Dereferencing Alias Entries

Because entries sometimes have distinguished names that are fairly long and cumbersome, Oracle Internet Directory makes it easier to administer them by using alias objects. When someone looks up--that is, references--an object by using an alias, the alias is dereferenced, and what is returned is the object to which the alias points. For example, the alias, Server1, can be dereferenced so that it points to the fully qualified DN--namely, dc=server1,dc=us,dc=myCompnay,dc=com. This feature also enables you to devise structures that are not strictly hierarchical.

This section provides examples of how to add, search for, and modify alias entries, and it includes a list of messages. It contains these topics:

• About Alias Entries

• Examples: Using Alias Entry Dereferencing

• Success and Error Messages

About Alias Entries

An alias entry uses the object class alias to distinguish it from object entries in a directory. The definition of that object class is as follows:

(2.5.6.1 NAME 'alias' SUP top STRUCTURAL MUST aliasedObjectName)

An alias entry also contains the aliasedObjectName attribute that, in turn, contains the DN of the object to which it is pointing. The definition of that attribute is as follows:

(2.4.5.1 NAME 'aliasedObjectName" EQUALITY distinguishedNmameMatch SYNTAX 
1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE)

Figure 5-2 and the accompanying text provides an example of alias entry dereferencing.

Figure 5-2 Alias Entries Example

Text description of the illustration oidag065.gif

In Figure 5-2, ou=uk sales,ou=global sales,o=myCompany,c=us is an alias entry pointing to the ou=sales,o=myCompany,c=uk entry.

When anyone references ou=uk sales,ou=global sales,o=oracle,c=us, the directory server automatically reroutes them to the real entry, ou=sales,o=oracle,c=uk.

Examples: Using Alias Entry Dereferencing

This section contains these examples:

• Example: Adding an Alias Entry

• Examples: Searching the Directory with Alias Entries

• Example: Searching One-Level

• Example: Searching a Subtree

• Example: Modifying Alias Entries

Example: Adding an Alias Entry

To add an alias entry, you create a normal entry in LDIF and an alias entry pointing to the real entry. Following the steps in this example produces the tree in Figure 5-3.

1. Create a sample LDIF file, My_file.ldif, with the following entries:

   dn: c=us
   c: us
   objectclass: country
   
   dn: o=oracle, c=us
   o: oracle
   objectclass:organization
   
   dn: ou=Area1, c=us
   objectclass: alias
   aliasedObjectName: o=oracle, c=us
   
   dn: cn=John Doe, o=oracle, c=us
   cn: John Doe
   objectclass: person
   
   dn: cn=President, o=oracle, c=us
   objectclass: alias
   aliasedobjectname:  cn=John Doe, o=oracle, c=us
   
   

2. Add these entries to the directory by using the following command:

   ldapadd -p port -h host -f  My_file.ldif
   
   

   Note: When you add an alias entry whose parent is an alias entry, the directory server returns an error.

   See Also:  Entry Alias Dereferencing Messages for error messages

Figure 5-3 Resulting Tree when Creating the My_file.ldif

Text description of the illustration oidag064.gif

In Figure 5-3, the letter A represents an alias entry, where:

• ou=Area1 is an alias pointing to o=MyCompany

• cn=President is an alias pointing to cn=John Doe

Examples: Searching the Directory with Alias Entries

In each search you specify, there are flags you can set. The search is performed based on the flag you specify.

The flags pertaining to alias dereferencing are -a never and -a find.

By default, the dereference flag in ldapsearch is -a never and thus the directory server does not perform any dereferencing for alias entries.

Example: Searching the Base

A base search finds the top level of the alias entry you specify.

This example shows a base search of ou=Area1,c=us with a filter of "objectclass=*" with the dereferencing flag set to -a find.

ldapsearch -p port -h host -b "ou=Area1,c=us"  -a find -s base "objectclass=*" 

The directory server, during the base search, looks up the base specified in the search request and returns it to the user. However, if the base is an alias entry and, as in the example, -a find is specified in the search request, then the directory server automatically dereferences the alias entry and returns the entry it points to. In this example, the search dereferences ou=Area1,c=us, which is an alias entry, and returns o=MyCompany,c=us.

Example: Searching One-Level

A one-level search finds only the child to the base level you specify.

This example shows a one-level search of "ou=Area1,c=us" with a filter of "objectclass=*" with the dereferencing flag set to -a find.

ldapsearch -p port -h host -b "ou=Area1,c=us"  -a find -s one "objectclass=*"

The directory server performs the search in two steps.

1. It searches for the base that is specified in the search request.

2. When it locates the base, it looks up all one-level entries under this base and returns entries that match the filter criteria.

In the example, -a find is specified in the search request, and thus the directory server automatically dereferences while looking up the base (the first step), but does not dereference alias entries that are one level under the base. Therefore, the search dereferences ou=Area1,c=us, which is an alias entry, and then looks up one-level entries under o=MyCompany,c=us. One of the one-level entries is cn=President,o=MyCompany,c=us that is not dereferenced and is returned as is.

Thus, the search returns cn=President,o=MyCompany,c=us and cn=John Doe,o=MyCompany,c=us.

Example: Searching a Subtree

A subtree search finds the base, children, and grand children.

This example shows a subtree search of "ou=Area1,c=us" with a filter of "objectclass=*" with the dereferencing flag set to -a find.

ldapsearch -p port -h host -b "ou=Area1,c=us" -a find -s one "objectclass=*" 

The directory server performs the search in two steps.

1. It searches for the base that is specified in the search request.

2. When it locates the base, then it looks up all entries under this base and returns entries that match the filter criteria.

In the example, -a find is specified in the search request, and thus the directory server automatically dereferences while looking up the base (the first step), but does not dereference alias entries that are under the base. Therefore, the search dereferences ou=Area1,c=us, which is an alias entry, and then looks up entries under o=MyCompany,c=us. One of the entries is cn=President,o=MyCompany,c=us that is not dereferenced and is returned as is.

Thus, the search returns:

• o=MyCompany,c=us

• cn=john doe,o=MyCompany,c=us

• cn=President,o=MyCompany,c=us

Example: Modifying Alias Entries

This example shows how to modify alias entries. It creates a sample LDIF file, My_file.ldif with following entries:

dn: cn=President, o=MyCompany, c=us
changetype : modify
replace: aliasedobjectname
aliasedobjectname:  cn=XYZ, o=MyCompany, c=us

Modify the alias entry using the following command:

ldapmodify -p port -h host -f My_file.ldif

Success and Error Messages

The following messages are returned when encountering the alias issue in the description column.

Table 5-2  Entry Alias Dereferencing Messages

Message	Meaning
Alias Problem	Either of the following have occurred: An alias was dereferenced, but it did not point to an entry in the DIT The user tries to add an alias entry whose parent is an alias
Alias Dereferencing Problem	The user cannot dereference an alias because of access control issues.
No Such Object	The server cannot find the base DN specified in the search request.
Invalid DN Syntax	When adding or modifying an alias entry, if the value specified for aliasedObjectName has invalid DN syntax, then the directory server returns this error message to the client.
Success	The client operation successfully completes. When the dereferenced target does exist but does not match the filter specified in the search request, the server returns a success message with no matched entry.
Insufficient Access Rights	The user does not have access to the dereferenced entry.