18 Managing Alias Entries

This chapter provides examples of how to add, search for, and modify alias entries, and it includes a list of messages.

For information about attribute aliases, see Section 21.1.5, "Understanding Attribute Aliases."

18.1 Introduction to Managing Alias Entries

Entries sometimes have distinguished names that are long and cumbersome. Oracle Internet Directory makes it easier to administer long names by using alias objects. When someone looks up—that is, references—an object by using an alias, the alias is dereferenced, and what is returned is the object to which the alias points. For example, the alias, Server1, can be dereferenced so that it points to the fully qualified DN—namely, dc=server1,dc=us,dc=myCompany,dc=com. This feature also enables you to devise structures that are not strictly hierarchical.

An alias entry uses the object class alias to distinguish it from object entries in a directory. The definition of that object class is as follows:

(2.5.6.1 NAME 'alias' SUP top STRUCTURAL MUST aliasedObjectName)

An alias entry also contains the aliasedObjectName attribute that, in turn, contains the DN of the object to which it is pointing. The definition of that attribute is as follows:

(2.5.4.1 NAME 'aliasedObjectName' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE)

Figure 18-1 and the accompanying text provide an example of alias entry dereferencing.

Figure 18-1 Alias Entries Example


In Figure 18-1, ou=uk sales,ou=global sales,o=myCompany,c=us is an alias entry pointing to the ou=sales,o=myCompany,c=uk entry.

When anyone references ou=uk sales,ou=global sales,o=oracle,c=us, the directory server automatically reroutes them to the real entry, ou=sales,o=oracle,c=uk.

18.2 Adding an Alias Entry

To add an alias entry, you create a normal entry in LDIF and an alias entry pointing to the real entry. Following the steps in this example produces the tree in Figure 18-2.

  1. Create a sample LDIF file, My_file.ldif, with the following entries:

    dn: c=us
    c: us
    objectclass: country
    
    dn: o=MyCompany, c=us
    o: MyCompany
    objectclass: organization
    
    dn: ou=Area1, c=us
    objectclass: alias
    objectclass: extensibleobject
    ou: Area1
    aliasedObjectName: o=MyCompany, c=us
    
    dn: cn=John Doe, o=MyCompany, c=us
    cn: John Doe
    sn: Doe
    objectclass: person
    
    dn: cn=President, o=MyCompany, c=us
    objectclass: alias
    objectclass: extensibleobject
    cn: President
    aliasedobjectname: cn=John Doe, o=MyCompany, c=us
    
  2. Add these entries to the directory by using the following command:

    ldapadd -p port -h host -D cn=orcladmin -q -f My_file.ldif
    

    Note:

    If you attempt to add an alias entry whose parent is an alias entry, the directory server returns an error.

Figure 18-2 Resulting Tree when Creating the My_file.ldif


In Figure 18-2, the letter A represents an alias entry, where:

  • ou=Area1 is an alias pointing to o=MyCompany

  • cn=President is an alias pointing to cn=John Doe
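
A pre-flight check for the alias rules in this chapter, as an added example that is not Oracle's code: it flags an alias entry whose parent is an alias (which the directory server rejects), an alias without exactly one aliasedObjectName, and a target that is not defined in the same file. The function names and the cn=Deputy entry are constructed for illustration, and the parser assumes plain "attr: value" lines with no base64 values or folded lines.

```python
# Constructed input: two entries from My_file.ldif plus cn=Deputy, an entry
# invented here to trigger the parent-is-an-alias rule from the Note above.
SAMPLE = """\
dn: o=MyCompany, c=us
o: MyCompany
objectclass: organization

dn: ou=Area1, c=us
objectclass: alias
objectclass: extensibleobject
ou: Area1
aliasedObjectName: o=MyCompany, c=us

dn: cn=Deputy, ou=Area1, c=us
objectclass: alias
objectclass: extensibleobject
cn: Deputy
aliasedObjectName: cn=Nobody, o=MyCompany, c=us
"""

def norm(dn):
    """Lower-case a DN and trim spaces around commas (no escaped commas handled)."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def parse(ldif):
    """Return {normalized DN: {attribute: [values]}} for plain 'attr: value' LDIF."""
    entries = {}
    for block in ldif.strip().split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            name, _, value = line.partition(":")
            attrs.setdefault(name.strip().lower(), []).append(value.strip())
        entries[norm(attrs["dn"][0])] = attrs
    return entries

def lint_aliases(ldif):
    """List (dn, problem) pairs for alias entries that break the rules on this page."""
    entries, problems = parse(ldif), []
    aliases = {dn for dn, a in entries.items()
               if "alias" in (v.lower() for v in a.get("objectclass", []))}
    for dn in sorted(aliases):
        targets = entries[dn].get("aliasedobjectname", [])
        if len(targets) != 1:                       # MUST and SINGLE-VALUE
            problems.append((dn, "needs exactly one aliasedObjectName"))
        elif norm(targets[0]) not in entries:       # may still exist in the directory
            problems.append((dn, "target not defined in this file"))
        if dn.partition(",")[2] in aliases:         # server rejects the add
            problems.append((dn, "parent is an alias entry"))
    return problems
```

A target missing from the file is only a warning, because the entry may already exist in the directory; an alias parent is an error the server reports when the entry is added.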

18.3 Searching the Directory with Alias Entries

In each search you specify, there are flags you can set. The search is performed based on the flag you specify, as shown in Table 18-1.

Table 18-1 Flags for Searching the Directory with Alias Entries

| Flag | Search Behavior of LDAP Server |
| --- | --- |
| -a never | Never dereferences aliases. |
| -a find | Dereferences the base object in a search, but does not dereference alias entries that are under the base. |
| -a search | Dereferences aliases in subordinates of the base object in search but not in locating the base object of the search. |
| -a always | Dereferences aliases both in searching and in locating the base object of the search. |


By default, the dereference flag in ldapsearch is -a never and thus the directory server does not perform any dereferencing for alias entries.

18.3.1 Searching the Base with Alias Entries

A base search finds the top level of the alias entry you specify.

Base Search with the Dereferencing Flag -a find

This example shows a base search of ou=Area1,c=us with a filter of "objectclass=*" with the dereferencing flag set to -a find.

ldapsearch -p port -h host -b "ou=Area1,c=us" -a find -s base "objectclass=*" 

The directory server, during the base search, looks up the base specified in the search request and returns it to the user. However, if the base is an alias entry and, as in the example, -a find is specified in the search request, then the directory server automatically dereferences the alias entry and returns the entry it points to. In this example, the search dereferences ou=Area1,c=us, which is an alias entry, and returns o=MyCompany,c=us.

Base Search with the Dereferencing Flag -a search

This example shows a base search of ou=Area1,c=us with a filter of "objectclass=*" with the dereferencing flag set to -a search.

ldapsearch -p port -h host -b "ou=Area1,c=us" -a search -s base "objectclass=*" 

The directory server, during the base search, looks up the base specified in the search request and returns it to the user without dereferencing it. It returns ou=Area1,c=us.

Base Search with the Dereferencing Flag -a always

This example shows a base search of ou=Area1,c=us with a filter of "objectclass=*" with the dereferencing flag set to -a always.

ldapsearch -p port -h host -b "ou=Area1,c=us" -a always -s base "objectclass=*" 

The directory server, during the base search, looks up the base specified in the search request. If it is an alias entry, the directory server automatically dereferences the alias entry and returns the entry it points to. In this example, the search dereferences ou=Area1,c=us, which is an alias entry, and returns o=MyCompany,c=us.

18.3.2 Searching One-Level with Alias Entries

A one-level search finds only the children of the base level you specify.

One-Level Search with the Dereferencing Flag -a find

This example shows a one-level search of "ou=Area1,c=us" with a filter of "objectclass=*" with the dereferencing flag set to -a find.

ldapsearch -p port -h host -b "ou=Area1,c=us" -a find -s one "objectclass=*"

The directory server returns one-level entries under the base that match the filter criteria. In the example, -a find is specified in the search request, and thus the directory server automatically dereferences while looking up the base (the first step), but does not dereference alias entries that are one level under the base. Therefore, the search dereferences ou=Area1,c=us, which is an alias entry, and then looks up one-level entries under o=MyCompany,c=us. One of the one-level entries is cn=President,o=MyCompany,c=us, which is not dereferenced and is returned as is.

Thus, the search returns cn=President,o=MyCompany,c=us and cn=John Doe,o=MyCompany,c=us.

One-Level Search with the Dereferencing Flag -a search

This example shows a one-level search of "ou=Area1,c=us" with a filter of "objectclass=*" with the dereferencing flag set to -a search.

ldapsearch -p port -h host -b "ou=Area1,c=us" -a search -s one "objectclass=*"

The directory server searches for the base that is specified in the search request. If the base entry is an alias entry, it returns nothing. (Alias entries cannot have children.) Otherwise, it returns the base entry's immediate children after dereferencing them. In this example, the base entry is "ou=Area1,c=us", which is an alias entry, so the search returns nothing.

One-Level Search with the Dereferencing Flag -a always

This example shows a one-level search of "ou=Area1,c=us" with a filter of "objectclass=*" with the dereferencing flag set to -a always.

ldapsearch -p port -h host -b "ou=Area1,c=us" -a always -s one "objectclass=*"

In the example, -a always is specified in the search request, and thus the directory server automatically dereferences while looking up the base (the first step), then dereferences alias entries that are one level under the base. Therefore, the search dereferences ou=Area1,c=us, which is an alias entry, and then looks up one-level entries under o=MyCompany,c=us. One of the one-level entries is cn=President,o=MyCompany,c=us. That is dereferenced and is returned as cn=John Doe,o=MyCompany,c=us. The other one-level entry is cn=John Doe,o=MyCompany,c=us, which has already been returned.

Thus, the search returns cn=John Doe,o=MyCompany,c=us.

18.3.3 Searching a Subtree with Alias Entries

A subtree search finds the base, children, and grandchildren.

Subtree Search with the Dereferencing Flag -a find

This example shows a subtree search of "ou=Area1,c=us" with a filter of "objectclass=*" with the dereferencing flag set to -a find.

ldapsearch -p port -h host -b "ou=Area1,c=us" -a find -s sub "objectclass=*" 

The directory server returns all entries under the base that match the filter criteria. In the example, -a find is specified in the search request, and thus the directory server automatically dereferences while looking up the base (the first step), but does not dereference alias entries that are under the base. Therefore, the search dereferences ou=Area1,c=us, which is an alias entry, and then looks up entries under o=MyCompany,c=us. One of the entries is cn=President,o=MyCompany,c=us, which is not dereferenced and is returned as is.

Thus, the search returns:

  • o=MyCompany,c=us

  • cn=John Doe,o=MyCompany,c=us

  • cn=President,o=MyCompany,c=us

Subtree Search with the Dereferencing Flag -a search

This example shows a subtree search of "ou=Area1,c=us" with a filter of "objectclass=*" with the dereferencing flag set to -a search.

ldapsearch -p port -h host -b "ou=Area1,c=us" -a search -s sub "objectclass=*" 

The directory searches for the base that is specified in the search request. If the base is an alias entry, then it returns the base entry without dereferencing it. (Alias entries cannot have children.) Otherwise, it returns all entries under the base. If any alias entries are found, it dereferences them and returns all entries under them as well.

In this example, the base entry is an alias entry, ou=Area1,c=us, so the directory returns ou=Area1,c=us.

Subtree Search with the Dereferencing Flag -a always

This example shows a subtree search of "ou=Area1,c=us" with a filter of "objectclass=*" with the dereferencing flag set to -a always.

ldapsearch -p port -h host -b "ou=Area1,c=us" -a always -s sub "objectclass=*" 

The directory server dereferences the base entry and returns it. It also returns all entries under the dereferenced base. If any alias entries are found, it dereferences them and returns all entries under them as well.

In this example, the base entry is ou=Area1,c=us, which is dereferenced to o=MyCompany,c=us, which is returned. There are two entries under o=MyCompany,c=us. One is cn=President,o=MyCompany,c=us, which is returned and also dereferenced to cn=John Doe,o=MyCompany,c=us, which is returned. The other entry under o=MyCompany,c=us is cn=John Doe,o=MyCompany,c=us, which has already been returned. So the result is o=MyCompany,c=us and cn=John Doe,o=MyCompany,c=us.
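
The search results stated in Section 18.3, reproduced by a small model of the My_file.ldif tree. This is an added example, not Oracle's implementation; TREE, children, resolve and search are names chosen here, and the deref argument mirrors the ldapsearch -a flag.

```python
# Constructed model of the My_file.ldif tree: DN -> alias target (None = real entry).
TREE = {
    "c=us": None,
    "o=MyCompany,c=us": None,
    "ou=Area1,c=us": "o=MyCompany,c=us",
    "cn=John Doe,o=MyCompany,c=us": None,
    "cn=President,o=MyCompany,c=us": "cn=John Doe,o=MyCompany,c=us",
}

def children(dn):
    """Immediate subordinates of dn (alias entries have none)."""
    return [d for d in TREE if d.partition(",")[2] == dn]

def resolve(dn):
    """Follow aliasedObjectName until a non-alias entry is reached."""
    seen = set()
    while TREE.get(dn) is not None:
        if dn in seen:
            raise LookupError("alias loop at " + dn)
        seen.add(dn)
        dn = TREE[dn]
    if dn not in TREE:
        raise LookupError("Alias Problem: target is not in the DIT: " + dn)
    return dn

def search(base, scope, deref="never"):
    """Return the DNs a search yields; scope is base, one or sub."""
    if base not in TREE:
        raise LookupError("No Such Object: " + base)
    if deref in ("find", "always"):        # dereference when locating the base
        base = resolve(base)
    if scope == "base":
        return [base]
    out = [base] if scope == "sub" else []
    todo = children(base)
    while todo:
        dn = todo.pop(0)
        if deref in ("search", "always"):  # dereference subordinates of the base
            dn = resolve(dn)
        if dn not in out:                  # an entry is returned only once
            out.append(dn)
            if scope == "sub":
                todo.extend(children(dn))
    return out

if __name__ == "__main__":
    for scope in ("base", "one", "sub"):
        for deref in ("never", "find", "search", "always"):
            print(scope, deref, search("ou=Area1,c=us", scope, deref))
```

The same filter and base return different entry sets depending only on the flag, so a script or audit query that relies on aliases should pass -a explicitly instead of depending on the default.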

18.4 Modifying Alias Entries

This example shows how to modify alias entries. Create a sample LDIF file, My_file.ldif, with the following entries:

dn: cn=President, o=MyCompany, c=us
changetype: modify
replace: aliasedobjectname
aliasedobjectname: cn=XYZ, o=MyCompany, c=us

Modify the alias entry using the following command:

ldapmodify -D "cn=orcladmin" -q -p port -h host -f My_file.ldif

18.5 Interpreting Messages Related to Alias Dereferencing

Table 18-2 lists the messages related to alias entry dereferencing and the corresponding meaning for each message.

Table 18-2 Entry Alias Dereferencing Messages

| Message | Meaning |
| --- | --- |
| Alias Problem | Either of the following has occurred: (1) An alias was dereferenced, but it did not point to an entry in the DIT. (2) The user tried to add an alias entry whose parent is an alias. |
| Alias Dereferencing Problem | The user cannot dereference an alias because of access control issues. |
| No Such Object | The server cannot find the base DN specified in the search request. |
| Invalid DN Syntax | When adding or modifying an alias entry, if the value specified for aliasedObjectName has invalid DN syntax, then the directory server returns this error message to the client. |
| Success | The client operation successfully completes. When the dereferenced target does exist but does not match the filter specified in the search request, the server returns a success message with no matched entry. |
| Insufficient Access Rights | The user does not have access to the dereferenced entry. |