Appendix E: LDAP - Object Classes and Attributes

There are bucket loads of off-the-shelf attributes and objectclasses some are standardized, some from the kindness of heart of the author(s). Many are packaged into Schemas distributed with OpenLDAP. Some of the most common are defined below. This list is not exhaustive. Where possible it is always sensible to use a pre-existing attribute and objectclass but you can build your own - if your heart will stand the strain of ASN.1.

Find the attribute you want then check with its objectclass to see what other 'stuff' it picks up. The objectclass hierarchy is shown by the notation [->objectclassname] under Name (and is mostly hyperlinked in the schema definitions). So if you use, say, the objectclass of residentialPerson which has a parent of person then the MUST attributes are the sum of (inherits from in the jargon) both objectclasses which is this case means cn, sn and l are MUST attributes.

Notes: Attribute names are case insensitive but you will see them mostly written in that Camel Case notation which puts capitals in (mostly) inconsistent places!

Commonly used attributes
Object Classes
config.ldif - used by OpenLDAP OLC (cn=config) feature - browsable
corba.schema - OpenLDAP distribution - browsable
core.schema - OpenLDAP distribution - browsable
cosine.schema - OpenLDAP distribution - browsable
dyngroup.schema - used by Dynamic Group feature - browsable
inetorgperson.schema - OpenLDAP distribution - browsable
java.schema - OpenLDAP distribution - not browsable
misc.schema - OpenLDAP distribution - not browsable
nis.schema - OpenLDAP distribution - browsable
openldap.schema - distribution schema - not browsable
qmail.schema - Qmail distribution - browsable
samba3.schema - (edited) OpenLDAP distribution - browsable
authldap.schema (courier-imap) - Courier distribution - browsable
ppolicy.schema - used by OpenLDAP ppolicy overlay - not browsable

Commonly Used Attributes

This not an exhaustive list but defines some common attributes and cross links them to some of the objectclasses in which they are used. Clicking the schema link will take you to the attribute definition, clicking the objectClass link will show its usage in that object.

Name	Alias	objectClass	Notes	Schema
c	countryName	country	2 character country code defined in ISO 3166	core.schema
cn	commonName	person organizationalPerson organizationalRole groupOfNames applicationProcess applicationEntity posixAccount device		core.schema
dc	domainComponent	dcObject	any part of a domain name e.g. domain.com, domain or com	core.schema
-	facsimileTelephoneNumber	residentialPerson organizationalRole organizationalPerson		core.schema
co	friendlyCountryName	friendlyCountry	full name of country	cosine.schema
gn	givenName	inetOrgPerson	First or given name	core.schema
homePhone	homeTelephoneNumber	inetOrgPerson		cosine.schema
-	jpegPhoto	inetOrgPerson	jpg format photo	inetorgperson.schema
l	localityName	locality organizationalPerson		core.schema
mail	rfc822Mailbox	inetOrgPerson	email address e.g. joe@smokeyjoe.com	core.schema
mobile	mobileTelephoneNumber	inetOrgPerson	mobile or cellular phone number	cosine.schema
o	organizationName	organization	Organization name or even organisational name	core.schema
ou	organisationalUnitName	organizationUnit	Usually department or any sub entity of larger entity	core.schema
-	owner	groupOfNames device groupOfUniqueNames		core.schema
pager	pagerTelephoneNumber	inetOrgPerson		cosine.schema
-	postalAddress	organizationalPerson		core.schema
postalCode	postalCode	organizationalPerson	Post Code or ZIP	core.schema
sn	surname	person	surname or family name	core.schema
st	stateOrProvinceName	organizationalPerson		core.schema
street	streetAddress	organizationalPerson		core.schema
-	telephoneNumber	organizationalPerson		core.schema
userPassword	-	organization organizationalUnit person dmd simpleSecurityObject domain posixAccount	User password for some form of access control	core.schema
uid	userid	account inetOrgPerson posixAccount	various - mostly username or other unique value	core.schema

Object Classes

Not an exhaustive list but shows the mandatory (MUST) and optional (MAY) attributes in some commonly used objectclasses. Clicking the schema link will take you to the objectClass definition. While many objectClasses show no MUST attributes you must (ouch) follow any hierarchy (shown using the [->...] notation) to determine if this is the really case. Thus, if you try to create an entry with inetOrgPerson without at least one cn and sn attribute - it will fail. More information about objectClass and Attribute hierachies.

Name	MUST	MAY	Schema
account	userid	description $ seeAlso $ localityName $ organizationName $ organizationalUnitName $ host	cosine.schema
country	c	searchGuide $ description	core.schema
dcObject	dc	-	core.schema
device	cn	serialNumber $ seeAlso $ owner $ ou $ o $ l $ description	core.schema
friendlyCountry [->country]	friendlyCountyName	-	cosine.schema
groupOfNames	member $ cn	businessCategory $ seeAlso $ owner $ ou $ o $ description	core.schema
groupOfUniqueNames	uniqueMember $ cn	businessCategory $ seeAlso $ owner $ ou $ o $ description	core.schema
inetOrgPerson [->organizationalPerson]	-	audio $ businessCategory $ carLicense $ departmentNumber $ displayName $ employeeNumber $ employeeType $ givenName $ homePhone $ homePostalAddress $ initials $ jpegPhoto $ labeledURI $ mail $ manager $ mobile $ o $ pager $ photo $ roomNumber $ secretary $ uid $ userCertificate $ x500uniqueIdentifier $ preferredLanguage $ userSMIMECertificate $ userPKCS12	inetorgperson.schema
locality	-	street $ seeAlso $ searchGuide $ st $ l $ description	core.schema
organizationalPerson [->person]	-	title $ x121Address $ registeredAddress $ destinationIndicator $ preferredDeliveryMethod $ telexNumber $ teletexTerminalIdentifier $ telephoneNumber $ internationaliSDNNumber $ facsimileTelephoneNumber $ street $ postOfficeBox $ postalCode $ postalAddress $ physicalDeliveryOfficeName $ ou $ st $ l	core.schema
organization	o	userPassword $ searchGuide $ seeAlso $ businessCategory $ x121Address $ registeredAddress $ destinationIndicator $ preferredDeliveryMethod $ telexNumber $ teletexTerminalIdentifier $ telephoneNumber $ internationaliSDNNumber $ facsimileTelephoneNumber $ street $ postOfficeBox $ postalCode $ postalAddress $ physicalDeliveryOfficeName $ st $ l $ description	core.schema
organizationalRole	cn	x121Address $ registeredAddress $ destinationIndicator $ preferredDeliveryMethod $ telexNumber $ teletexTerminalIdentifier $ telephoneNumber $ internationaliSDNNumber $ facsimileTelephoneNumber $ seeAlso $ roleOccupant $ preferredDeliveryMethod $ street $ postOfficeBox $ postalCode $ postalAddress $ physicalDeliveryOfficeName $ ou $ st $ l $ description	core.schema
organizationalUnit	ou	userPassword $ searchGuide $ seeAlso $ businessCategory $ x121Address $ registeredAddress $ destinationIndicator $ preferredDeliveryMethod $ telexNumber $ teletexTerminalIdentifier $ telephoneNumber $ internationaliSDNNumber $ facsimileTelephoneNumber $ street $ postOfficeBox $ postalCode $ postalAddress $ physicalDeliveryOfficeName $ st $ l $ description	core.schema
person	sn $ cn	userPassword $ telephoneNumber $ seeAlso $ description	core.schema
posixAccount	cn $ uid $ uidNumber $ gidNumber $ homeDirectory	userPassword $ loginShell $ gecos $ description	nis.schema
residentialPerson [->person]	l	businessCategory $ x121Address $ registeredAddress $ destinationIndicator $ preferredDeliveryMethod $ telexNumber $ teletexTerminalIdentifier $ telephoneNumber $ internationaliSDNNumber $ facsimileTelephoneNumber $ preferredDeliveryMethod $ street $ postOfficeBox $ postalCode $ postalAddress $ physicalDeliveryOfficeName $ st $ l	core.schema

Problems, comments, suggestions, corrections (including broken links) or something to add? Please take the time from a busy life to 'mail us' (at top of screen), the webmaster (below) or info-support at zytrax. You will have a warm inner glow for the rest of the day.

Appendix E: LDAP - Object Classes and Attributes

Contents

Commonly Used Attributes

Object Classes