cn=Directory Manager
All about Directory Server

Monday May 14, 2007

The OpenDS Virtual Attribute Subsystem

One of the key OpenDS components that makes virtual static groups possible is the virtual attribute subsystem. Virtual attributes are those attributes whose values are computed on the fly rather than actually being stored in the database. There are a number of uses for virtual attributes in the server, and there is an API (org.opends.server.api.VirtualAttributeProvider) that can be used to create new types of virtual attributes.

Some of the virtual attribute providers we have defined in OpenDS include:
  • The entryDN provider -- This is used to compute the entryDN operational attribute, which simply contains the DN of the entry (as defined in draft-zeilenga-ldap-entrydn).
  • The subschemaSubentry provider -- This is used to compute the subschemaSubentry operational attribute, which is used to specify the location of the schema governing the associated entry (as defined in RFC 4512).
  • The isMemberOf provider -- This is used to compute the isMemberOf attribute, which lists the DNs of the groups in which the associated user is a member.
  • The member provider -- This is used to compute the member or uniqueMember attribute for virtual static groups.
  • The user-defined provider -- This is used to allow users to define their own virtual attributes that will appear in entries based on a given set of criteria. More information about user-defined virtual attributes is provided below.

Virtual Attribute Configuration

Virtual attributes are configured below "cn=Virtual Attributes,cn=config". These entries need to have the ds-cfg-virtual-attribute object class, which requires the following attributes:
  • ds-cfg-virtual-attribute-class -- This specifies the class providing the virtual attribute logic.
  • ds-cfg-virtual-attribute-enabled -- This indicates whether the virtual attribute should be enabled so that it can generate values for the target entries.
  • ds-cfg-virtual-attribute-type -- This specifies the name of the attribute type for which the values will be generated.
  • ds-cfg-virtual-attribute-conflict-behavior -- This specifies how the server should behave if an entry already has one or more real values for an attribute that could be virtually generated. Allowed values are "real-overrides-virtual" (to indicate that only the real values should be used), "virtual-overrides-real" (to indicate that the real values should be ignored and only the virtual values should be used), and "merge-real-and-virtual" (in which both the real and virtual values will be used).

With only the above configuration attributes, the virtual attribute may be generated for all entries. If you wish to pare down the set of entries in which the virtual attribute may be present, you can use one or more of the additional configuration attributes (all of which are multivalued):
  • ds-cfg-virtual-attribute-base-dn -- This specifies the base DN(s) for the branches below which the virtual attribute may be used. If this is present, then only entries below one of the specified base DNs may include the virtual attribute.
  • ds-cfg-virtual-attribute-filter -- This specifies a search filter that may be used to control the entries in which the virtual attribute may be used. If this is present, then only entries matching at least one of the specified filters may include the virtual attribute.
  • ds-cfg-virtual-attribute-group-dn -- This specifies the DN(s) for the groups whose members will be allowed to have this virtual attribute. If this is present, then only user entries belonging to one of the specified groups may include the virtual attribute.
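To make the scoping and conflict rules concrete, here is an added Python model (example code written for this post, not part of OpenDS) that applies one ds-cfg-virtual-attribute definition to sample entries. It assumes simplified DN normalization (no escaped commas or multi-valued RDNs), supports only equality, &, | and ! filters, and treats the definition as enabled; the entries, the group membership and names such as VirtualAttribute, applies_to and effective_values are constructed for the example.

```python
# Added example (not OpenDS code): a model of the scoping rules and conflict behaviors above.
from dataclasses import dataclass, field


def normalize_dn(dn):
    # Assumption: no escaped commas or multi-valued RDNs, so this crude form suffices.
    return ",".join(rdn.strip().lower() for rdn in dn.split(","))


def split_components(text):
    """Split '(a=1)(b=2)' into its top-level parenthesised components."""
    parts, depth, start = [], 0, 0
    for i, ch in enumerate(text):
        depth += (ch == "(") - (ch == ")")
        if ch == "(" and depth == 1:
            start = i
        elif ch == ")" and depth == 0:
            parts.append(text[start:i + 1])
    return parts


def parse_filter(text):
    """Filter subset: (attr=value) plus &, | and ! combinations of those."""
    body = text.strip()[1:-1]
    if body[:1] in ("&", "|", "!"):
        return (body[0], [parse_filter(c) for c in split_components(body[1:])])
    attr, sep, value = body.partition("=")
    if not sep:
        raise ValueError("unsupported filter component: %r" % text)
    return ("=", attr.strip().lower(), value.strip().lower())


def matches(node, attrs):
    """Evaluate a parsed filter; attrs maps lower-cased names to value lists."""
    if node[0] == "=":
        return node[2] in [v.lower() for v in attrs.get(node[1], [])]
    results = [matches(child, attrs) for child in node[1]]
    return all(results) if node[0] == "&" else any(results) if node[0] == "|" else not results[0]


@dataclass
class VirtualAttribute:
    """The ds-cfg-virtual-attribute settings that drive value generation (assumed enabled)."""
    attr_type: str
    values: list
    conflict_behavior: str = "real-overrides-virtual"
    base_dns: list = field(default_factory=list)    # ds-cfg-virtual-attribute-base-dn
    filters: list = field(default_factory=list)     # ds-cfg-virtual-attribute-filter
    group_dns: list = field(default_factory=list)   # ds-cfg-virtual-attribute-group-dn


def applies_to(va, dn, attrs, groups):
    """Each scoping attribute that is present must be satisfied by at least one of its values."""
    ndn = normalize_dn(dn)
    if va.base_dns and not any(ndn == normalize_dn(b) or ndn.endswith("," + normalize_dn(b))
                               for b in va.base_dns):
        return False
    if va.filters and not any(matches(parse_filter(f), attrs) for f in va.filters):
        return False
    if va.group_dns:
        wanted = {normalize_dn(g) for g in va.group_dns}
        members = {normalize_dn(m) for g, ms in groups.items() if normalize_dn(g) in wanted for m in ms}
        if ndn not in members:
            return False
    return True


def effective_values(va, dn, attrs, groups):
    """Combine real and virtual values according to the configured conflict behavior."""
    real = list(attrs.get(va.attr_type.lower(), []))
    if not applies_to(va, dn, attrs, groups):
        return real
    if va.conflict_behavior == "real-overrides-virtual":
        return real or list(va.values)
    if va.conflict_behavior == "virtual-overrides-real":
        return list(va.values)
    if va.conflict_behavior == "merge-real-and-virtual":
        return real + [v for v in va.values if v not in real]
    raise ValueError("unknown conflict behavior: %r" % va.conflict_behavior)


def demo():
    """Constructed sample entries run against the two configurations shown in the post."""
    austin_zip = VirtualAttribute("postalCode", ["78727"], "real-overrides-virtual",
                                  base_dns=["ou=People,dc=example,dc=com"],
                                  filters=["(&(l=Austin)(st=Texas))"])
    admin_privs = VirtualAttribute("ds-privilege-name", ["config-read", "password-reset"],
                                   "merge-real-and-virtual",
                                   group_dns=["cn=Administrators,ou=Groups,dc=example,dc=com"])
    people = {  # constructed entries: dn -> attributes with lower-cased names
        "uid=alice,ou=People,dc=example,dc=com": {"l": ["Austin"], "st": ["Texas"]},
        "uid=bob,ou=People,dc=example,dc=com": {"l": ["Austin"], "st": ["Texas"],
                                                "postalcode": ["78701"], "ds-privilege-name": ["password-reset"]},
        "uid=carol,ou=People,dc=example,dc=com": {"l": ["Dallas"], "st": ["Texas"]},
        "uid=dave,ou=Contractors,dc=example,dc=com": {"l": ["Austin"], "st": ["Texas"]},
    }
    groups = {"cn=Administrators,ou=Groups,dc=example,dc=com": ["uid=bob,ou=People,dc=example,dc=com"]}
    return {name: {dn.split(",")[0]: effective_values(va, dn, a, groups) for dn, a in people.items()}
            for name, va in (("zip", austin_zip), ("privs", admin_privs))}
```

Calling demo() shows the four outcomes a practitioner wants to see: alice receives the virtual 78727, bob keeps his real 78701 because of real-overrides-virtual, carol fails the filter, dave is outside the base DN, and bob's merged privilege list contains password-reset only once.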

User-Defined Virtual Attributes

User-defined virtual attributes can be used to supply specific administrator-supplied values to entries matching the virtual attribute criteria. The net effect is essentially the same as what you can get using the Class of Service (CoS) capabilities of the Sun Java System Directory Server, but I think that the implementation and configuration are much more straightforward (although I may be a bit biased since I wrote the code).

In order to create a user-defined virtual attribute, add a new entry to the server configuration. It should contain the ds-cfg-user-defined-virtual-attribute object class (which extends the ds-cfg-virtual-attribute class and therefore takes all of the configuration attributes that it uses as described above), and it should also have at least one value for the ds-cfg-virtual-attribute-value attribute to specify the value that entries matching the criteria should be given. The ds-cfg-virtual-attribute-class should be set to "org.opends.server.extensions.UserDefinedVirtualAttributeProvider".

For example, the following configuration entry assigns a default postalCode value for everyone in the Austin office (although if they already have a postalCode value in their entry, it will be used instead of the virtual value):
dn: cn=Austin postalCode,cn=Virtual Attributes,cn=config
objectClass: top
objectClass: ds-cfg-virtual-attribute
objectClass: ds-cfg-user-defined-virtual-attribute
cn: Austin postalCode
ds-cfg-virtual-attribute-class: org.opends.server.extensions.UserDefinedVirtualAttributeProvider
ds-cfg-virtual-attribute-enabled: true
ds-cfg-virtual-attribute-type: postalCode
ds-cfg-virtual-attribute-value: 78727
ds-cfg-virtual-attribute-conflict-behavior: real-overrides-virtual
ds-cfg-virtual-attribute-base-dn: ou=People,dc=example,dc=com
ds-cfg-virtual-attribute-filter: (&(l=Austin)(st=Texas))

Note that because of the way virtual attributes are implemented in OpenDS, you can use them to supply values for pretty much any kind of attribute, including operational attributes. For example, you could use them to set the ds-pwp-password-policy-dn operational attribute to give users a custom password policy, ds-rlim-size-limit to define a custom size limit, or ds-privilege-name to assign one or more privileges. The following virtual attribute configuration entry gives a special set of privileges to everyone in the "Administrators" group:
dn: cn=Administrator Privileges,cn=Virtual Attributes,cn=config
objectClass: top
objectClass: ds-cfg-virtual-attribute
objectClass: ds-cfg-user-defined-virtual-attribute
cn: Administrator Privileges
ds-cfg-virtual-attribute-class: org.opends.server.extensions.UserDefinedVirtualAttributeProvider
ds-cfg-virtual-attribute-enabled: true
ds-cfg-virtual-attribute-type: ds-privilege-name
ds-cfg-virtual-attribute-value: modify-acl
ds-cfg-virtual-attribute-value: config-read
ds-cfg-virtual-attribute-value: config-write
ds-cfg-virtual-attribute-value: ldif-import
ds-cfg-virtual-attribute-value: ldif-export
ds-cfg-virtual-attribute-value: backend-backup
ds-cfg-virtual-attribute-value: backend-restore
ds-cfg-virtual-attribute-value: password-reset
ds-cfg-virtual-attribute-value: update-schema
ds-cfg-virtual-attribute-conflict-behavior: merge-real-and-virtual
ds-cfg-virtual-attribute-group-dn: cn=Administrators,ou=Groups,dc=example,dc=com
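Because a definition with no base DN, filter or group DN applies to every entry, a virtual attribute that injects ds-privilege-name or a password policy DN is worth checking on a regular basis. The following added Python script (written for this post, not OpenDS code) reads definitions from an LDIF export of the cn=Virtual Attributes,cn=config subtree, checks for the required attributes and conflict-behavior values described above, and flags sensitive operational attribute types that carry no scope at all. SAMPLE_LDIF reuses the two entries from this post (the privilege list shortened) plus a constructed misconfigured third entry; parse_ldif, audit_entry, audit and SENSITIVE_TYPES are this example's own names.

```python
# Added example (not OpenDS code): audit exported virtual attribute definitions.

REQUIRED = ("ds-cfg-virtual-attribute-class", "ds-cfg-virtual-attribute-enabled",
            "ds-cfg-virtual-attribute-type", "ds-cfg-virtual-attribute-conflict-behavior")
CONFLICT_BEHAVIORS = {"real-overrides-virtual", "virtual-overrides-real", "merge-real-and-virtual"}
SCOPING = ("ds-cfg-virtual-attribute-base-dn", "ds-cfg-virtual-attribute-filter",
           "ds-cfg-virtual-attribute-group-dn")
# Operational attributes the post names as candidates for virtual generation; a
# definition for one of these with no scoping applies to every entry in the server.
SENSITIVE_TYPES = {"ds-privilege-name", "ds-pwp-password-policy-dn", "ds-rlim-size-limit"}


def parse_ldif(text):
    """Minimal LDIF reader: blank-line-separated entries, folded lines, '#' comments.
    Base64 ('::') values are not decoded. Returns dicts of lower-cased name -> values."""
    entries, current, last = [], {}, None
    for raw in text.splitlines() + [""]:
        if raw.startswith("#"):
            continue
        if raw.startswith(" ") and last is not None:      # folded continuation line
            current[last][-1] += raw[1:]
            continue
        if not raw.strip():
            if current:
                entries.append(current)
            current, last = {}, None
            continue
        name, _, value = raw.partition(":")
        last = name.strip().lower()
        current.setdefault(last, []).append(value.strip())
    return entries


def audit_entry(entry):
    """Return the findings for one ds-cfg-virtual-attribute entry (empty list if clean)."""
    findings = []
    classes = {c.lower() for c in entry.get("objectclass", [])}
    if "ds-cfg-virtual-attribute" not in classes:
        return findings                                    # not a virtual attribute definition
    for attr in REQUIRED:
        if attr not in entry:
            findings.append("missing required attribute " + attr)
    for behavior in entry.get("ds-cfg-virtual-attribute-conflict-behavior", []):
        if behavior not in CONFLICT_BEHAVIORS:
            findings.append("unknown conflict behavior %r" % behavior)
    if ("ds-cfg-user-defined-virtual-attribute" in classes
            and not entry.get("ds-cfg-virtual-attribute-value")):
        findings.append("user-defined virtual attribute has no ds-cfg-virtual-attribute-value")
    attr_type = entry.get("ds-cfg-virtual-attribute-type", [""])[0].lower()
    if attr_type in SENSITIVE_TYPES and not any(entry.get(s) for s in SCOPING):
        findings.append(attr_type + " has no base DN, filter or group scope, so every entry would receive it")
    return findings


def audit(ldif_text):
    """Map each entry DN to its list of findings."""
    return {e["dn"][0]: audit_entry(e) for e in parse_ldif(ldif_text) if "dn" in e}


# Constructed sample: the post's two entries (privileges shortened) plus a broken third one.
SAMPLE_LDIF = """
dn: cn=Austin postalCode,cn=Virtual Attributes,cn=config
objectClass: top
objectClass: ds-cfg-virtual-attribute
objectClass: ds-cfg-user-defined-virtual-attribute
cn: Austin postalCode
ds-cfg-virtual-attribute-class: org.opends.server.extensions.UserDefinedVirtualAttributeProvider
ds-cfg-virtual-attribute-enabled: true
ds-cfg-virtual-attribute-type: postalCode
ds-cfg-virtual-attribute-value: 78727
ds-cfg-virtual-attribute-conflict-behavior: real-overrides-virtual
ds-cfg-virtual-attribute-base-dn: ou=People,dc=example,dc=com
ds-cfg-virtual-attribute-filter: (&(l=Austin)(st=Texas))

dn: cn=Administrator Privileges,cn=Virtual Attributes,cn=config
objectClass: top
objectClass: ds-cfg-virtual-attribute
objectClass: ds-cfg-user-defined-virtual-attribute
cn: Administrator Privileges
ds-cfg-virtual-attribute-class: org.opends.server.extensions.UserDefinedVirtualAttributeProvider
ds-cfg-virtual-attribute-enabled: true
ds-cfg-virtual-attribute-type: ds-privilege-name
ds-cfg-virtual-attribute-value: config-read
ds-cfg-virtual-attribute-value: password-reset
ds-cfg-virtual-attribute-conflict-behavior: merge-real-and-virtual
ds-cfg-virtual-attribute-group-dn: cn=Administrators,ou=Groups,dc=example,dc=com

dn: cn=Unscoped Privileges,cn=Virtual Attributes,cn=config
objectClass: top
objectClass: ds-cfg-virtual-attribute
objectClass: ds-cfg-user-defined-virtual-attribute
cn: Unscoped Privileges
ds-cfg-virtual-attribute-class: org.opends.server.extensions.UserDefinedVirtualAttributeProvider
ds-cfg-virtual-attribute-enabled: true
ds-cfg-virtual-attribute-type: ds-privilege-name
ds-cfg-virtual-attribute-value: config-write
"""
```

Running audit(SAMPLE_LDIF) reports the two entries from the post as clean, while the constructed third entry is flagged twice: it lacks the required ds-cfg-virtual-attribute-conflict-behavior, and it would hand config-write to every entry in the server because it carries no scope. Feed the script an LDIF export of the subtree to check a real configuration; values that LDIF base64-encodes (the :: form) are not decoded by this minimal reader.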
Posted by cn_equals_directory_manager (May 14 2007, 01:31:47 PM CDT)
