Sun Directory Services 3.1 Administration Guide

Aliasing

You can define an alias entry. An alias entry is identified by a distinguished name (DN). It contains the name of the directory entry it represents (the aliased object name). The alias entry and the entry it represents must be under the same root entry. For the full definition of the alias object class, refer to "Object Class Reference".

For bind and search operations, you can specify that the directory should translate an alias DN to the DN of the actual entry. This is known as dereferencing the alias. For other operations, you need to treat the alias entry as an ordinary entry and not dereference it, for example, when you modify the RDN of the alias entry itself, not of the aliased object.

Alias Entries and Searching

The result of a search or read operation involving an alias entry differs depending on whether or not you dereference the alias. Alias dereferencing is specified by the LDAP client. There are four possible settings for the alias dereference flag:

For example, suppose your directory contains the following pair of entries:

cn=Stan Smith, role=Personnel Administrator, ou=Personnel, o=XYZ, c=US

with attributes:

    objectclass=orgPerson
    cn=Stan Smith
    telephoneNumber=123 456 7890
    mail=dtmail

cn=personnel, o=XYZ, c=US

with attributes:

    objectclass=alias
    objectclass=aliasObject
    cn=personnel
    aliasedObjectName="cn=Stan Smith, role=Personnel Administrator, ou=Personnel, o=XYZ, c=US"

With alias dereferencing when searching, if you search for the telephone number of cn=personnel in the subtree o=XYZ, c=US, you will see Stan Smith's telephone number. With no alias dereferencing, you would not see any telephone number.

Defining aliases for roles is particularly useful when the person occupying a role changes frequently (the duty network manager for out-of-hours calls, for example), so that users always query the same entry. You can change the value of the aliasedObjectName with a script that runs on a schedule and calls ldapmodify to make the changes.

See the ldapsearch(1) man page for details of how to specify how alias dereferencing is used in ldapsearch.

Alias Entries and Authentication

To perform certain operations on the directory, users need to be authenticated. This is the case for modifications of directory content, or for reading the userPassword attribute of an entry. The level of access permitted is established during the bind process. For details, refer to "Binding to the Directory".

The DN supplied in a bind request can be the DN of an alias entry. With alias dereferencing, the user binds with the DN contained in the aliasedObjectName of the alias entry, and is granted the access rights defined for the entry with that DN.

Alias dereferencing during a bind operation is a configuration choice that needs to be made for the LDAP server. If aliases are not being dereferenced and the user binds with the DN of an alias entry, access is denied because the password attribute is not present. This also means that if you allow alias dereferencing, you allow users to bind without a password.
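The following Python model, added here as an illustration and not part of Sun Directory Services or this guide, puts the search behaviour described under "Alias Entries and Searching" and the bind behaviour described above side by side. It builds an in-memory directory from the two entries in the example (the userPassword value is made up), assumes the four standard LDAP dereference settings (never, searching, finding, always) as the meaning of the dereference flag, and, as a simplification, matches the search filter against the stored entry and redirects only the attribute read through the alias. The bind model assumes that when an alias is dereferenced, the password of the aliased entry is what gets checked. The dereference helper also refuses alias loops and over-long chains, a check any server-side dereferencer needs so that a mistaken or hostile alias cannot send it into an endless walk.

```python
import hmac

# The four alias-dereferencing settings (assumed standard LDAP semantics).
DEREF_NEVER = "never"          # never follow aliases
DEREF_SEARCHING = "searching"  # follow aliases met below the base, not the base itself
DEREF_FINDING = "finding"      # follow aliases only while locating the base entry
DEREF_ALWAYS = "always"        # follow aliases in both places


def norm(dn):
    """Normalise spacing after commas so lookups ignore cosmetic ', ' spacing."""
    return ",".join(part.strip() for part in dn.split(","))


STAN_DN = norm("cn=Stan Smith, role=Personnel Administrator, ou=Personnel, o=XYZ, c=US")
ALIAS_DN = norm("cn=personnel, o=XYZ, c=US")

# Constructed in-memory directory built from the two entries in the text;
# the userPassword value is made up for the bind demonstration.
DIRECTORY = {
    norm("o=XYZ, c=US"): {"objectclass": ["organization"], "o": ["XYZ"]},
    norm("ou=Personnel, o=XYZ, c=US"): {"objectclass": ["organizationalUnit"], "ou": ["Personnel"]},
    norm("role=Personnel Administrator, ou=Personnel, o=XYZ, c=US"): {
        "objectclass": ["role"], "role": ["Personnel Administrator"]},
    STAN_DN: {
        "objectclass": ["orgPerson"], "cn": ["Stan Smith"],
        "telephoneNumber": ["123 456 7890"], "mail": ["dtmail"],
        "userPassword": ["constructed-secret"],
    },
    ALIAS_DN: {
        "objectclass": ["alias", "aliasObject"], "cn": ["personnel"],
        "aliasedObjectName": [STAN_DN],
    },
}


def is_alias(entry):
    return "alias" in entry.get("objectclass", [])


def dereference(dn, max_hops=8):
    """Follow aliasedObjectName links to a real entry; return (dn, entry).

    entry is None if the chain ends at a missing entry. Raises ValueError on
    an alias loop or an over-long chain instead of walking forever.
    """
    seen = set()
    dn = norm(dn)
    while True:
        entry = DIRECTORY.get(dn)
        if entry is None or not is_alias(entry):
            return dn, entry
        if dn in seen or len(seen) >= max_hops:
            raise ValueError("alias loop or chain too long at " + dn)
        seen.add(dn)
        dn = norm(entry["aliasedObjectName"][0])


def in_subtree(dn, base):
    return dn == base or dn.endswith("," + base)


def search(base, filter_attr, filter_value, want_attr, mode):
    """Subtree search returning {dn: values of want_attr} for matching entries."""
    base = norm(base)
    if mode in (DEREF_FINDING, DEREF_ALWAYS):
        base, base_entry = dereference(base)   # alias as base: locate the real base
    else:
        base_entry = DIRECTORY.get(base)
    if base_entry is None:
        return {}
    results = {}
    for dn, entry in DIRECTORY.items():
        if not in_subtree(dn, base) or filter_value not in entry.get(filter_attr, []):
            continue
        if is_alias(entry) and mode in (DEREF_SEARCHING, DEREF_ALWAYS):
            dn, entry = dereference(dn)        # read attributes from the aliased entry
            if entry is None:
                continue
        if want_attr in entry:
            results[dn] = list(entry[want_attr])
    return results


def bind(dn, password, deref_aliases):
    """Simple bind: return the DN whose access rights the session gets, or None.

    Without dereferencing, an alias entry carries no userPassword, so the bind
    is refused. With dereferencing, the aliased entry's password is checked.
    """
    if deref_aliases:
        dn, entry = dereference(dn)
    else:
        dn, entry = norm(dn), DIRECTORY.get(norm(dn))
    if entry is None or "userPassword" not in entry:
        return None
    if not hmac.compare_digest(entry["userPassword"][0].encode(), password.encode()):
        return None
    return dn


if __name__ == "__main__":
    for mode in (DEREF_NEVER, DEREF_SEARCHING, DEREF_FINDING, DEREF_ALWAYS):
        print(mode, search("o=XYZ, c=US", "cn", "personnel", "telephoneNumber", mode))
    print("bind, no deref:", bind(ALIAS_DN, "constructed-secret", False))
    print("bind, deref:   ", bind(ALIAS_DN, "constructed-secret", True))
```

Run stand-alone, the search for cn=personnel returns Stan Smith's telephone number only in the searching and always modes, and the bind as cn=personnel is refused unless aliases are dereferenced, matching the two behaviours the text describes.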

For information on specifying alias dereferencing for Sun Directory Services, refer to "Configuring LDAP Parameters".