Sun Java System Directory Server Enterprise Edition 6.0 Administration Guide

Joining Multiple Disparate Data Sources

This configuration describes an organization, Example.com, whose specific directory service requirements are met by some of the features of a virtual directory.

Data Storage Scenario

Example.com stores organizational data in multiple disparate data sources. For legacy reasons, user data is spread across an LDAP directory, a flat LDIF file, and an SQL database. The HR department stores user data in an LDAP directory, with a base DN of o=example.com. The Payroll department stores data in an SQL database. Administrative data such as departments and building numbers is stored by the administration department in an LDIF file, with a base DN of dc=example,dc=com.

In addition, Example.com has acquired a company named Company22. Company 22 also stores its user data in an LDAP directory, with a base DN of dc=company22,dc=com.

The following diagram provides a high level view of how Example.com's user data is stored.

Figure 24–2 Data Storage In Disparate Sources

Figure shows how Example.com's user data is stored in
disparate data sources

Client Application Requirements

Example.com has several LDAP client applications that require access to the data stored in the disparate data sources. The requirements of the client applications are not all the same. Different views of the data are required. In some cases, the clients require the data to be aggregated. In addition, some client applications require access to Company22's user data so that these new employees of Example.com can be administered along with the old employees.

The following diagram provides a high level view of Example.com's client application requirements.

Figure 24–3 Client Application Requirements

Figure shows the requirements of Example.com's LDAP applications

The following sections walk you through sufficient configuration Directory Proxy Server data views to meet the client application requirements described in this sample scenario. For information about how data views work, see Chapter 22, Directory Proxy Server LDAP Data Views, in Sun Java System Directory Server Enterprise Edition 6.0 Reference and Chapter 23, Virtual Data Views, in Sun Java System Directory Server Enterprise Edition 6.0 Reference.

The configuration of the sample scenario is divided into the following sections:

Aggregate Data From the HR LDAP Directory and the Administration LDIF File

The HR department stores information such as employee names, job start data, and job level. The administration department stores additional data such as building codes and office numbers. The client application that handles the HR data requires access to the combined data from both sources. Both data sources have a common attribute, the employeeNumber that exists in each entry.

The following diagram illustrates the requirements of the client application.

Figure 24–4 Aggregation of Data From LDAP Directory and LDIF File

Figure shows a join view of an LDAP directory and an
LDIF file

To fulfill this application requirement, a data view is created for the payroll directory and for the administration LDIF file. These two data views are then joined to provide access to the aggregated data. This common attribute enables Directory Proxy Server to aggregate the data for each user.

For simplicity, the commands used in this section assume the following information:

To obtain the complete syntax of each command, run the command without any options. For example:

$ dpconf create-ldap-data-view
Operands are missing
Usage: dpcfg create-ldap-data-view VIEW_NAME POOL_NAME SUFFIX_DN

ProcedureCreate and Enable an LDAP Data View for the Payroll Directory

  1. Create an LDAP data source for the payroll directory.

    $ dpconf create-ldap-data-source payroll-directory payrollHost:2389
  2. Create an LDAP data source pool for the payroll directory.

    $ dpconf create-ldap-data-source-pool payroll-pool
  3. Attach the payroll data source to the data source pool.

    $ dpconf attach-ldap-data-source payroll-pool payroll-directory
  4. Create an LDAP data view for the payroll directory.

    $ dpconf create-ldap-data-view payroll-view payroll-pool o=example.com
  5. Enable the LDAP data view so that client requests can be routed to this data view.

    $ dpconf set-ldap-data-view-prop payroll-view is-enabled:true
  6. Restart Directory Proxy Server for the changes to take effect.

    $ dpadm restart /local/myDPS

ProcedureCreate and Enable an LDIF Data View for the Administration Data

  1. Create an LDIF data view for the administration data.

    $ dpconf create-ldif-data-view admin-view example.ldif dc=example,dc=com
  2. Enable the LDIF data view for the administration data.

    $ dpconf set-ldif-data-view-prop admin-view is-enabled:true
  3. Specify that the admin view contains entries that are used by more than one entry in the payroll view.

    $ dpconf set-ldif-data-view-prop admin-view contains-shared-entries:true

    When this property is set to TRUE, deleting an entry in the payroll data view will not result in the deletion of the shared entry in the admin data view. Adding an entry to the payroll data view will only add the entry to the secondary data view if it does not already exist.

  4. Restart Directory Proxy Server for the changes to take effect.

    $ dpadm restart /local/myDPS

ProcedureJoin the Payroll Data View and the Admin Data View

  1. Create a filter join rule on the admin data view that specifies how the data should be aggregated.

    The following join rule specifies that data should be joined based on the employeeNumber attribute of the user entry.

    $ dpconf set-ldif-data-view-prop admin-view filter-join-rule:'employeeNumber=\${payroll-view.employeeNumber}'
  2. Create a join data view that aggregates the two data views.

    For the join data view, the organization uses the suffix DN dc=example,dc=com.

    $ dpconf create-join-data-view example-join-view payroll-view admin-view dc=example,dc=com

Add Data From Company 22 to Example.Com's DIT by Renaming the DN

The user data for Company 22 is stored under the DN dc=company22,dc=com. While Example.com wants to keep this user data separate in most cases, one client application needs to administer Company 22 employees along with the rest of the Example.com employees. This client application requires Company 22's user data to look like Example.com data.

The following diagram illustrates the requirements of the client application.

Figure 24–5 DN Renaming

Figure shows rename a DN to add data to a DIT

To fulfill this application requirement, a data view with a virtual DN of dc=example,dc=com is created for the Company 22's directory.

For simplicity, the commands used in this section assume the following information:

ProcedureCreate a Data View For Company 22's Directory With a Virtual DN

  1. Create an LDAP data source for Company 22's directory.

    $ dpconf create-ldap-data-source company22-directory company22Host:2389
  2. Create an LDAP data source pool for Company 22's directory.

    $ dpconf create-ldap-data-source-pool company22-pool
  3. Attach Company 22's data source to the data source pool.

    $ dpconf attach-ldap-data-source company22-pool company22-directory
  4. Create an LDAP data view for Company 22's directory with a virtual DN of dc=example,dc=com.

    $ dpconf create-ldap-data-view company22-view company22-pool dc=example,dc=com
  5. Instruct Directory Proxy Server to map this virtual DN to the real DN that is in Company 22's directory.

    $ dpconf set-ldap-data-view-prop company22-view dn-mapping-source-base-dn:dc=company22,dc=com
  6. Enable the LDAP data view for Company 22's directory so that client requests can be routed to this data view.

    $ dpconf set-ldap-data-view-prop company22-view is-enabled:true
  7. Restart Directory Proxy Server for the changes to take effect.

    $ dpadm restart /local/myDPS

Add Company 22's Data to the HR Data

The HR department requires an aggregated view of the HR data for Example.com and the newly acquired Company 22. The following diagram illustrates the requirements of the global HR application.

Figure 24–6 Aggregation of Data From Join Data View and LDAP Data View

Figure shows a complex join view of an LDAP directory
and another join view

ProcedureJoin the Example Join Data View and the Company 22 Data View

  1. Create a filter join rule on the Company 22 data view that specifies how the data should be aggregated.

    The following join rule specifies that data should be joined based on the employeeNumber attribute of the user entry.

    $ dpconf set-ldif-data-view-prop company22-view filter-join-rule:'employeeNumber=\${example-join-view.employeeNumber}'
  2. Create a join data view that aggregates Company 22's data view and Example.com's join data view.

    $ dpconf create-join-data-view global-join-view example-join-view company22-view dc=example,dc=com

Enable LDAP Clients to Access the Payroll Data in an SQL Database

Example.com's payroll department stores salary data in an SQL database. The database has two tables, and employee table and a salary table. Example.com has an LDAP client application that requires access to that data. The client application requires the SQL data to look like LDAP data.

The following diagram illustrates the requirements of the client application.

Figure 24–7 JDBC Dataview Providing Access to an SQL Database

Figure shows JDBC data view providing access to an SQL
datbase

To fulfill this application requirement, a JDBC data view is created that maps columns in the SQL tables to LDAP attributes.

For simplicity, the commands used in this section assume the following information:

ProcedureCreate a JDBC Data View For Example.com's Payroll Database

  1. Create a JDBC data source for the payroll database.

    $ dpconf create-jdbc-data-source payroll-src myPassword
  2. Configure the JDBC data source with the properties of the SQL database.

    $ dpconf set-jdbc-data-source-prop payroll-src db-user:proxy
      db-pwd:myPassword
      db-url:jdbc:payrollsqldb:payrollsql://localhost
      driver-url:file://payrollsqldb.jar
      driver-class:org.payrollsqldb.jdbcDriver
      
  3. Enable the JDBC data source.

    $ dpconf set-jdbc-data-source-prop payroll-src is-enabled:true
  4. Create a JDBC data source pool for the payroll database.

    $ dpconf create-jdbc-data-source-pool payroll-pool
  5. Attach the payroll data source to the data source pool.

    $ dpconf attach-jdbc-data-source payroll-pool payroll-src
  6. Create a JDBC data view for the payroll database, with a virtual DN of o=payroll.

    $ dpconf create-jdbc-data-view payroll-view payroll-pool o=payroll
  7. Create a JDBC table for each table in the SQL database.

    $ dpconf create-jdbc-table jdbc-employee employee
    $ dpconf create-jdbc-table jdbc-salary salary
  8. Add a JDBC attribute for each column in the SQL tables.

    $ dpconf add-jdbc-attr jdbc-employee eid employee_id
    $ dpconf add-jdbc-attr jdbc-employee first firstname
    $ dpconf add-jdbc-attr jdbc-employee last lastname
    $ dpconf add-jdbc-attr jdbc-employee description description
    $ dpconf add-jdbc-attr jdbc-employee spouse spousename
    $ dpconf add-jdbc-attr jdbc-salary salary salary
    $ dpconf add-jdbc-attr jdbc-salary social ssn
  9. Specify which attributes can be viewed and which can be written, through the JDBC data view.

    $ dpconf set-jdbc-data-view-prop payroll-view \
     viewable-attr:eid
     viewable-attr:first
     viewable-attr:last
     viewable-attr:desc
     viewable-attr:spouse
     viewable-attr:salary
     viewable-attr:social 
     $ dpconf set-jdbc-data-view-prop payroll-view \
     writable-attr:eid
     writable-attr:first
     writable-attr:last
     writable-attr:description
     writable-attr:spouse
     writable-attr:salary
    writable-attr:social
  10. Create a JDBC object class that maps to an LDAP object class.

    The following command creates an object class that maps to the LDAP person object class. The object class specifies that the employee table should be used as the primary table, and that the salary table should be used as the secondary table. The eid attribute should be used to construct the DN.

    $ dpcfg create-jdbc-object-class payroll-view \
     person jdbc-employee jdbc-salary eid
  11. Create a filter join rule on the secondary table that specifies how data from the secondary table should be linked to data from the primary table.

    The following join rule specifies that data should be joined based on the employee_id attribute.

    $ dpconf set-jdbc-table-prop jdbc-salary filter-join-rule:'employee_id=\${employee.employee_id}'
  12. Create a super class on the JDBC object class.

    $ set-jdbc-object-class-prop payroll-view person super-class:extensibleObject

Add Virtual Access Control

Access control on LDAP directories is handled by defining ACIs in the directories themselves. When data sources are accessed through virtual data views, ACIs must be defined that apply only to the data viewed through these data views.

Any access that goes through Directory Proxy Server is controlled by a connection handler. For information about connection handlers, see .

ProcedureAdd an ACI That Allows Anonymous Access

  1. Add the ACI.

    $ ldapadd -v -D "cn=proxy manager" -w password -p 389
    dn: cn=ldifonly-acis,cn=virtual access controls
    objectclass: top
    objectclass: aciSource
    cn: ldifonly-acis
    dpsaci: (targetattr="*")(version 3.0; acl "anonymous_access"; allow(all) (userdn="ldap:///anyone");)
  2. Point the connection handler to the virtual ACI.

    $ dpconf set-connection-handler-prop anonymous aci-source:ldifonly-acis
  3. Enable the connection handler.

    $ dpconf set-connection-handler-prop anonymous is-enabled:true