A.4. Specifying Directory Entries Using LDIF

Many types of entries can be stored in the directory. This section concentrates on three of the most common types of entries used in a directory: domain, organizational unit, and organizational person entries.

The object classes defined for an entry are what indicate whether the entry represents a domain or domain component, an organizational unit, an organizational person, or some other type of entry.

A.4.1. Specifying Domain Entries

Directories often have at least one domain entry. Typically this is the first, or topmost, entry in the directory. The domain entry often corresponds to the DNS host and domain name for your directory. For example, if the Directory Server host is called ldap.example.com, then the domain entry for the directory is probably named dc=ldap,dc=example,dc=com or simply dc=example,dc=com.

The LDIF entry used to define a domain appears as follows:

dn: distinguished_name
objectClass: top
objectClass: domain
dc: domain_component_name
list_of_optional_attributes
...

The following is a sample domain entry in LDIF format:

dn: dc=example,dc=com
objectclass: top
objectclass: domain
dc: example
description: Fictional example company

Each element of the LDIF-formatted domain entry is defined in Table A.2, “LDIF Elements in Domain Entries”.

LDIF Element and Description

dn: distinguished_name
    Required. Specifies the distinguished name for the entry.
objectClass: top
    Required. Specifies the top object class.
objectClass: domain
    Specifies the domain object class. This line defines the entry as a domain or domain component.
dc: domain_component
    Attribute that specifies the domain's name. The server is typically configured during the initial setup to have a suffix or naming context in the form dc=hostname,dc=domain,dc=toplevel, for example dc=ldap,dc=example,dc=com. The dc value of the domain entry must match the leftmost dc component of its DN: for the suffix dc=ldap,dc=example,dc=com the entry carries dc: ldap, and for the suffix dc=example,dc=com it carries dc: example. Do not create an entry such as dn: dc=com unless the server has been configured to use that suffix; the server cannot store an entry that does not fall under one of its configured suffixes.
list_of_attributes
    Specifies the list of optional attributes to maintain for the entry.
Table A.2. LDIF Elements in Domain Entries

A.4.2. Specifying Organizational Unit Entries

Organizational unit entries are often used to represent major branch points, or subdirectories, in the directory tree. They correspond to major, reasonably static entities within the enterprise, such as a subtree that contains people or a subtree that contains groups.

An organizational unit may also represent a major organization within the company, such as marketing or engineering. However, this style is discouraged: Red Hat strongly encourages using a flat directory tree, because organizational structure changes far more often than the entries it contains, and every reorganization then forces entries to be renamed and moved.

There is usually more than one organizational unit, or branch point, within a directory tree.

The LDIF that defines an organizational unit entry must appear as follows:

dn: distinguished_name
objectClass: top
objectClass: organizationalUnit
ou: organizational_unit_name
list_of_optional_attributes
...

The following is a sample organizational unit entry in LDIF format:

dn: ou=people,dc=example,dc=com
objectclass: top
objectclass: organizationalUnit
ou: people
description: Fictional example organizational unit

Table A.3, “LDIF Elements in Organizational Unit Entries” defines each element of the LDIF-formatted organizational unit entry.

LDIF Element and Description

dn: distinguished_name
    Specifies the distinguished name for the entry. A DN is required. The commas that separate the components of a DN, as in dn: ou=people,dc=example,dc=com, are not escaped. A comma that is part of an attribute value must be escaped with a backslash (\), for example dn: ou=Sales\, Europe,dc=example,dc=com.
objectClass: top
    Required. Specifies the top object class.
objectClass: organizationalUnit
    Specifies the organizationalUnit object class. This line defines the entry as an organizational unit.
ou: organizational_unit_name
    Attribute that specifies the organizational unit's name. The value used in the entry's RDN (ou=people) must be one of the entry's ou values.
list_of_attributes
    Specifies the list of optional attributes to maintain for the entry.
Table A.3. LDIF Elements in Organizational Unit Entries

A.4.3. Specifying Organizational Person Entries

The majority of the entries in the directory represent organizational people.

In LDIF, the definition of an organizational person is as follows:

dn: distinguished_name
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
cn: common_name
sn: surname
list_of_optional_attributes

The following is an example organizational person entry in LDIF format:

dn: uid=bjensen,ou=people,dc=example,dc=com
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
cn: Babs Jensen
sn: Jensen
givenname: Babs
uid: bjensen
ou: people
description: Fictional example person
telephonenumber: 555-5557
userpassword: {SSHA}dkfljlk34r2kljdsfk9

Table A.4, “LDIF Elements in Person Entries” defines each aspect of the LDIF person entry.

LDIF Element and Description

dn: distinguished_name
    Required. Specifies the distinguished name for the entry. For example, dn: uid=bjensen,ou=people,dc=example,dc=com. The commas that separate the components of the DN are not escaped; a comma that is part of an attribute value must be escaped with a backslash (\), for example cn=Jensen\, Babs,ou=people,dc=example,dc=com.
objectClass: top
    Required. Specifies the top object class.
objectClass: person
    Specifies the person object class. This object class specification should be included because many LDAP clients require it during search operations for a person or an organizational person.
objectClass: organizationalPerson
    Specifies the organizationalPerson object class. This object class specification should be included because some LDAP clients require it during search operations for an organizational person.
objectClass: inetOrgPerson
    Specifies the inetOrgPerson object class. The inetOrgPerson object class is recommended for the creation of an organizational person entry because this object class includes the widest range of attributes. The inetOrgPerson schema (RFC 2798) lists uid as an optional attribute, but entries of this type are conventionally named by the value of uid, as in the example above, so whenever uid forms the RDN the entry must carry a matching uid value.
cn: common_name
    Specifies the person's common name, which is the full name commonly used by the person. For example, cn: Bill Anderson. At least one common name is required.
sn: surname
    Specifies the person's surname, or last name. For example, sn: Anderson. A surname is required.
list_of_attributes
    Specifies the list of optional attributes to maintain for the entry.
Table A.4. LDIF Elements in Person Entries
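The rules in Tables A.2, A.3 and A.4 (required object classes, required attributes, the RDN value having to appear among the entry's attribute values, and backslash-escaped commas inside DN values) are easy to get wrong by hand before an import. The following is an added example, not part of the Red Hat Directory Server documentation or product, that parses LDIF records with only the Python standard library and checks each domain, organizational unit and organizational person entry against those rules. The LDIF it reads is constructed for the example: the three entries shown on this page, an ou whose name contains an escaped comma, and one deliberately broken person entry. The cleartext-userPassword warning is an extra check added here, not something the tables state; it reflects the page's own sample, which stores the password as an {SSHA} hash rather than in the clear.

```python
"""Validate LDIF domain, organizationalUnit and inetOrgPerson entries
against the rules of Tables A.2-A.4 (added example, standard library only)."""
import base64
import re

# Constructed sample input: the page's entries plus two extra test entries.
SAMPLE_LDIF = r"""
dn: dc=example,dc=com
objectclass: top
objectclass: domain
dc: example
description: Fictional example company

dn: ou=people,dc=example,dc=com
objectclass: top
objectclass: organizationalUnit
ou: people
description: Fictional example organizational unit

dn: ou=Sales\, Europe,dc=example,dc=com
objectClass: top
objectClass: organizationalUnit
ou: Sales, Europe

dn: uid=bjensen,ou=people,dc=example,dc=com
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
cn: Babs Jensen
sn: Jensen
givenname: Babs
uid: bjensen
ou: people
telephonenumber: 555-5557
userpassword: {SSHA}dkfljlk34r2kljdsfk9

dn: uid=broken,ou=people,dc=example,dc=com
objectclass: top
objectclass: inetOrgPerson
cn: Broken Entry
uid: notbroken
userpassword: secret123
"""

# Per entry type: object classes the tables list, attributes they mark as
# required, and the attribute the entry is named by.  uid is deliberately not
# in the required set for inetOrgPerson (RFC 2798 makes it optional); it is
# enforced through the RDN check instead.
RULES = {
    "domain": ({"top", "domain"}, {"dc"}, "dc"),
    "organizationalunit": ({"top", "organizationalunit"}, {"ou"}, "ou"),
    "inetorgperson": ({"top", "person", "organizationalperson", "inetorgperson"},
                      {"cn", "sn"}, "uid"),
}


def parse_ldif(text):
    """Return a list of entries, each a dict of lowercase attribute -> [values].
    Handles # comments, folded lines (leading space) and base64 values (::)."""
    entries, current = [], {}
    for raw in re.sub(r"\r?\n ", "", text).splitlines():   # unfold continuations
        if raw.startswith("#"):
            continue
        if not raw.strip():                                  # blank line ends a record
            if current:
                entries.append(current)
            current = {}
            continue
        m = re.match(r"^([^:]+)(::?) ?(.*)$", raw)
        if not m:
            raise ValueError(f"malformed LDIF line: {raw!r}")
        name, sep, value = m.group(1).strip().lower(), m.group(2), m.group(3)
        if sep == "::":
            value = base64.b64decode(value).decode("utf-8")
        current.setdefault(name, []).append(value)
    if current:
        entries.append(current)
    return entries


def first_rdn(dn):
    """Return (attribute, value) of the leftmost RDN, splitting only on commas
    that are not backslash-escaped and removing RFC 4514 backslash escapes."""
    rdn = re.split(r"(?<!\\),", dn)[0]
    attr, _, value = rdn.partition("=")
    return attr.strip().lower(), re.sub(r"\\(.)", r"\1", value.strip())


def validate(entry):
    """Return the list of rule violations for one entry (empty when it is clean)."""
    dn = entry.get("dn", [""])[0]
    classes = {c.lower() for c in entry.get("objectclass", [])}
    kind = next((k for k in RULES if k in classes), None)
    if not dn or kind is None:
        return [f"{dn or '<no dn>'}: not a domain, organizationalUnit or inetOrgPerson entry"]
    needed_classes, needed_attrs, rdn_attr = RULES[kind]
    problems = [f"{dn}: missing objectClass {c}" for c in sorted(needed_classes - classes)]
    problems += [f"{dn}: missing required attribute {a}" for a in sorted(needed_attrs - set(entry))]
    attr, value = first_rdn(dn)
    if attr != rdn_attr:
        problems.append(f"{dn}: {kind} entries are named by {rdn_attr}, not {attr}")
    elif value not in entry.get(attr, []):
        problems.append(f"{dn}: RDN value {value!r} is not among the entry's {attr} values")
    for pw in entry.get("userpassword", []):                 # extra hygiene check
        if not re.match(r"^\{[A-Za-z0-9-]+\}", pw):
            problems.append(f"{dn}: userPassword is not a {{scheme}}-prefixed hash")
    return problems


def validate_ldif(text):
    """Map each entry's DN to its list of problems."""
    return {e["dn"][0]: validate(e) for e in parse_ldif(text) if "dn" in e}


if __name__ == "__main__":
    for dn, problems in validate_ldif(SAMPLE_LDIF).items():
        print(dn, "OK" if not problems else "")
        for p in problems:
            print("   ", p)
```

Run against the sample, the four well-formed entries report no problems, including the one whose RDN is ou=Sales\, Europe, which the escape-aware splitter resolves to the ou value "Sales, Europe". The last entry is reported five times: the person and organizationalPerson classes are missing, sn is missing, the uid in the RDN (broken) is not one of the entry's uid values, and the password is cleartext. The splitter does not handle a value that ends in an escaped backslash immediately before a separator comma; a production importer should use the server's own LDIF tooling or a full RFC 4514 parser.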


Note: This documentation is provided {and copyrighted} by Red Hat®, Inc. and is released via the Open Publication License. The copyright holder has added the further requirement that Distribution of substantively modified versions of this document is prohibited without the explicit permission of the copyright holder. The CentOS project redistributes these original works (in their unmodified form) as a reference for CentOS-5 because CentOS-5 is built from publicly available, open source SRPMS. The documentation is unmodified to be compliant with upstream distribution policy. Neither CentOS-5 nor the CentOS Project are in any way affiliated with or sponsored by Red Hat®, Inc.