Enterprise Directory Schema

Release 1.19
Date 2018-02-12

About this Document

This document is the schema for the first phase of the Enterprise Directory system. It contains most of the demographic data about a person that will be in the final phase of the Enterprise Directory, with the exception of those attributes which a person will have direct control over as this directory does not allow for writes. It also contains group and service entry representation.

ED-Auth, ED-Lite, and ED-ID attributes are marked in the objectClass outline sections.

Layout

This document will begin with an outline of the schema used in the ED-LDAP directory which will give the object class and attributes in the class as well as the DIT for the directory. An in-depth description of each attribute will follow the outline.

Indexing

As with databases, LDAP directories provide a mechanism for creating indexes. Searching on indexed attributes provides far faster results than searching on non-indexed fields. The two most common types of indexing for LDAP directories are equality and substring. Those attributes marked as being equality indexed allow exact match searches to be performed against them. Attributes indexed in a substring manner allow wildcard searches to be performed against them. If an attribute is marked as having both equality and substring indexes, the equality search will perform better and should be used if possible. The equality index is used when no wildcard character appears in the string being searched for.
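As an added illustration (not part of this schema document), the following Python builds a search filter that picks the equality form when the value has no wildcard, refuses wildcard searches on attributes that this schema does not substring-index, and escapes the value per RFC 4515 so that untrusted input cannot alter the filter's structure. INDEXES is a constructed excerpt of the "Indexing:" lines given for the group and service attributes below.

```python
# Added example, not from the schema document.  INDEXES copies the indexing this
# schema declares for a few attributes; extend it from the attribute entries below.
INDEXES = {
    "uid":           {"equality"},
    "uugid":         {"equality", "substring", "presence"},
    "uusid":         {"equality", "substring", "presence"},
    "member":        {"equality", "presence"},
    "administrator": {"equality", "presence"},
    "displayName":   set(),            # not indexed at all
}

# RFC 4515 escapes for the characters that are special inside a filter value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a literal value so user input cannot change the filter's structure."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_filter(attr: str, value: str) -> str:
    """Return an equality filter when the value has no wildcard (the faster index),
    a substring filter otherwise, and refuse searches no declared index can serve."""
    if attr not in INDEXES:
        raise ValueError(f"unknown attribute {attr!r}")
    idx = INDEXES[attr]
    if "*" in value:
        if "substring" not in idx:
            raise ValueError(f"{attr} has no substring index; wildcard search refused")
        # Keep the caller's wildcards, escape everything between them.
        pieces = [escape_filter_value(p) for p in value.split("*")]
        return f"({attr}={'*'.join(pieces)})"
    if "equality" not in idx:
        raise ValueError(f"{attr} has no equality index; search on an indexed key instead")
    return f"({attr}={escape_filter_value(value)})"
```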

Schema Outline

ObjectClass Outline

objectclass virginiaTechPerson

See detailed schema reference for complete attribute definitions.

superior: top      
required:        
    ED-ID ED-Auth ED-Lite
  cn  
  creationDate    
  eduPersonAffiliation  
  eduPersonPrimaryAffiliation  
  gender    
  personType    
  sn  
  uid
  virginiaTechAffiliation  
optional:        
  accountCreationDate    
  accountExpirationDate    
  accountRecoveryMaintenanceDate    
  accountShelveDate    
  accountState  
  address    
  authId  
  bannerName    
  bannerPIDM    
  c  
  campus    
  classLevel    
  classLevelCode    
  confidentialFlag    
  dateOfBirth    
  degreeType    
  department  
  departmentNumber  
  displayName  
  eduPersonPrincipalName    
  employeeOffCampus    
  expirationDate    
  facsimileTelephoneNumber    
  givenName  
  groupAddDate    
  groupExpireDate    
  groupMembership  
  groupMembershipUugid  
  guestId  
  homeFAX    
  homeMobile    
  homePager    
  homePhone    
  homePostalAddress    
  initials    
  instantMessagingID  
  jpegPhoto    
  l  
  labeledURI  
  lastEnrollmentTerm    
  lastEnrollmentTermCode    
  localFAX    
  localMobile    
  localPager    
  localPhone  
  localPostalAddress  
  mail    
  mailAccount    
  mailAlias    
  mailAuxiliaryAccount    
  mailExternalAddress    
  mailForwardingAddress    
  mailPreferredAddress  
  mailStop  
  major  
  majorCode    
  middleName  
  mobile    
  networkPassword    
  nextEnrollmentTerm    
  nextEnrollmentTermCode    
  pager    
  passwordChangeDate  
  passwordExpirationDate  
  passwordState  
  personData  
  postalAddress  
  postalCode  
  postOfficeBox  
  preferredLanguage    
  publicKey  
  responsiblePerson    
  st  
  street  
  studentLevelCode    
  suppressEmployeeDisplay    
  suppressDisplay    
  suppressedAttribute    
  telephoneNumber  
  title  
  udcIdentifier    
  undergraduateLevel    
  userCertificate  
  userPassword  
  userSMIMECertificate  
  uupid
  virginiaTechID    

objectclass virginiaTechGroup

superior: top      
required:        
    ED-ID ED-Auth ED-Lite
  contactPerson    
  creationDate    
  uid
  uugid
optional:        
  administrator    
  displayName  
  emailAddress  
  expirationDate    
  groupData  
  groupMembership
  labeledURI  
  manager    
  member
  suppressDisplay  
  suppressMembers  
  viewer    

objectclass virginiaTechService

superior: top      
required:        
    ED-ID ED-Auth ED-Lite
  accountState    
  administrator    
  certificate    
  contactPerson    
  creationDate    
  serviceDN    
  serviceType    
  uid    
  uusid    
optional:        
  endpointBinding    
  endpointProtocol    
  endpointURI    
  expirationDate    
  viewablePersonAttribute    

objectclass virginiaTechEntitlement

superior: top      
required:        
    ED-ID ED-Auth ED-Lite
  creationDate    
  entitlement    
  manager    
  uid    
optional:        
  entitled    
  expirationDate    
  sponsor    
  viewer    

objectclass virginiaTechOrganization

superior: top      
required:        
    ED-ID ED-Auth ED-Lite
  orgCode    
  orgTitle    
  orgLevel    
  orgLevelCode    
  uid    
  orgStatus    
optional:        
  creationDate    
  orgEmployee    
  orgLevelCode1    
  orgLevelCode2    
  orgLevelCode3    
  orgLevelCode4    
  orgLevelCode5    
  orgLevelCode6    

Object Classes

Objectclass virginiaTechPerson

See detailed schema reference.

Objectclass virginiaTechGroup

administrator
Required: No
Cardinality: multi
Indexing: equality, presence
Definition: These are the DNs of the people who may administer this group.
Notes:  
Example: administrator: uid=987654,ou=People,dc=vt,dc=edu
contactPerson
Required: Yes
Cardinality: multi
Indexing: equality, presence
Definition: This is the DN of the person who should receive any correspondence for the group.
Notes: This is the person who will be contacted for administrative purposes (such as group renewal announcements). If a group email address isn’t specified, this person will also get the daily correspondence for this group.
Example: contactPerson: uid=1234567,ou=People,dc=vt,dc=edu
creationDate
Required: Yes
Cardinality: single
Indexing: none
Definition: This is the date the group was added to the directory.
Notes: Time is 24 hour based. Format is yyyy-mm-ddThh:mm:ssTZD, where TZD = Time Zone Designator. For the Eastern Time zone this is -0500.
Example: creationDate: 2001-11-09T15:25:15-0500
displayName
Required: No
Cardinality: single
Indexing: none
Definition: This represents the human readable name of a group and will be displayed in place of, or along side of, the group’s uugid.
Notes: This name is not guaranteed to be unique.
Example: displayName: Karate Club
emailAddress
Required: No
Cardinality: single
Indexing: none
Definition: This is the email address that everyday correspondence to the group should be sent to.
Notes: If no email address is specified email correspondence will be sent to the contact person’s email address.
Example: emailAddress: karate_club@vt.edu
expirationDate
Required: No
Cardinality: single
Indexing: none
Definition: This is the date the group is set to expire from the directory.
Notes: Time is 24 hour based. Format is yyyy-mm-ddThh:mm:ssTZD, where TZD = Time Zone Designator. For the Eastern Time zone this is -0500.
Example: expirationDate: 2001-11-09T15:25:15-0500
groupData
Required: No
Cardinality: multi
Indexing: none
Definition: This field allows a group to store additional information about the group, which may be displayed along with other group information.
Notes: Some information that may be included here is a telephone number, an address, other websites, etc. Valid XHTML may be included to add emphasis to certain items.
Example: groupData: Meets on Thursdays from 5-7
groupMembership
Required: No
Cardinality: multi
Indexing: equality, presence
Definition: A list of the group DNs this group is a member of.
Notes:  
Example: groupMembership: uugid=bioclub,ou=Groups,dc=vt,dc=edu
labeledURI
Required: No
Cardinality: multi
Indexing: none
Definition: Webpage(s) associated with the group.
Notes: The format for this attribute is “label:url”, where the label describes the link and the url is the URL of the link.
Example: labeledURI: homepage:http://filebox.vt.edu/karate_club
manager
Required: No
Cardinality: multi
Indexing: none
Definition: A list of the DNs who are managers of this group.
Notes:  
Example: manager: uid=1234567,ou=people,dc=vt,dc=edu
member
Required: No
Cardinality: multi
Indexing: equality, presence
Definition: A list of the DNs who are members of this group. May include person and/or group DNs.
Notes:  
Example: member: uid=1234567,ou=people,dc=vt,dc=edu
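Because member may hold group DNs as well as person DNs, a consumer that authorizes on group membership has to walk nested groups and must not loop when two groups contain each other. The following Python is an added example (not from the schema document) using a constructed in-memory stand-in for the directory; the is_group_dn test assumes group DNs are named by uugid as in the examples above.

```python
# Added example, not from the schema document.  GROUPS is a constructed stand-in
# for virginiaTechGroup entries keyed by DN; "member" mixes person and group DNs.
GROUPS = {
    "uugid=karate_club,ou=Groups,dc=vt,dc=edu": {
        "member": [
            "uid=1234567,ou=People,dc=vt,dc=edu",
            "uugid=karate_officers,ou=Groups,dc=vt,dc=edu",
        ],
    },
    "uugid=karate_officers,ou=Groups,dc=vt,dc=edu": {
        "member": [
            "uid=987654,ou=People,dc=vt,dc=edu",
            "uugid=karate_club,ou=Groups,dc=vt,dc=edu",   # nests back to the parent: a cycle
        ],
    },
}


def is_group_dn(dn: str) -> bool:
    """Assumption: group entries are named by uugid, as in this schema's examples."""
    return dn.lower().startswith("uugid=")


def effective_members(group_dn: str, groups=GROUPS) -> set:
    """Person DNs that belong to group_dn directly or through nested groups.
    The visited set makes the walk terminate even when groups contain each other."""
    people, visited, stack = set(), set(), [group_dn]
    while stack:
        dn = stack.pop()
        if dn in visited:
            continue
        visited.add(dn)
        for m in groups.get(dn, {}).get("member", []):
            if is_group_dn(m):
                stack.append(m)      # expand the nested group later
            else:
                people.add(m)        # a person DN: record it
    return people


def is_effective_member(person_dn: str, group_dn: str, groups=GROUPS) -> bool:
    """Authorization check: is person_dn a member of group_dn, nesting included?"""
    return person_dn in effective_members(group_dn, groups)
```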
suppressDisplay
Required: No
Cardinality: single
Indexing: none
Definition: Whether this group’s entire record should be suppressed from public view.
Notes:  
Example: suppressDisplay: true
suppressMembers
Required: No
Cardinality: single
Indexing: none
Definition: Whether this group’s membership should be suppressed from public view.
Notes:  
Example: suppressMembers: true
uid
Required: Yes
Cardinality: single
Indexing: equality
Definition: The unique identifier for this group. Corresponds to the sequence number in the Registry.
Notes:  
Example: uid: 1
uugid
Required: Yes
Cardinality: single
Indexing: equality, substring, presence
Definition: This Universally Unique Group Identifier is the unique identifier of a group within the directory.
Notes:  
Example:  
viewer
Required: No
Cardinality: multi
Indexing: none
Definition: The DNs that may view this group and its membership.
Notes:  
Example: viewer: uusid=exampleService,ou=Services,dc=vt,dc=edu

Objectclass virginiaTechService

accountState
Required: Yes
Cardinality: single
Indexing: none
Definition: The current state of this service account.
Notes: May be one of two values: active or inactive.
Example: accountState: active
administrator
Required: Yes
Cardinality: multi
Indexing: equality, presence
Definition: A list of people DNs that may administer a service.
Notes: Administrators may add or remove authorized users from a service.
Example: administrator: uid=1254884,ou=People,dc=vt,dc=edu
contactPerson
Required: Yes
Cardinality: single
Indexing: equality, presence
Definition: This is the DN of the person who is ultimately responsible for this service.
Notes:  
Example: contactPerson: uid=987654,ou=People,dc=vt,dc=edu
creationDate
Required: Yes
Cardinality: single
Indexing: none
Definition: This is the date the service was added to the directory.
Notes: Time is 24 hour based. Format is yyyy-mm-ddThh:mm:ssTZD, where TZD = Time Zone Designator. For the Eastern Time zone this is -0500.
Example: creationDate: 2001-11-09T15:25:15-0500
certificate
Required: Yes
Cardinality: multi
Indexing: none
Definition: The public certificate of the service
Notes:  
Example:  
endpointBinding
Required: No
Cardinality: multi
Indexing: none
Definition: The endpoint binding.
Notes:  
Example: endpointBinding: POST
endpointProtocol
Required: No
Cardinality: multi
Indexing: none
Definition: The endpoint protocol.
Notes:  
Example: endpointProtocol: SAML
endpointURI
Required: No
Cardinality: multi
Indexing: none
Definition: The endpoint URI.
Notes:  
Example: endpointURI: https://foo.com/bar
expirationDate
Required: No
Cardinality: single
Indexing: none
Definition: This is the date the service is set to expire from the directory.
Notes: Time is 24 hour based. Format is yyyy-mm-ddThh:mm:ssTZD, where TZD = Time Zone Designator. For the Eastern Time zone this is -0500.
Example: expirationDate: 2001-11-09T15:25:15-0500
serviceDN
Required: Yes
Cardinality: multi
Indexing: equality
Definition: The DN of the service certificate
Notes: The serviceDN must map to the certificate that did TLS client authentication to ED-LDAP for the service to have any privileges other than anonymous access.
Example: serviceDN: cn=ED-ID Service,ou=1,ou=Middleware-Client,o=Virginia Polytechnic Institute and State University,l=Blacksburg,st=Virginia,c=US,dc=vt,dc=edu
serviceType
Required: Yes
Cardinality: single
Indexing: none
Definition: This is the service type of the service.
Notes: Personal services may view any non-suppressed person attribute, as well as any suppressed attribute in its view access control list (vACL), for the authenticated user originating the request, and may only display that information to that authenticated user. In other words, a personal service will show you any of your suppressed attributes in its vACL, but only to you. Private services may view any non-suppressed person attribute, as well as any suppressed attribute in its vACL, for any person; however, they may not make this information publicly viewable.
Example: serviceType: personal
uid
Required: Yes
Cardinality: single
Indexing: equality
Definition: The unique identifier for this service. Corresponds to the sequence number in the Registry.
Notes:  
Example: uid: 1
uusid
Required: Yes
Cardinality: single
Indexing: equality, substring, presence
Definition: This Universally Unique Service Id is the unique identifier of a service within the directory.
Notes:  
Example: uusid: filebox
viewablePersonAttribute
Required: No
Cardinality: multi
Indexing: equality, presence
Definition: This is a list of virginiaTechPerson attributes that this service may view.
Notes: This list is used in conjunction with the service type to determine which user-suppressed fields a service can view.
Example: viewablePersonAttribute: mail
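The serviceType notes and the viewablePersonAttribute list together define one access decision: which attributes of a person a given service may receive. The following Python is an added example (not from the schema document) that encodes those rules; the Person.suppressed set stands in for the person's suppressedAttribute values, norm_dn is an assumed DN comparison, and the sample people and services are constructed.

```python
# Added example, not from the schema document.  Encodes the serviceType / vACL rules:
# non-suppressed attributes are visible to any service; suppressed ones only if listed
# in the service's vACL, and for a personal service only to the user's own record.
from dataclasses import dataclass

@dataclass
class Service:
    uusid: str
    service_type: str          # serviceType: "personal" or "private"
    viewable: frozenset        # viewablePersonAttribute values (the vACL)

@dataclass
class Person:
    dn: str
    attrs: dict                # attribute name -> value
    suppressed: frozenset      # stands in for the person's suppressedAttribute values

def norm_dn(dn: str) -> str:
    """Assumed DN normalisation for comparison: case-fold and trim around commas."""
    return ",".join(part.strip() for part in dn.lower().split(","))

def visible_attributes(service: Service, person: Person, requester_dn=None) -> dict:
    """Subset of person.attrs the service may see.  requester_dn is the authenticated
    user on whose behalf a personal service asks (None when nobody is authenticated)."""
    if service.service_type not in ("personal", "private"):
        raise ValueError(f"unknown serviceType {service.service_type!r}")
    out = {}
    for name, value in person.attrs.items():
        if name not in person.suppressed:
            out[name] = value                   # non-suppressed: any service may view
        elif name not in service.viewable:
            continue                            # suppressed and not in the vACL: never
        elif service.service_type == "private":
            out[name] = value                   # private: any person, not for public display
        elif requester_dn and norm_dn(requester_dn) == norm_dn(person.dn):
            out[name] = value                   # personal: only the user's own record
    return out

# Constructed sample data.
ALICE = Person(
    dn="uid=1234567,ou=People,dc=vt,dc=edu",
    attrs={"uid": "1234567", "cn": "Alice Example",
           "mail": "alice@example.invalid", "homePhone": "555-0100"},
    suppressed=frozenset({"mail", "homePhone"}),
)
PORTAL = Service("portal", "personal", frozenset({"mail"}))
HR_APP = Service("hr-app", "private", frozenset({"mail"}))
```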

Objectclass virginiaTechEntitlement

creationDate
Required: Yes
Cardinality: single
Indexing: none
Definition: This is the date the entitlement was added to the directory.
Notes: Time is 24 hour based. Format is yyyy-mm-ddThh:mm:ssTZD, where TZD = Time Zone Designator. For the Eastern Time zone this is -0500.
Example: creationDate: 2001-11-09T15:25:15-0500
entitled
Required: No
Cardinality: multi
Indexing: none
Definition: A DN that represents the entry with this virginiaTechEntitlement.
Notes: Only people can currently have entitlements. In the future, this may be expanded to include services and groups.
Example: entitled: uid=1152120,ou=People,dc=vt,dc=edu
entitlement
Required: Yes
Cardinality: single
Indexing: none
Definition: A string that identifies the virginiaTechEntitlement
Notes: May coexist with eduPersonEntitlement in the future.
Example: entitlement: middleware:dat:person:create
expirationDate
Required: No
Cardinality: single
Indexing: none
Definition: The date this virginiaTechEntitlement will expire.
Notes: Time is 24 hour based. Format is yyyy-mm-ddThh:mm:ssTZD, where TZD = Time Zone Designator. For the Eastern Time zone this is -0500.
Example: expirationDate: 2001-11-09T15:25:15-0500
manager
Required: Yes
Cardinality: multi
Indexing: none
Definition: The DN of the service that manages this virginiaTechEntitlement.
Notes: Though this will initially only contain service DNs, it may contain people or group DNs in the future. This attribute is defined as multi-valued in RFC1274 (used by inetOrgPerson), but it should always contain one value. This will be enforced through replication.
Example: manager: uusid=service-manager,ou=Services,dc=vt,dc=edu
sponsor
Required: No
Cardinality: single
Indexing: none
Definition: The DN that is sponsoring this virginiaTechEntitlement.
Notes: Initially this will be a person DN, but in the future it may contain service or group DNs.
Example: sponsor: uid=1152120,ou=People,dc=vt,dc=edu
uid
Required: Yes
Cardinality: single
Indexing: equality
Definition: The unique identifier for this virginiaTechEntitlement. Corresponds to VTENTITLEMENTS.VTENTITLEMENT_SEQNO in the Registry.
Notes: Not to be confused with a person, group, or service uid.
Example: uid: 1
viewer
Required: No
Cardinality: multi
Indexing: none
Definition: The DNs that may view this virginiaTechEntitlement.
Notes: Similar to a group’s viewer.
Example: viewer: uusid=viewer-service,ou=Services,dc=vt,dc=edu

Objectclass virginiaTechOrganization

orgCode
Required: Yes
Cardinality: single
Indexing: equality
Definition: The organization code.
Example: orgCode: 066103
orgTitle
Required: Yes
Cardinality: single
Indexing: equality, substring
Definition: The human readable organization title.
Example: orgTitle: Middleware & Identity Apps
orgLevel
Required: Yes
Cardinality: single
Indexing: none
Definition: The numeric level of this organization.
Example: orgLevel: 6
orgLevelCode
Required: Yes
Cardinality: multi
Indexing: equality
Definition: An organization level code.
Example: orgLevelCode: 066103
orgStatus
Required: Yes
Cardinality: single
Indexing: equality
Definition: The organization status.
Example: orgStatus: A
orgEmployee
Required: Yes
Cardinality: single
Indexing: equality
Definition: The DNs of the employees in this organization.
Example: orgEmployee: uid=1152120,ou=People,dc=vt,dc=edu
orgLevelCode[1-6]
Required: Yes
Cardinality: multi
Indexing: equality
Definition: The organization level code with the level number.
Example: orgLevelCode6: 066103
uid
Required: Yes
Cardinality: single
Indexing: equality
Definition: The unique identifier.
Notes:  
Example: uid: 1
creationDate
Required: No
Cardinality: single
Indexing: none
Definition: This is the date the organization was added to the directory.
Notes: Time is 24 hour based. Format is yyyy-mm-ddThh:mm:ssTZD, where TZD = Time Zone Designator. For the Eastern Time zone this is -0500.
Example: creationDate: 2001-11-09T15:25:15-0500

Change Log

1.0 -> 1.1

1.1 -> 1.2

1.2 -> 1.3

1.3 -> 1.4

1.4 -> 1.5

1.5 -> 1.6

1.6 -> 1.7

1.7 -> 1.8

1.8 -> 1.9

1.9 -> 1.10

1.10 -> 1.11

1.12 -> 1.13

1.13 -> 1.14

1.14 -> 1.15

1.15 -> 1.16

1.16 -> 1.17

1.17 -> 1.18

1.18 -> 1.19

1.19 -> 1.20