January 12, 2004 12:00 AM

Using LDIF Files to Extend the AD Schema

Automation with the Net::LDAP modules
Windows IT Pro
InstantDoc ID #41194

The Active Directory (AD) schema contains the classes and attributes that define the types of objects that you can create in AD and the properties that you can configure with them. Domain controllers (DCs) store the schema as a set of objects inside the directory, whereas most Lightweight Directory Access Protocol (LDAP) servers store the schema as a collection of text files outside the directory. Storing the schema as objects in AD's Schema container has several advantages. Most notably, you can use tools and scripts to modify the schema as you would other types of objects.

A popular way to extend the AD schema is to use the LDAP Data Interchange Format (LDIF), which the Internet Engineering Task Force (IETF) Request for Comments (RFC) 2849 defines. All major directory vendors support LDIF, so tools that use LDIF to import and export directory data are readily available. For example, the LDIF Directory Exchange utility (Ldifde—a command-line tool in Windows 2000 and later) and the Perl Net::LDAP modules use LDIF files to import and export AD data. Let's look at how you can use Net::LDAP to automate not only importing LDIF files into the schema but also verifying the schema extensions to reduce the potential for errors during the import. But first, let's take a quick look at how LDIF files work and how to install the Net::LDAP modules.

An LDIF Primer
Directory-enabled applications that store data in AD typically come with LDIF files that you can use to extend the schema. Figure 1 shows a sample LDIF file that extends the AD schema by creating a new attribute object and adding it to the User class.

The first LDIF entry in Figure 1, which callout A shows, creates an object that represents a new attribute called rallencorp-LanguagesSpoken. The first line of every LDIF entry begins with dn followed by the object's distinguished name (DN). The next line starts with changetype followed by one of three options: add (if you want to create an object), modify (if you want to modify an object), or delete (if you want to delete an object). When you select add, the rest of the lines in the entry set the object's attributes. These lines follow the format

attributeName: Value

where attributeName is the attribute's name and Value is the value that you want to assign to that attribute. For multivalued attributes, you specify the attribute multiple times. For example, the lines

description: My description 1
description: My description 2

set two values (i.e., My description 1 and My description 2) for the multivalued attribute named description. All LDIF entries end with a blank line.

The second LDIF entry in Figure 1, which callout B shows, is necessary to reload the schema cache. DCs maintain a copy of the schema on disk in the ntds.dit file and in memory in the schema cache. Whenever you add or modify the schema, the system immediately writes the changes to disk but doesn't update the schema cache for about 5 minutes. If you create an object, then reference it later, as I do in Figure 1, you must reload the schema cache or an error will occur.

Although the entry at callout B is only six lines long, it has several important characteristics worth discussing. You might have noticed that the dn line doesn't reference a DN. This omission isn't an error. A blank dn line equates to the RootDSE object, which you can use to retrieve the Schema container's DN (which I discuss how to do later). The changetype line specifies that I want to modify that object's attributes. The next line specifies the type of modify operation to perform. You can specify add (if you want to add a value to an attribute that isn't currently populated), replace (if you want to replace an attribute's current value with a new value), or delete (if you want to remove the attribute's current value). In this case, I'm adding a value to the schemaUpdateNow attribute, which is an operational attribute that dynamically reloads the schema cache. The fourth line assigns the value 1, which enables the schema cache reload. The fifth line contains a hyphen (-), which you must include in all modify entries. If you want to modify a different attribute of the same object, you simply place the information about that attribute's modify operation directly after the line containing the hyphen. In other words, you don't have to include the dn and changetype lines again. Web Figure 1 (http://www.winnetmag.com/windowsscripting, InstantDoc ID 41194) shows a sample LDIF entry that modifies two attributes of the same user object. If you don't want to modify any more attributes of an object, you simply add a blank line after the hyphen line to signify the end of the modify entry.

The last entry in Figure 1, which callout C shows, modifies the User class to include the new rallencorp-LanguagesSpoken object as part of the mayContain attribute. This entry is similar to the entry at callout B. When setting any attribute's value, you need to know its syntax. In this case, mayContain requires that you specify an lDAPDisplayName as its value.

You might have noticed that Figure 1 doesn't include an example of a delete entry. Unlike other types of objects, AD doesn't allow class and attribute object deletions.
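The three entries described above, parsed and then checked for the ordering problem the article warns about (a newly created attribute referenced in mayContain before the schema cache is reloaded). This is an added example written in Python rather than the article's Perl Net::LDAP code; the LDIF text, the DNs and the RootDSE modify entry are constructed from the description of Figure 1, not copied from it.

```python
SAMPLE = """\
dn: cn=rallencorp-LanguagesSpoken,cn=Schema,cn=Configuration,dc=rallencorp,dc=com
changetype: add
objectClass: attributeSchema
lDAPDisplayName: rallencorp-LanguagesSpoken

dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-

dn: cn=User,cn=Schema,cn=Configuration,dc=rallencorp,dc=com
changetype: modify
add: mayContain
mayContain: rallencorp-LanguagesSpoken
-
"""  # constructed sample mirroring the article's three entries; DNs are placeholders

def parse_ldif(text):
    """Yield (dn, changetype, ops); ops = [[op, attribute, [values]], ...]."""
    for block in text.strip().split("\n\n"):            # blank line ends an entry
        lines = [ln for ln in block.splitlines() if ln and not ln.startswith("#")]
        dn, changetype = (ln.split(":", 1)[1].strip() for ln in lines[:2])
        ops, cur = [], None                             # empty dn means RootDSE
        for line in lines[2:]:
            name, _, value = (s.strip() for s in line.partition(":"))
            if line == "-":                             # hyphen closes one modify op
                cur = None
            elif changetype != "modify":                # add entry: attr: value lines
                ops.append(["add", name, [value]])
            elif cur is None:                           # add:/replace:/delete: line
                ops.append(cur := [name, value, []])
            else:
                cur[2].append(value)
        yield dn, changetype, ops

def check_schema_order(entries):
    """Flag attributes created in this file and referenced before a schemaUpdateNow reload."""
    problems, fresh = [], set()          # fresh: created, cache not yet reloaded
    for i, (_dn, changetype, ops) in enumerate(entries, 1):
        for _op, attr, values in ops:
            if changetype == "add" and attr.lower() == "ldapdisplayname":
                fresh.update(values)
            elif attr.lower() == "schemaupdatenow":
                fresh.clear()
            elif attr.lower() in ("maycontain", "mustcontain"):
                problems += [f"entry {i}: {v} referenced before schema cache reload"
                             for v in values if v in fresh]
    return problems
```

Removing the RootDSE entry from SAMPLE makes check_schema_order report the reference in the User class entry, which is exactly the import that would fail against a DC.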

This review of LDIF was fairly quick. If you have questions about LDIF, you can check out RFC 2849 at http://www.faqs.org/rfcs/rfc2849.html. For information about the AD schema attributes and their syntax, go to http://msdn.microsoft.com/library/en-us/adschema/adschema/active_directory_schema.asp.

Installing Net::LDAP
Before I show you how to use the Net::LDAP modules to automate importing LDIF files, let's review how to install the modules. If you've set up the Comprehensive Perl Archive Network (CPAN) shell, you can install the modules from it by running the following two commands:

perl -MCPAN -e shell
install Net::LDAP

The CPAN shell requires quite a few programs to work correctly. Consequently, if you haven't set it up before, you might find directly downloading the Net::LDAP modules easier. You can find the latest Net::LDAP version and its online documentation on the Perl-LDAP Homepage (http://perl-ldap.sourceforge.net). If you're new to installing Perl modules, I recommend that you go to the "What To Do Once You've Downloaded A Module From The CPAN" Web page (http://www.cpan.org/modules/INSTALL.html) for instructions about how to install modules for your particular platform.
