Schema checking

Edit online

When the server is initialized, the schema files are read and checked for consistency and correctness.

If the checks fail, the server fails to initialize and issues an error message. During any dynamic schema change, the resulting schema is also checked for consistency and correctness. If the checks fail, an error is returned and the change fails. Some checks are part of the grammar (for example, an attribute type can have at most one supertype, or an object class can have any number of superclasses).

The following items are checked for attribute types:

  • Two different attribute types cannot have the same name or OID.
  • The inheritance hierarchy of attribute types does not have cycles.
  • The supertype of an attribute type must also be defined, although its definition might be displayed later, or in a separate file.
  • If an attribute type is a subtype of another, they both have the same USAGE.
  • All attribute types have a syntax either directly defined or inherited.
  • Only operational attributes can be marked as NO-USER-MODIFICATION.

The following items are checked for object classes:

  • Two different object classes cannot have the same name or OID.
  • The inheritance hierarchy of object classes does not have cycles.
  • The superclasses of an object class must also be defined, although its definition might appear later or in a separate file.
  • The "MUST" and "MAY" attribute types of an object class must also be defined, although its definition might appear later or in a separate file.
  • Every structural object class is a direct or indirect subclass of top.
  • If an abstract object class has superclasses, the superclasses must also be abstract.

Checking an entry against the schema

When an entry is added or modified through an LDAP operation, the entry is checked against the schema. By default, all checks listed in this section are performed. However you can selectively disable some of the schema checking by changing the schema checking level. This is done through System i Navigator by changing the value of the Schema checking field on the Database/Suffixes page of the Directory Server properties.

To comply with the schema an entry is checked for the following conditions:

With respect to object classes:
  • Must have at least one value of attribute type "objectClass".
  • Can have any number of auxiliary object classes including zero. This is not a check, but a clarification. There are no options to disable this.
  • Can have any number of abstract object classes, but only as a result of class inheritance. This means that for every abstract object class that the entry has, it also has a structural or auxiliary object class that inherits directly or indirectly from that abstract object class.
  • Must have at least one structural object class.
  • Must have exactly one immediate or base structural object class. This means that of all the structural object classes provided with the entry, they all must be superclasses of exactly one of them. The most derived object class is called the "immediate" or "base structural" object class of the entry, or simply the "structural" object class of the entry.
  • Cannot change its immediate structural object class (on ldap_modify).
  • For each object class provided with the entry, the set of all of its direct and indirect superclasses is calculated; if any of those superclasses is not provided with the entry, then it is automatically added.
  • If the schema checking level is set to Version 3 (strict) all structural superclasses must be provided. For example, to create an entry with objectclass inetorgperson, the following objectclasses must be specified: person, organizationalperson, and inetorgperson.
The validity of the attribute types for an entry is determined as follows:
  • The set of MUST attribute types for the entry is calculated as the union of the sets of MUST attribute types of all of its object classes, including the implied inherited object classes. If the set of MUST attribute types for the entry is not a subset of the set of attribute types contained by the entry, the entry is rejected.
  • The set of MAY attribute types for the entry is calculated as the union of the sets of MAY attribute types of all of its object classes, including the implied inherited object classes. If the set of attribute types contained by the entry is not a subset of the union of the sets of MUST and MAY attribute types for the entry, the entry is rejected.
  • If any of the attribute types defined for the entry are marked as NO-USER-MODIFICATION, the entry is rejected.
The validity of the attribute type values for an entry is determined as follows:
  • For every attribute type contained by the entry, if the attribute type is single-valued and the entry has more than one value, the entry is rejected.
  • For every attribute value of every attribute type contained by the entry, if its syntax does not comply with the syntax checking routine for the syntax of that attribute, the entry is rejected.
  • For every attribute value of every attribute type contained by the entry, if its length is greater than the maximum length assigned to that attribute type, the entry is rejected.
The validity of the DN is checked as follows:
  • The syntax is checked for compliance with the BNF for DistinguishedNames. If it does not comply, the entry is rejected.
  • It is verified that the RDN is made up with only attribute types that are valid for that entry.
  • It is verified that the values of attribute types used in the RDN appear in the entry.