaXI+
-

# Decoded, apple-user-homeurl is: <home_dir><url>afp://bigred.example.net/ENG2.DATA</url><path>USERS/testuser</path></home_dir>

LDIF Schema Representation

• Similar to the schema files we have made

• “dn” is cn=schema

• Add or delete object classes or attributes

LDIF Schema Example

dn: cn=schema
changetype: modify
add: attributeTypes
attributeTypes: ( 1.3.6.1.4.1.63.1000.1.1.1.1.15 NAME 'apple-user-authenticationhint' DESC 'password hint' EQUALITY caseExactMatch SUBSTR caseExactSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )

#
# User auxiliary object class.
#
dn: cn=schema
changetype: modify
add: objectclasses
objectclasses: ( 1.3.6.1.4.1.63.1000.1.1.2.1 NAME 'apple-user' SUP top AUXILIARY DESC 'user account' MAY ( apple-user-homeurl $ apple-user-class $ apple-user-homequota $ apple-user-mailattribute $ apple-user-printattribute $ apple-mcxflags $ apple-mcxsettings $ apple-user-adminlimits $ apple-user-picture $ apple-user-authenticationhint ) )

DSML

• Dan Sinema

• CNS 4650

Why XML?

• Common representation of data

• Easy to transfer data

• Easy to manipulate data

DSML v1

• Represent directory entries

• Represent schema

• Defined in dsml.dtd, dsml.xdr, dsml.xsd

• Namespace: http://dsml.org/DSML

DSML Document Types

• Type 1

  • contains only directory entries

  • does not reference schema

• Type 2

  • contains only directory entries

  • references schema in external doc

• Type 3

  • contains only directory schema

• Type 4

  • contains directory entries and schema

DSML Document Format

<dsml:dsml xmlns:dsml="http://www.dsml.org/DSML">
...
</dsml:dsml>

This may also contain an XML attribute named "complete".

The value can either be "true" or "false":

true - the document contains all the schema for the entries in the document

false - the schema is referenced in another document

DSML Entries Elements

<dsml:directory-entries>
 <dsml:entry dn="Distinguished Name">
  <dsml:objectclass>
   <dsml:oc-value> </dsml:oc-value>
  </dsml:objectclass>
 </dsml:entry>
</dsml:directory-entries>

Object Classes

<dsml:objectclass> may also carry an XML attribute named "ref", which points to the definition of the object class.

DSML Entries Example

<dsml:dsml xmlns:dsml="http://www.dsml.org/DSML">
 <dsml:directory-entries>
  <dsml:entry dn="cn=dsinema, ou=dev, o=company">
   <dsml:objectclass>
    <dsml:oc-value>top</dsml:oc-value>
    <dsml:oc-value>person</dsml:oc-value>
    <dsml:oc-value>organizationalPerson</dsml:oc-value>
   </dsml:objectclass>
  </dsml:entry>
 </dsml:directory-entries>
</dsml:dsml>

Object Classes


DSML Entries Elements

<dsml:directory-entries>
 <dsml:entry dn="Distinguished Name">
  <dsml:attr name="Attribute Name">
   <dsml:value> </dsml:value>
  </dsml:attr>
 </dsml:entry>
</dsml:directory-entries>

Attributes

<dsml:attr> may also carry an XML attribute named "ref", which points to the definition of the attribute type.

DSML Entries Example

<dsml:dsml xmlns:dsml="http://www.dsml.org/DSML">
 <dsml:directory-entries>
  <dsml:entry dn="cn=dsinema, ou=dev, o=company">
   <dsml:attr name="email">
    <dsml:value>[email protected]</dsml:value>
   </dsml:attr>
  </dsml:entry>
 </dsml:directory-entries>
</dsml:dsml>

Attributes

DSML Entries Example

<dsml:attr name="certificate">
 <dsml:value encoding="base64">XZKiASLiWNDAL92jJ=</dsml:value>
</dsml:attr>

Binary values must still be encoded, at this point still in Base64; this limitation comes from LDAP. NOTE: values that were not binary but had to be Base64 encoded in LDIF (for example a string starting with : or <) DO NOT need to be encoded in DSML.

Attributes
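Added example (Python, not from the deck): a namespace-aware parser for the DSML v1 entry elements shown in the slides above, covering objectclass values, attr values and the encoding="base64" marker. The document it parses is constructed here after the cn=dsinema examples; the e-mail address and certificate bytes are made up.

```python
import base64
import xml.etree.ElementTree as ET

DSML_NS = "http://www.dsml.org/DSML"
NS = {"dsml": DSML_NS}

# Constructed DSML v1 document in the shape of the deck's cn=dsinema examples.
# The e-mail address and certificate bytes are made up for the demonstration.
SAMPLE_DSML = f"""<dsml:dsml xmlns:dsml="{DSML_NS}" complete="false">
 <dsml:directory-entries>
  <dsml:entry dn="cn=dsinema, ou=dev, o=company">
   <dsml:objectclass>
    <dsml:oc-value>top</dsml:oc-value>
    <dsml:oc-value>person</dsml:oc-value>
    <dsml:oc-value>organizationalPerson</dsml:oc-value>
   </dsml:objectclass>
   <dsml:attr name="email"><dsml:value>dsinema@company.example</dsml:value></dsml:attr>
   <dsml:attr name="description"><dsml:value>: kept as text in DSML</dsml:value></dsml:attr>
   <dsml:attr name="certificate">
    <dsml:value encoding="base64">AQIDBA==</dsml:value>
   </dsml:attr>
  </dsml:entry>
 </dsml:directory-entries>
</dsml:dsml>
"""


def value_bytes(el) -> bytes:
    """Decode one <dsml:value>: only encoding="base64" is transformed; a text
    value that LDIF would have had to Base64 (leading ':' or '<') stays as is."""
    text = el.text or ""
    return base64.b64decode(text) if el.get("encoding") == "base64" else text.encode("utf-8")


def parse_dsml_entries(doc: str):
    """Return (value of the 'complete' attribute or None,
               [(dn, [objectclass names], {attr name: [bytes, ...]}), ...])."""
    root = ET.fromstring(doc)          # ElementTree does not expand external entities
    if root.tag != f"{{{DSML_NS}}}dsml":
        raise ValueError(f"not a DSML document: {root.tag}")
    entries = []
    for entry in root.iterfind("dsml:directory-entries/dsml:entry", NS):
        dn = entry.get("dn")
        if not dn:
            raise ValueError("dsml:entry without a dn attribute")
        ocs = [oc.text.strip() for oc in entry.iterfind("dsml:objectclass/dsml:oc-value", NS)]
        attrs = {}
        for attr in entry.iterfind("dsml:attr", NS):
            values = [value_bytes(v) for v in attr.iterfind("dsml:value", NS)]
            attrs.setdefault(attr.get("name"), []).extend(values)
        entries.append((dn, ocs, attrs))
    return root.get("complete"), entries
```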

DSML Entries Elements

<dsml:directory-schema>
 <dsml:class id="Class Name">
 </dsml:class>
 <dsml:attribute-type>
 </dsml:attribute-type>
</dsml:directory-schema>

Schema

DSML Entries Elements

<dsml:directory-schema>
 <dsml:class id="Class Name" superior=" " type=" ">
  <dsml:name></dsml:name>
  <dsml:description></dsml:description>
  <dsml:object-identifier></dsml:object-identifier>
  <dsml:attribute ref="" required=""></dsml:attribute>
 </dsml:class>
</dsml:directory-schema>

Schema - ObjectClass

<dsml:class> can have one more attribute, "obsolete"; the value is either true or false, and the default is false.

DSML Entries Elements

<dsml:directory-schema>
 <dsml:attribute-type id="Attr Name">
  <dsml:name></dsml:name>
  <dsml:description></dsml:description>
  <dsml:object-identifier></dsml:object-identifier>
  <dsml:syntax></dsml:syntax>
  <dsml:equality></dsml:equality>
 </dsml:attribute-type>
</dsml:directory-schema>

Schema - Attributes

<dsml:attribute-type> can have a couple more attributes: "obsolete", "single-value" and "user-modification".

Schema Example

ObjectClass

( 1.3.6.1.4.1.17946.1.2.1 NAME 'cartoon-character' SUP top STRUCTURAL
  DESC 'Cartoon character and all his/her attributes'
  MUST ( cartoon-catchPhrase $ cartoon-homeNetwork )
  MAY ( cartoon-biography ) )

Attribute

( 1.3.6.1.4.1.17946.1.1.1 NAME 'cartoon-catchPhrase'
  DESC 'Each cartoon character MUST have a catch phrase, an example would be D'oh'
  EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

( 1.3.6.1.4.1.17946.1.1.2 NAME 'cartoon-homeNetwork'
  DESC 'Each cartoon character must have a home network, an example would be Fox Channel, Disney Channel'
  EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )

( 1.3.6.1.4.1.17946.1.1.3 NAME 'cartoon-biography'
  DESC 'This is a URL that should point to a web page that contains this character's biography'
  EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

<dsml:directory-schema>
 <dsml:class id="cartoon-character" superior="top" type="structural">
  <dsml:name>cartoon-character</dsml:name>
  <dsml:description>Cartoon character and all his/her attributes</dsml:description>
  <dsml:object-identifier>1.3.6.1.4.1.17946.1.2.1</dsml:object-identifier>
  <dsml:attribute ref="cartoon-catchPhrase" required="true"></dsml:attribute>
  <dsml:attribute ref="cartoon-homeNetwork" required="true"></dsml:attribute>
  <dsml:attribute ref="cartoon-biography" required="false"></dsml:attribute>
 </dsml:class>
 <dsml:attribute-type id="cartoon-catchPhrase">
  <dsml:name>cartoon-catchPhrase</dsml:name>
  <dsml:description>Each cartoon character MUST have a catch phrase, an example would be D'oh</dsml:description>
  <dsml:object-identifier>1.3.6.1.4.1.17946.1.1.1</dsml:object-identifier>
  <dsml:syntax>1.3.6.1.4.1.1466.115.121.1.15</dsml:syntax>
  <dsml:equality>2.5.13.2</dsml:equality>
 </dsml:attribute-type>
 <dsml:attribute-type id="cartoon-homeNetwork" single-value="true">
  <dsml:name>cartoon-homeNetwork</dsml:name>
  <dsml:description>Each cartoon character must have a home network, an example would be Fox Channel</dsml:description>
  <dsml:object-identifier>1.3.6.1.4.1.17946.1.1.2</dsml:object-identifier>
  <dsml:syntax>1.3.6.1.4.1.1466.115.121.1.15</dsml:syntax>
  <dsml:equality>2.5.13.2</dsml:equality>
 </dsml:attribute-type>
 <dsml:attribute-type id="cartoon-biography">
  <dsml:name>cartoon-biography</dsml:name>
  <dsml:description>This is a URL</dsml:description>
  <dsml:object-identifier>1.3.6.1.4.1.17946.1.1.3</dsml:object-identifier>
  <dsml:syntax>1.3.6.1.4.1.1466.115.121.1.15</dsml:syntax>
  <dsml:equality>2.5.13.2</dsml:equality>
 </dsml:attribute-type>
</dsml:directory-schema>

DSML Schema