How to Extend the Number of Attributes Associated with Entries

You can extend the number of attributes for entries. The method you use depends on whether the entries already exist.

For an existing entry, there are two ways to extend the attributes associated with it. One way is to add names of object classes to the list in the objectclass attribute for each entry. If your directory is relatively small, then this can be a desirable method because it enables searches for entries based on that attribute. However, if your directory is large, then entering the names of object classes to the objectclass attribute can be very painstaking. In this case, the second way, namely, using content rules, may be a more efficient way to extend the content of entries.

This section contains these topics:

• Extending the Number of Attributes Prior to Creating Entries in the Directory

• Extending the Number of Attributes for Existing Entries by Creating an Auxiliary Object Class

• Extending the Number of Attributes for Existing Entries by Creating a Content Rule

Extending the Number of Attributes Prior to Creating Entries in the Directory

At installation, Oracle Internet Directory provides standard LDAP object classes and several proprietary object classes. You cannot add mandatory attributes to the sets of attributes belonging to these predefined object classes. If a given object class does not contain all the attributes that you want for an entry, then you can do one of the following:

• Define a new (base) object class

• Define an object subclass

  See Also: Appendix B, "Oracle Internet Directory Schema Elements" for a list of object classes in the schema installed with Oracle Internet Directory About Object Class Management for instructions on how to define a new object class or object subclass

Extending the Number of Attributes for Existing Entries by Creating an Auxiliary Object Class

You can create an auxiliary object class containing the additional attributes you want for your entry, and then associate that auxiliary object class with the entry. You associate the auxiliary object class with the entry by specifying it in the objectclass attribute for the entry.

See Also: "About Object Class Management" for instructions on creating auxiliary object classes Chapter 7, "Directory Entries Administration" for instructions on associating an object class with an entry

Extending the Number of Attributes for Existing Entries by Creating a Content Rule

A content rule, following your specifications, determines the kind of content allowed in any entry that is associated with a particular structural object class. For example, you can specify that any entry associated with the person object class must have, in addition to the attributes in that object class, other attributes as well. The additional attributes can be those of an auxiliary object class, and they can be either mandatory or optional. You can also specify that such entries must not contain values for one or more particular attributes.

Whereas you must list auxiliary classes in the entry--which can be an administrative burden--you do not need to list content rules in the entry.

In addition to the structural object class to which it applies, a content rule can also indicate:

• Auxiliary object classes allowed for entries governed by the rule

• Mandatory attributes, in addition to those called for by the structural and auxiliary object classes, required for entries governed by the DIT content rule

• Optional attributes, in addition to those called for by the structural and auxiliary object classes, permitted for entries governed by the DIT content rule;

• Optional attributes from the entry's structural and auxiliary object classes that are precluded from appearing in entries governed by the rule

Rules for Creating and Modifying Content Rules

Content rules are defined as values of the DITContentRule attribute in the subschema subentry (cn=subschemasubentry). They must conform to these rules:

• The structural object class of the entry identifies the content rule applicable for the entry. If no content rule is present for a structural object class, then entries associated with that object class contain only the attributes permitted by the structural object class definition.

• Because a content rule is associated with a structural object class, all entries of the same structural object class have the same content rule regardless of the their location in the DIT

• The content of an entry must be consistent with the object classes listed in the objectClass attribute of that entry. More specifically:
  • Mandatory attributes of object classes listed in the objectClass attribute must always be present in the entry

  • Optional attributes of auxiliary object classes indicated by the content rule can also be present even if the objectClass attribute does not list these auxiliary object classes.

    See Also: "Managing Content Rules" for instructions on creating and managing content rules

Schema Enforcement When Using Content Rules

When validating an object for schema consistency, the directory server uses the content rule for the structural object class of the entry. It also uses all the other object classes listed in the entry.

If more than one content rule exists for an object class, then, when adding or modifying an entry, or when bulkloading data, the following rules apply.

• An entry can have attributes from all the auxiliary object classes listed in the various content rules. Not specifying an object class in the content rule does not restrict a client from explicitly adding an auxiliary object class in directory entries.

• An entry must contain values for all the mandatory attributes listed in:
  • The content rules

  • The object classes associated with the entry

  • The auxiliary object classes listed in the content rule applicable to the entry

• Optionally, an entry can contain values for any or all the optional attributes listed in:
  • The content rule

  • The object classes listed in the entry

  • The auxiliary object classes listed in the content rule applicable for the entry

• If any attribute is specified as mandatory, then it overrides any other definition that defines it as optional.

Searches for Object Classes Listed in Content Rules

Because the auxiliary object classes listed in content rules are not listed in the objectclass attribute for an entry, you cannot list those object classes as filters when you search for entries. Instead, base your searches on the structural object class that you are interested in. If you need to base your search on an auxiliary object class, then add that auxiliary object class to the objectclass attribute in the user objects explicitly.

For example, a content rule for structural object class inetOrgPerson may specify an auxiliary object class orclUser. However, this does not mean that every inetOrgPerson entry in the directory contains orclUser as a value of the objectclass attribute. As a result, the search with the filter objectclass=orclUser fails. Instead of querying for an auxiliary object class contained in the content rule, you should query for structural object classes--for example, objectclass=inetOrgPerson.

To base a search on objectclass=orcluser, add orclUser as one of the values of objectclass attribute in each entry.

These considerations apply also to filters used in access control policies. If you are using a content rule to associate additional auxiliary object classes, then use only the structural object classes in the search filters.

Managing Content Rules

This section tells you how to manage content rules by using Oracle Directory Manager and command-line tools.

Managing Content Rules by Using Oracle Directory Manager

This section tells you how to use Oracle Directory Manager to create and modify content rules.

Creating a Content Rule by Using Oracle Directory Manager

To create a content rule:

1. In the navigator pane, expand each of the following objects in succession: Oracle Internet Directory Servers and directory server instance.

2. Select Schema Management.

3. In the right pane, select the Content Rules tab.

4. Choose Create. The New Content Rule dialog box appears.

5. In the New Content Rule dialog box, enter values in the appropriate fields. These fields are described in Table C-30.

6. Choose OK.

Modifying a Content Rule by Using Oracle Directory Manager

To modify a content rule:

1. In the navigator pane, expand each of the following objects in succession: Oracle Internet Directory Servers and directory server instance.

2. Select Schema Management.

3. In the right pane, select the Content Rules tab.

4. Select the content rule you want to modify, then choose Edit. The Content Rule dialog box appears.

5. In the Content Rule dialog box, enter values in the appropriate fields. The fields for this dialog box are described in Table C-31

6. Choose OK.

Managing Content Rules by Using Command-Line Tools

The format of a content rule is:

DITContentRule  ::=  SEQUENCE  {

oids                                   ALPHA-NUMERIC-OID,
structuralObjectClass      OBJECT-CLASS,
LABEL                                  CONTENT-LABEL			OPTIONAL,
auxiliaries                            SET (1..MAX) OF OBJECT-CLASS	OPTIONAL,
mandatory                              SET (1..MAX) OF ATTRIBUTE		OPTIONAL,
optional                               SET (1..MAX) OF ATTRIBUTE		OPTIONAL,

Table 6-1 describes the parameters. Note that the attribute and object class names are case-insensitive.

Table 6-1  Content Rule Parameters

Parameter	Description
oids	A unique object identifier (oids) for the content rule similar to the one for an object class or attribute defintion.It can be either numeric or alphanumeric value as long as it is unique.
LABEL	The content label of the content rule as applied in the directory
structuralObjectClass	The structural object class to which the content rule applies
auxiliaries	The auxiliary object classes allowed for an entry to which the content rule applies
mandatory	User attribute types contained in an entry to which the content rule applies. These are in addition to those mandatory attributes that the entry contains as a result of its association with its specified structural and auxiliary object classes.
optional	User attribute types that may be contained in an entry to which the content rule applies. These are in addition to those that the entry may contain as a result of its association with its specified structural and auxiliary object classes.

During the process of defining a new content rule, the directory server validates the syntax and ensures that the attributes and object classes listed in the content rule have been defined in the directory.

Content rules can be specified for structural object classes only. The name of the object class is case-insensitive.

You can specify more than one content rule for each structural object class provided the content rules have different labels associated with them.

To modify an existing definition of a content rule, the client must first delete the existing definition and then add the new definition. Simple replacement of a content rule by using the replace command is not allowed.

To delete a content rule, the client needs to specify only the structural object class and the alphanumeric object identifier of the content rule. Optionally, the client can also specify the associated version of the content rule to be deleted.