Schema element definitions may include zero or more extensions, which are textual elements that may provide additional information about that element, and in some cases may describe additional functionality or constraints associated with that element.
If a schema element definition includes one or more extensions, then each extension must have the following format:
- One or more spaces to separate the extension from other components in the schema element definition.
- The name of the extension. The name must start with “X-”, and the remainder of the name may contain only ASCII letters (uppercase and/or lowercase), hyphens, and/or underscores.
- One or more spaces to separate the extension name from its value(s).
- The value(s) for the extension. This may take either of the following forms:
  - A single quote, followed by the text for the value, and another single quote. This format is only allowed for extensions with a single value.
  - An open parenthesis, zero or more spaces, the first extension value surrounded by single quotes, an optional set of additional extension values where each is preceded by at least one space and includes the value surrounded by single quotes, zero or more spaces, and a close parenthesis. This format is allowed for extensions that have one or more values.
Each extension value must contain one or more UTF-8 characters, with any single quote characters escaped as “\27” and any backslash characters escaped as “\5c”. Extension values cannot be empty strings, and all extensions must have at least one value.
LDAP does not define any standard schema extensions, but many directory servers accept any properly formatted extension as a means of annotating the schema element. For example, one of the most commonly used extension types is “X-ORIGIN”, which is typically used to indicate the source of the associated schema element, and the string “X-ORIGIN 'RFC 4519'” might be used to indicate that the associated schema element is defined in RFC 4519.
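The format rules above can be enforced with a strict parser that rejects anything malformed before a schema definition is loaded. The following Python sketch is an added example, not code from any directory server; the function name `parse_extensions`, the sample string and the extension name X-NOTE are constructed for illustration, and the input is assumed to be only the extensions portion of a definition.

```python
import re

# One quoted value: non-empty, with ' written as \27 and \ written as \5c
# (or \5C). Any other use of a backslash makes the value invalid.
QDSTRING = r"'(?:[^'\\]|\\27|\\5[cC])+'"

# Leading space(s), the X- name, space(s), then a single quoted value or a
# parenthesized list of one or more quoted values separated by spaces.
EXTENSION = re.compile(
    r" +(?P<name>X-[A-Za-z_-]+) +"
    rf"(?:(?P<single>{QDSTRING})|\( *(?P<multi>{QDSTRING}(?: +{QDSTRING})*) *\))"
)


def _unescape(quoted):
    """Strip the surrounding quotes and decode the \\27 and \\5c escapes."""
    return re.sub(
        r"\\(27|5[cC])",
        lambda m: "'" if m.group(1) == "27" else "\\",
        quoted[1:-1],
    )


def parse_extensions(text):
    """Return {extension name: [values]}; raise ValueError if malformed."""
    text = text.rstrip(" ")  # tolerate spaces before the definition's ")"
    result = {}
    pos = 0
    while pos < len(text):
        m = EXTENSION.match(text, pos)
        if m is None:
            raise ValueError(
                f"malformed extension at offset {pos}: {text[pos:pos + 30]!r}"
            )
        if m.group("single"):
            quoted = [m.group("single")]
        else:
            quoted = re.findall(QDSTRING, m.group("multi"))
        result[m.group("name")] = [_unescape(q) for q in quoted]
        pos = m.end()
    return result


if __name__ == "__main__":
    # Constructed sample input covering both value forms and both escapes.
    sample = r" X-ORIGIN 'RFC 4519' X-ALLOWED-VALUE ( 'red' 'green' ) X-NOTE 'it\27s a \5c'"
    for name, values in parse_extensions(sample).items():
        print(name, values)
```

Empty values, empty parenthesized lists, names containing digits and stray backslashes all raise `ValueError` rather than being silently accepted.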
Some directory servers may use certain extensions to describe additional constraints for the schema element that the normal LDAP syntax doesn’t support. For example, the Ping Identity Directory Server defines a number of different extension types that allow you to enforce constraints on the types of values that may be included in those attributes. Some of those extensions include:
- X-ALLOWED-VALUE: Specifies the set of values that attributes of that type will be allowed to have.
- X-APPROX: Specifies the name or OID of the approximate matching rule that should be used in conjunction with the specified attribute type.
- X-MAX-INT-VALUE: Specifies the maximum integer value that attributes of that type will be allowed to have.
- X-MAX-VALUE-COUNT: Specifies the maximum number of values that attributes of that type will be allowed to have.
- X-MAX-VALUE-LENGTH: Specifies the maximum number of UTF-8 characters that values of attributes of that type will be allowed to have.
- X-MIN-INT-VALUE: Specifies the minimum integer value that attributes of that type will be allowed to have.
- X-MIN-VALUE-COUNT: Specifies the minimum number of values that attributes of that type will be allowed to have.
- X-MIN-VALUE-LENGTH: Specifies the minimum number of UTF-8 characters that values of attributes of that type will be allowed to have.