ldap 中 ObjectClass 詳解(轉)
初學LDAP時關於objectClass和Attribute之間的關係總是困擾着我,找過許多的中文資料都沒有得到答案。最近終於徹底弄明白了這個問題,決定記錄下來,以讓後學者少走彎路。非常奇妙的是他們之間的關係與Java裏面的一些概念很相似,接下來我會結合Java 來講講LDAP中的objectClass與Attribute。
LDAP中每一個Entry必須屬於某一個objectClass,用Java的方式來理解這個Entry對應着一個Instance,而 objectClass自然就是class了。
在Java中Class大致可以分爲Abstract,concrete兩種,只有concrete Class才能生成instance。而在LDAP中objectClass分爲三種:Abstract,Structural,AUXIALIARY。具體定義如下:
* Abstract object classes are only intended to be extended by other object classes. An entry must not contain any abstract class unless it also contains a structural or auxiliary class that dervies from that abstract class (i.e., includes a non-abstract object
class which has the abstract class in its inheritance chain). All entries must contain at least the “top” abstract object class, in the inheritance chain for their structural class. They may or may not contain other abstract classes in the inheritance chains
for their structural class or any of their auxiliary classes.
* Structural object classes are intended to define the crux of what an entry represents. Every entry must include exactly one structural object class chain, and the root of that chain must ultimately be the “top” abstract object class. The structural object class for an entry is not allowed to be changed.
* Auxiliary object classes are intended to define additional qualities of entries. An entry may contain zero or more auxiliary classes, and the set of auxiliary classes associated with an entry may change over time.
簡單描述就是:Abstract只用來被其它object class繼承,只有當其被Structural object class繼承時纔出現。要定義一個Entry必須有且只有一個Structural類型的ObjectClass。 Top是一個頂級Abstract ObjectClass,裏面定義了一個MUST Attribute:ObjectClass,這就決定了必須有一個其它的Structural ObjectClass才能定義一個Entry.其中ObjectClass又可以存在繼承關係,該繼承關係於Java中有點相似,子ObjectClass會繼承父ObjectClass中的全部Attributes.
接下來看一看ObjectClass與Attribute的關係。
如同Java裏面的一個類可以包括多個Field,在業務上可能會定義某些Field是必須的,另外一些是可選的。在LDAP中也存在類似關係,每一個 ObjectClass都定義了一些Attribute,其Attribute仍然可以是ObjectClass。在這些Attriubte中分爲兩種類型MUST,MAY, MUST表示這個Entry必須包括的屬性,MAY爲可選。一個ObjectClass的Attribute也包括所有繼承自父ObjectClass和自身定義的ObjectClass。
下面用一個類型進行說明:
objectclass ( 2.5.6.0 NAME ‘top’ ABSTRACT
MUST objectClass )
objectclass ( 1.3.6.1.4.1.1466.344 NAME ‘dcObject’
DESC ‘RFC2247: domain component object’
SUP top AUXILIARY
MUST dc )
上面是兩個objectclass的定義,其中top爲ABSTRACT,dcObject爲AUXILIARY,這兩個類型都不能定義Entry.下面這個LDIF文件在導入到LDAP時會出錯:
dn: dc=java,dc=com
objectClass:dcObject
dc: java.com
要定義這個Entry必須找到一個STRUCTURAL類型的ObjectClass。
objectClasses: ( 2.5.6.4 NAME ‘organization’
DESC ‘RFC2256: an organization’ SUP top STRUCTURAL
MUST o
MAY ( userPassword $ searchGuide $ seeAlso $ businessCategory
$ x121Address $ registeredAddress $ destinationIndicator
$ preferredDeliveryMethod $ telexNumber $ teletexTerminalIdentifier
$ telephoneNumber $ internationaliSDNNumber $ facsimileTelephoneNumber
$ street $ postOfficeBox $ postalCode $ postalAddress
$ physicalDeliveryOfficeName $ st $ l $ description ) )
這個objectClass的類型爲STRUCTURAL,因此可以用來定義Entry.具體定義如下
dn: dc=java,dc=com
objectClass:dcObject
objectClass:organization
dc: java.com
o: java.com
其中dc:java.com爲dcObject的MUST Attribute,o: java.com爲organization的MUST Attribute。