10.5. Managing Schema Using ldapmodify

As with the Directory Server Console, ldapmodify can be used to add, edit, and delete custom schema elements. ldapmodify also modifies the default custom schema file for a Directory Server instance, 99user.ldif.

10.5.1. Creating Attributes

A custom attribute definition is itself an attributetypes attribute value on the cn=schema entry. The attributetypes attribute has the format:
attributetypes: ( definition )
The definition contains five components:
  • An OID, usually a dot-separated number
  • A unique name, in the form NAME name
  • A description, in the form DESC description
  • The OID for the syntax of the attribute values, listed in Table 10.1, “LDAP Attribute Syntax”, in the form SYNTAX OID
  • Optionally, the source where the attribute is defined, in the form X-ORIGIN source
The attribute definition is added to the custom schema file, 99user.ldif, by running an LDAP command and modifying the cn=schema entry. For example:
/usr/lib/mozldap/ldapmodify -D "cn=directory manager" -w secret -p 389 -h server.example.com -v

dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 1.2.3.4.5.6.1 NAME 'dateofbirth' DESC 'For employee birthdays' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'Example defined' )

10.5.2. Creating Object Classes

An object class definition is an objectclasses attribute for the cn=schema entry. The objectclasses attribute has the format:
objectclasses: ( definition )
The object class definition contains several components:
  • An OID, usually a dot-separated number
  • A unique name, in the form NAME name
  • A description, in the form DESC description
  • The superior, or parent, object class for this object class, in the form SUP object_class; if there is no related parent, use SUP top
  • The word AUXILIARY, which gives the type of entry to which the object class applies; AUXILIARY means it can apply to any entry
  • A list of required attributes, preceded by the word MUST; to include multiple attributes, enclose the group in parentheses and separate the attributes with dollar signs ($)
  • A list of allowed attributes, preceded by the word MAY; to include multiple attributes, enclose the group in parentheses and separate the attributes with dollar signs ($)
The object class definition is added to the custom schema file, 99user.ldif, by running an LDAP command and modifying the cn=schema entry. For example:
/usr/lib/mozldap/ldapmodify -D "cn=directory manager" -w secret -p 389 -h server.example.com -v

dn: cn=schema
changetype: modify
add: objectclasses
objectclasses: ( 2.16.840.1133730.2.123 NAME 'examplePerson' DESC 'Example Person Object Class' SUP inetOrgPerson AUXILIARY MUST cn MAY (exampleDateOfBirth $ examplePreferredOS) )

10.5.3. Deleting Schema

WARNING

Never delete default schema elements. Those are required by the Directory Server to run.
  1. Remove the unwanted attributes from any entries which use them, then from any object classes in the schema file which accept that attribute. Likewise, to remove an object class, remove it from any entries.
  2. Run ldapmodify to remove the attribute or object class. For example, to delete the examplePerson object class:
    /usr/lib/mozldap/ldapmodify -D "cn=directory manager" -w secret -p 389 -h server.example.com

    dn: cn=schema
    changetype: modify
    delete: objectclasses
    objectclasses: ( 2.16.840.1133730.2.123 NAME 'examplePerson' DESC 'Example Person Object Class' SUP inetOrgPerson AUXILIARY MUST cn MAY (exampleDateOfBirth $ examplePreferredOS) )

    CAUTION

    Be sure to specify the exact object class or attribute to remove; using only the attributetypes or objectclasses attribute without the value will delete every user-defined attribute or object class in the file.
If the custom attribute or object class is in a custom schema file other than 99user.ldif, edit the file directly. Neither the Directory Server Console nor LDAP tools can edit a schema file other than 99user.ldif.
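The following added example (not Red Hat's code) parses the ( OID NAME ... ) definition format used in 10.5.1 and 10.5.2, checks that the components each section lists are present, and builds the cn=schema LDIF for ldapmodify while refusing the bare delete that the CAUTION in 10.5.3 warns about. The parser, the REQUIRED table and the function names are assumptions made for illustration.

```python
import re

# Added example, not from the Directory Server documentation.
# Parses "( OID NAME 'x' DESC 'y' SYNTAX oid ... )" definitions and
# generates the "changetype: modify" LDIF used against cn=schema.
DEF_RE = re.compile(r"^\(\s*(?P<oid>\d[\d.]*)\s+(?P<body>.*)\)\s*$", re.S)
TOKEN_RE = re.compile(r"'[^']*'|\([^)]*\)|\S+")   # quoted, ( a $ b ), or bare
VALUED = ("NAME", "DESC", "SYNTAX", "SUP", "MUST", "MAY", "X-ORIGIN")
FLAGS = ("SINGLE-VALUE", "AUXILIARY", "STRUCTURAL", "ABSTRACT")
# Components the section above lists for each kind of definition (assumed).
REQUIRED = {"attributetypes": ("NAME", "DESC", "SYNTAX"), "objectclasses": ("NAME", "DESC", "SUP")}

def parse_definition(text):
    """Split a definition into {'OID': ..., 'NAME': ..., 'MAY': [...], ...}."""
    m = DEF_RE.match(text.strip())
    if not m:
        raise ValueError("definition must look like '( OID ... )'")
    parts = {"OID": m.group("oid")}
    tokens = TOKEN_RE.findall(m.group("body"))
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok in FLAGS:                      # bare keyword, no value follows
            parts[tok] = True
            i += 1
        elif tok in VALUED:
            if i + 1 == len(tokens):
                raise ValueError(f"{tok} has no value")
            val = tokens[i + 1]
            if val.startswith("("):           # ( attr1 $ attr2 ) list
                val = [v.strip() for v in val.strip("()").split("$")]
            parts[tok] = val.strip("'") if isinstance(val, str) else val
            i += 2
        else:
            raise ValueError(f"unexpected token {tok!r}")
    return parts

def missing_components(kind, parts):
    """Return the required components (per the section) that are absent."""
    return [k for k in REQUIRED[kind] if k not in parts]

def schema_ldif(kind, op, definition=None):
    """Build the LDIF that ldapmodify reads to add or delete one element."""
    if kind not in REQUIRED or op not in ("add", "delete"):
        raise ValueError("kind must be attributetypes/objectclasses, op add/delete")
    if not definition:  # a bare delete removes every user-defined element
        raise ValueError(f"refusing to {op} {kind} without a definition")
    missing = missing_components(kind, parse_definition(definition))
    if missing:
        raise ValueError(f"definition is missing {missing}")
    return "\n".join(["dn: cn=schema", "changetype: modify",
                      f"{op}: {kind}", f"{kind}: {definition}"]) + "\n"
```

Feed the returned LDIF to ldapmodify on standard input, or write it to a file and pass it with -f.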