LDAP directory schema

The LDAP Version 3 (V3) protocol, as defined in RFC 2252 and RFC 2256, describes schema publication and update. Schema publication lets you query the schema that the directory is currently using by means of the LDAP search operation. Schema update is the ability to change the schema while the directory server is running.

Note:
  • The z/OS® LDAP server implements both schema publication and update. The schema is stored as an entry in the database, and search (publication) and modify (update) operations can be performed on this entry. The distinguished name of the schema entry is cn=schema.

    The schemaPath option in the LDAP server configuration file defines the location where the LDAP server saves the schema entry. The default is /var/ldap/schema. Back up this directory as part of the normal system backup procedure, because loss of the schema directory invalidates all existing directory entries. If there are multiple LDAP servers running in single-server mode on the system, a unique schema directory must be specified in the schemaPath configuration option for each LDAP server. If there are multiple LDAP servers running in multi-server mode in the same sysplex group on the system, the schema directory specified in the schemaPath configuration option must be the same in each LDAP server's configuration file and must exist within a shared z/OS UNIX System Services file system. See Configuring the operational mode for more information.

  • When the z/OS LDAP server is first started, the server supplies an initial schema. This initial schema is sufficient for use of the SDBM (without RACF® custom fields), CDBM (with configuration-related entries), and GDBM backends, but must be updated for use of LDBM, TDBM, SDBM with RACF custom fields, and CDBM with user-defined entries. The initial schema elements cannot be deleted and can be modified only in limited ways. See Initial LDAP server schema for the contents of the initial schema.
  • Access to the schema entry is controlled by an access control list (ACL), even when the LDAP server is in maintenance mode. All requests to access the schema entry, except those from an LDAP root or schema administrator, are subject to ACL checking. In particular, on a basic replication replica server, requests from the masterServerDN or peerServerDN are subject to access control. The default ACL allows all users to display the schema, but only an LDAP root or schema administrator can update the schema. This ACL can be modified. See Using access control for more information.
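The two operations described above, publication (a base-scope search of cn=schema) and update (a modify of that entry), are illustrated by the following added example. It is not code from the z/OS LDAP product or its documentation. The LDIF is a constructed stand-in for what a search of cn=schema returns, not the server's initial schema, and the new attribute type uses a placeholder OID. Because the initial schema elements cannot be deleted and can be modified only in limited ways, the example checks a proposed definition against the published names and OIDs before it builds the ldapmodify LDIF, so a colliding update is caught on the client side rather than rejected by the server.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Constructed sample of the kind of output produced by a base-scope search of
# cn=schema. Long values are folded onto continuation lines (leading space).
SCHEMA_LDIF = """\
dn: cn=schema
cn: schema
attributeTypes: ( 2.5.4.3 NAME ( 'cn' 'commonName' ) SUP name )
attributeTypes: ( 2.5.4.4 NAME ( 'sn' 'surname' ) SUP name )
attributeTypes: ( 2.5.4.35 NAME 'userPassword' EQUALITY octetStringMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.40{128} )
objectClasses: ( 2.5.6.6 NAME 'person' SUP top STRUCTURAL MUST ( sn $ cn )
  MAY ( userPassword $ telephoneNumber $ seeAlso $ description ) )
"""

# Leading "( <oid> NAME ..." of an RFC 2252 attribute type or object class definition.
_HEAD_RE = re.compile(r"^\(\s*(?P<oid>\S+)\s+NAME\s+(?:'(?P<one>[^']*)'|\((?P<many>[^)]*)\))")


@dataclass
class SchemaIndex:
    """Names and OIDs the server already publishes, keyed case-insensitively."""
    attribute_types: Dict[str, str] = field(default_factory=dict)  # lower name -> OID
    object_classes: Dict[str, str] = field(default_factory=dict)
    oids: Set[str] = field(default_factory=set)


def unfold_ldif(text: str) -> List[str]:
    """Join LDIF continuation lines (leading space) and drop comments and blanks."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif raw and not raw.startswith("#"):
            lines.append(raw)
    return lines


def parse_element(definition: str) -> Tuple[str, List[str]]:
    """Return (OID, [names]) from one attributeTypes or objectClasses value."""
    m = _HEAD_RE.match(definition.strip())
    if not m:
        raise ValueError(f"not a schema element definition: {definition!r}")
    names = [m["one"]] if m["one"] is not None else re.findall(r"'([^']*)'", m["many"])
    return m["oid"], names


def parse_schema(ldif: str) -> SchemaIndex:
    """Index the attributeTypes and objectClasses values of a published cn=schema entry."""
    index = SchemaIndex()
    for line in unfold_ldif(ldif):
        attr, sep, value = line.partition(": ")
        kind = attr.lower()
        if not sep or kind not in ("attributetypes", "objectclasses"):
            continue
        oid, names = parse_element(value)
        table = index.attribute_types if kind == "attributetypes" else index.object_classes
        for name in names:
            table[name.lower()] = oid
        index.oids.add(oid)
    return index


def check_new_element(index: SchemaIndex, kind: str, definition: str) -> List[str]:
    """List reasons a definition cannot be added: an OID or name already in use."""
    oid, names = parse_element(definition)
    table = index.attribute_types if kind == "attributeTypes" else index.object_classes
    problems = [f"OID {oid} is already defined"] if oid in index.oids else []
    for name in names:
        if name.lower() in table:
            problems.append(f"{kind} name {name!r} already maps to OID {table[name.lower()]}")
    return problems


def schema_modify_ldif(index: SchemaIndex, kind: str, definition: str) -> str:
    """Build the ldapmodify LDIF that adds one element to cn=schema, after the collision check."""
    if kind not in ("attributeTypes", "objectClasses"):
        raise ValueError("kind must be attributeTypes or objectClasses")
    problems = check_new_element(index, kind, definition)
    if problems:
        raise ValueError("; ".join(problems))
    return f"dn: cn=schema\nchangetype: modify\nadd: {kind}\n{kind}: {definition}\n-\n"


# Hypothetical attribute type; the OID arc 1.3.6.1.4.1.99999 is a placeholder, not a registered one.
NEW_ATTRIBUTE = ("( 1.3.6.1.4.1.99999.1.1 NAME 'exampleBadgeNumber' "
                 "EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )")

if __name__ == "__main__":
    published = parse_schema(SCHEMA_LDIF)
    print(f"{len(published.attribute_types)} attribute names, "
          f"{len(published.object_classes)} object class names published")
    print(schema_modify_ldif(published, "attributeTypes", NEW_ATTRIBUTE))
```

The LDIF that schema_modify_ldif returns is what you would feed to ldapmodify, bound as an LDAP root or schema administrator, since the default ACL lets everyone read cn=schema but only those identities change it. Run against real server output, the same parser also shows which names the initial schema already claims before an update for LDBM or TDBM is attempted.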