The object class configuration enables you to configure the security platform to recognize nondefault or custom object classes and attributes that may exist in your corporate LDAP or Active Directory schema.
Object classes define which attributes are allowed for each entry in a directory store.
For example, person is a standard user object class in LDAP schemas. The person object class has a set of required attributes (such as cn for common name), and may also have optional attributes (for example, telephoneNumber).
Object classes often have subclasses. The subclasses can be assigned to an entry to give it a more detailed range of required and allowed attributes. For example, in iPlanet, the object class person is too general to allow use of the attribute postOfficeBox, but its subordinate object class organizationalPerson does allow that attribute. So if an LDAP administrator wanted to list a postOfficeBox for Susan Smith, that user entry should be assigned to the object class organizationalPerson (as well as its ancestral object classes, person and top).
The default user object classes for LDAP are assumed by the security platform to be person, organizationalPerson, and inetOrgPerson, because these are commonly found in LDAP directories.
The default user object classes for Active Directory are assumed by the security platform to be person, organizationalPerson, and user, because these are commonly found in Active Directory.
If your corporate directory schema uses specialized user object classes, modify or add <entry></entry> elements and their values as necessary.
For more information, consult the schema reference and deployment documentation for your directory.
The default group object classes for LDAP are assumed to be groupofuniquenames?uniquemember and groupOfNames?member.
The default group object class for Active Directory is assumed to be group?member.
If your corporate directory schema uses specialized group object classes, modify or add <entry></entry> elements and their values as necessary.
For additional entries that you make, the <entry></entry> tag values must be of the format ObjectClassName?AttributeName. For example:
<entry>group?member</entry>
where group is the name of the object class and member is the attribute that holds the distinguished name of each member of this group.
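The following is an added example, not Hyperion's code: it shows how a consumer of this configuration can validate the ObjectClassName?AttributeName entries, reject malformed ones instead of silently ignoring them, and then use the user and group object class lists to decide whether a directory entry is a user, a group (and which attribute holds its member DNs), or neither. The documentation only specifies the <entry> elements and the value format; the enclosing element names (objectClasses, userObjectClasses, groupObjectClasses), the sample configuration and the sample directory entries are assumptions constructed for this example. Object class and attribute names are compared case-insensitively, as LDAP treats them, which is why groupofuniquenames?uniquemember matches an entry whose objectClass is groupOfUniqueNames.

```python
import re
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional, Tuple

# Constructed sample configuration. Only the <entry> elements and the
# "ObjectClassName?AttributeName" value format come from the documentation;
# the enclosing element names are assumptions made for this example.
SAMPLE_CONFIG = """
<objectClasses>
  <userObjectClasses>
    <entry>person</entry>
    <entry>organizationalPerson</entry>
    <entry>inetOrgPerson</entry>
  </userObjectClasses>
  <groupObjectClasses>
    <entry>groupofuniquenames?uniquemember</entry>
    <entry>groupOfNames?member</entry>
    <entry>group?member</entry>
  </groupObjectClasses>
</objectClasses>
"""

# Constructed directory entries, shaped like what an LDAP client library returns.
SAMPLE_ENTRIES = [
    {"dn": "cn=Susan Smith,ou=People,dc=example,dc=com",
     "objectClass": ["top", "person", "organizationalPerson"],
     "cn": ["Susan Smith"], "postOfficeBox": ["PO Box 12"]},
    {"dn": "cn=admins,ou=Groups,dc=example,dc=com",
     "objectClass": ["top", "groupOfUniqueNames"],
     "uniqueMember": ["cn=Susan Smith,ou=People,dc=example,dc=com"]},
    {"dn": "cn=printer1,ou=Devices,dc=example,dc=com",
     "objectClass": ["top", "device"]},
]

# An object class or attribute name: a letter followed by letters, digits or hyphens.
_NAME = r"[A-Za-z][A-Za-z0-9-]*"
_GROUP_ENTRY_RE = re.compile(rf"^({_NAME})\?({_NAME})$")


def parse_group_entry(value: str) -> Optional[Tuple[str, str]]:
    """Split 'ObjectClassName?AttributeName'; return None if the value is malformed."""
    m = _GROUP_ENTRY_RE.match(value.strip())
    return (m.group(1), m.group(2)) if m else None


def load_config(xml_text: str) -> Tuple[List[str], Dict[str, str], List[str]]:
    """Return (user classes, {group class lower-cased: member attribute}, rejected entries)."""
    root = ET.fromstring(xml_text)
    user_node = root.find("userObjectClasses")
    group_node = root.find("groupObjectClasses")
    users = [(e.text or "").strip() for e in user_node.findall("entry")]
    groups: Dict[str, str] = {}
    rejected: List[str] = []
    for e in group_node.findall("entry"):
        parsed = parse_group_entry(e.text or "")
        if parsed is None:
            rejected.append(e.text or "")  # report bad entries rather than dropping them
            continue
        object_class, attribute = parsed
        groups[object_class.lower()] = attribute  # LDAP class names are case-insensitive
    return users, groups, rejected


def _attribute_values(entry: dict, name: str) -> List[str]:
    """Look up an attribute ignoring case (LDAP attribute names are case-insensitive)."""
    for key, values in entry.items():
        if key.lower() == name.lower():
            return list(values)
    return []


def classify_entry(entry: dict, user_classes: List[str],
                   group_map: Dict[str, str]) -> Tuple[str, List[str]]:
    """Return ('group', member DNs), ('user', []) or ('other', []) for one entry."""
    classes = {oc.lower() for oc in _attribute_values(entry, "objectClass")}
    for object_class, member_attr in group_map.items():
        if object_class in classes:
            return "group", _attribute_values(entry, member_attr)
    if classes & {c.lower() for c in user_classes}:
        return "user", []
    return "other", []


def classify_directory(xml_text: str, entries: List[dict]) -> Dict[str, Tuple[str, List[str]]]:
    """Classify every entry under the given configuration, keyed by DN."""
    users, groups, _rejected = load_config(xml_text)
    return {entry["dn"]: classify_entry(entry, users, groups) for entry in entries}


if __name__ == "__main__":
    for dn, (kind, members) in classify_directory(SAMPLE_CONFIG, SAMPLE_ENTRIES).items():
        print(f"{kind:5s} {dn} {members}")
```

Checking the rejected list returned by load_config at startup is the practical point: an entry such as <entry>group</entry> with no attribute name would otherwise leave the platform unable to read membership for that class, and the resulting authorization gaps are easier to find in a configuration check than in a user's missing group memberships.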
For more information about object classes and the rules for your directory schema, consult the schema reference and the deployment documentation for your directory.
©2004 Hyperion Solutions Corporation. All Rights Reserved. http://www.hyperion.com