Schema-checking

When schema-checking is enabled the LDAP service carries out LDAP add and modify operations only if the operations conform to the schema. Schema checking is enabled by default and it is best to keep this default behavior if you allow write access to a directory so that you have better control over the contents of a directory.

About this task

When schema-checking is enabled the LDAP service does the following to check that LDAP add and modify operations comply with the schema:

  • Verifies that each object class specified in an LDAP add operation is defined in the schema.
  • Verifies that attributes specified in LDAP add and modify operations are associated with valid object classes for the entry.
  • Verifies that during an LDAP add operation all mandatory attribute(s) required by the object classes for the entry are provided.

If any of these checks fail, the LDAP service aborts the operation and returns the message, Object Class Violation.

Schema-checking is done only for LDAP add and modify operations and not when Notes® and Web users add and change documents in a Domino® Directory.

Note: Whether or not you enforce schema-checking, the LDAP service requires that each directory tree component specified in a distinguished name during an add or modify DN operation corresponds to an entry in the directory. For example, to add an entry with the distinguished name "uid=JDoe, o=Renovations," there must be an entry in the directory for o=Renovations.

Schema-checking and directory assistance

Procedure

The schema defined for the domain of the server running the LDAP service is the basis for schema-checking. If the LDAP service uses directory assistance to serve a secondary Domino® directory or Extended Directory Catalog for which LDAP write operations are enabled, the LDAP service uses the schema defined for its own domain to determine whether or not to allow write operations in the directory served through directory assistance.