An LDAP server should maintain a schema directory. Below are base DNs to search based on the server vendor.
Microsoft Active Directory (AD):
    CN=Schema,CN=Configuration,DC=example,DC=com

OpenDS, Oracle Directory Server Enterprise Edition (ODSEE), Oracle Unified Directory (OUD):
    cn=schema

OpenLDAP:
    cn=subschema

Oracle Internet Directory (OID):
    cn=subschemasubentry
For ODSEE, the command below retrieves all attributes in cn=schema. The '*' requests the user attributes and the '+' requests the operational attributes, which is where the schema definitions are held; an explicit match-all filter is given because this ldapsearch expects the filter as its first positional argument.

ldapsearch \
  -b 'cn=schema' \
  -s base \
  '(objectClass=*)' \
  '*' +
Depending on the server, the results may look something like those given below.
dn: cn=schema
objectClass: top
objectClass: ldapSubentry
objectClass: subschema
cn: schema
attributeTypes: ( 2.16.840.1.113730.3.1.364 NAME 'nsMCSmtpUseSSL' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape Mission Control Desktop - Mail' )
...
objectClasses: ( 2.5.6.0 NAME 'top' DESC 'Standard LDAP objectclass' ABSTRACT MUST objectClass X-ORIGIN 'RFC 2256' )
...
matchingRules: ( 2.5.13.5 NAME 'caseExactMatch' DESC 'Case Exact Matching on Directory String [defined in X.520]' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
...
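The attributeTypes and objectClasses values above follow the RFC 4512 definition syntax, and real ldapsearch output folds long values onto continuation lines. The parser below is an added example, not code from the original page: it unfolds the LDIF, tokenizes each definition and indexes it by NAME so the schema can be audited programmatically. The sample LDIF is constructed in the shape of the output above; the 'account' class is the RFC 4524 definition, added to exercise a MAY list.

```python
import re

# Constructed sample in the shape of the cn=schema output above, including LDIF
# line folding (continuation lines start with one space); the 'account' class
# is the RFC 4524 definition, added here to exercise a MAY list.
SAMPLE_SCHEMA_LDIF = """\
dn: cn=schema
attributeTypes: ( 2.16.840.1.113730.3.1.364 NAME 'nsMCSmtpUseSSL' DESC 'Netscape
  defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape M
 ission Control Desktop - Mail' )
objectClasses: ( 2.5.6.0 NAME 'top' DESC 'Standard LDAP objectclass' ABSTRACT MUST objectClass X-ORIGIN 'RFC 2256' )
objectClasses: ( 0.9.2342.19200300.100.4.5 NAME 'account' SUP top STRUCTURAL MUST uid MAY ( description $ seeAlso $ l $ o $ ou $ host ) )
"""
# RFC 4512 keywords that take no value, and the tokenizer: quoted string | ( ) $ | bare word
FLAGS = {"ABSTRACT", "STRUCTURAL", "AUXILIARY", "OBSOLETE", "SINGLE-VALUE",
         "COLLECTIVE", "NO-USER-MODIFICATION"}
TOKEN_RE = re.compile(r"'[^']*'|[()$]|[^\s()$']+")

def parse_definition(definition):
    """Parse one attributeTypes/objectClasses value into a dict:
    keyword -> value, '( a $ b )' -> list of values, bare flag -> True."""
    toks = TOKEN_RE.findall(definition)
    if len(toks) < 3 or toks[0] != "(" or toks[-1] != ")":
        raise ValueError("definition must be parenthesised: " + definition)
    toks, i = toks[1:-1], 1
    out = {"oid": toks[0]}  # the numeric OID always comes first
    while i < len(toks):
        key = toks[i]
        if key in FLAGS:
            out[key], i = True, i + 1
        elif i + 1 < len(toks) and toks[i + 1] == "(":  # parenthesised list
            end = toks.index(")", i + 1)
            out[key] = [t.strip("'") for t in toks[i + 2:end] if t != "$"]
            i = end + 1
        elif i + 1 < len(toks):  # single (possibly quoted) value
            out[key], i = toks[i + 1].strip("'"), i + 2
        else:
            raise ValueError("keyword without a value: " + key)
    return out

def schema_from_ldif(text):
    """Index the attributeTypes/objectClasses in ldapsearch LDIF output by NAME."""
    schema = {"attributeTypes": {}, "objectClasses": {}}
    for line in text.replace("\n ", "").splitlines():  # unfold continuation lines
        attr, sep, val = line.partition(": ")
        if sep and attr in schema:
            parsed = parse_definition(val)
            name = parsed.get("NAME", parsed["oid"])
            schema[attr][name if isinstance(name, str) else name[0]] = parsed
    return schema
```

Feed it the saved output of the ldapsearch command above (schema_from_ldif(open("schema.ldif").read())) to list, for example, every objectClass that MAY contain a given attribute.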
AD also represents each schema entity as a child entry of the schema container. The command below retrieves the classSchema entry for the class whose cn is account.

ldapsearch \
  -b 'CN=Schema,CN=Configuration,DC=example,DC=com' \
  -s one \
  '(&(objectClass=classSchema)(cn=account))' \
  '*' +
Depending on the server, the results may look something like those given below.
dn: CN=account,CN=Schema,CN=Configuration,DC=example,DC=com
objectClass: top
objectClass: classSchema
cn: account
distinguishedName: CN=account,CN=Schema,CN=Configuration,DC=example,DC=com
instanceType: 4
whenCreated: 20040127190036.0Z
whenChanged: 20160113010716.0Z
possSuperiors: container
possSuperiors: organizationalUnit
uSNCreated: 6054
subClassOf: top
governsID: 0.9.2342.19200300.100.4.5
mayContain: description
mayContain: seeAlso
mayContain: l
mayContain: o
mayContain: ou
mayContain: host
mayContain: uid
rDNAttID: cn
uSNChanged: 6054
showInAdvancedViewOnly: TRUE
adminDisplayName: account
adminDescription: The account object class is used to define entries representing computer accounts.
objectClassCategory: 1
lDAPDisplayName: account
name: account
objectGUID:: yYGc4C87qEqNw5yBm8z4KA==
schemaIDGUID:: aqQoJq2m4Eq4VCsS2f5vng==
systemOnly: FALSE
defaultSecurityDescriptor: D:(A;;RPWPCRCCDCLCLOLORCWOWDSDDTDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPLCLORC;;;AU)
defaultHidingValue: TRUE
objectCategory: CN=Class-Schema,CN=Schema,CN=Configuration,DC=example,DC=com
defaultObjectCategory: CN=account,CN=Schema,CN=Configuration,DC=example,DC=com
dSCorePropagationData: 20170526181849.0Z
dSCorePropagationData: 16010101000001.0Z