This chapter describes computed attributes and how to manage computed attributes by configuring the OrclComputedAttribute attribute using LDAP command-line tools.
Beginning with 11g Release 1 (11.1.1.7.0), Oracle Internet Directory server provides the OrclComputedAttribute attribute as a mechanism to dynamically compute a configurable attribute and its value based on one or more rules. Thus, an attribute can be computed when it is actually needed, without requiring that the attribute persist in the directory store. Computed attributes can be useful in the transition from a test to a production deployment.
The OrclComputedAttribute attribute is a configuration attribute in the DSA Configuration entry:
cn=dsaconfig,cn=configsets,cn=oracle internet directory
OrclComputedAttribute is a multivalued attribute, so multiple attributes and their respective values can be computed dynamically.
An OrclComputedAttribute value can be derived from the following items, or a combination of these items, which are defined in the rules:
A standard LDAP URI, as defined in RFC 4516
A predetermined string
An attribute value
A function of an attribute value
Beginning with 11g Release 1 (11.1.1.9.0), you can include the connectBy clause to include attributes from two or more entries. This feature uses the underlying database functionality of the SQL CONNECT BY condition with a PRIOR expression.
For example, in an organization you can use the connectBy clause to include an employee's manager information, such as mail, phone numbers, and other contact information, in the employee's record without actually persisting the manager's data in the employee's record.
Considerations for using OrclComputedAttribute include:
The computed attribute name must be defined in the schema.
The computed attribute might have access control policies that prevent the return of its value.
Computed attributes are derived only for lookup and search operations. If the result entry has a configured computed attribute, then Oracle Internet Directory server skips computation of the attribute.
Update operations are allowed for removing or replacing an existing value in the entry.
You can configure OrclComputedAttribute using LDAP tools such as ldapmodify, Oracle Directory Services Manager (ODSM), or third-party LDAP browsers.
This section describes these topics:
Section 17.2.1, "Rules and Syntax Used for Computed Attributes"
Section 17.3, "Examples of Computed Attributes Using LDAP Command-Line Tools"
The rules for computed attributes use the following syntax to compute the attribute values:
OrclComputedAttribute;ComputedAttrName;dn;Filter: ldapURI
OrclComputedAttribute;ComputedAttrName;dn;Filter: "anyString"
OrclComputedAttribute;ComputedAttrName;dn;Filter: AttributeName
OrclComputedAttribute;ComputedAttrName;dn;Filter: Func(attrName)
OrclComputedAttribute;ComputedAttrName;dn;Filter: connectBy(dnAttr,Direction,Level,[computed-attribute-rules],ldapFilter)
Table 17-1 describes the elements used in these rules.
You can use a combination of these rules to compute a value; see Section 17.2.1.1, "Using Special Characters With Rules for Computed Attributes."
Table 17-1 Syntax Elements Used in Rules for Computed Attributes
Element | Description |
---|---|
ComputedAttrName | Name of the attribute that should be returned with the entry. The computed attribute name must be defined in the schema. The attribute is also subject to ACL evaluation after the value is computed. |
dn | Distinguished name. The attribute is computed for child entries under this DN. |
Filter | Filter value. The attribute is computed for entries that belong to this filter value. |
ldapURI | URI that conforms to the syntax described in RFC 4516, as follows: ldap:///baseDN?ReqdAttribute??scope?filter If there is a space character in the ldapURI configuration, the space must be encoded as |
"anyString" | String to be included. It must be enclosed by double quote characters. |
AttributeName | Attribute name that indicates the value of that attribute should be used. |
Func(attrName) | Name of a function to perform on the value. The following functions are available: Note: In case of the |
connectBy | The connectBy(dnAttr,Direction,Level,[computed-attribute-rules],ldapFilter) |
Considerations for using special characters with the rules for computed attributes include:
If you specify more than one rule, you must use a space character to separate each rule.
To append or concatenate a rule or string, use a plus sign (+).
To have the result of the first rule evaluation determine the value, use the OR operator (|).
The asterisk (*) is the wildcard character and is allowed only in ldapURI. If this operator appears in the DN part of the URI, then * is derived from the scope of evaluating the entry's DN.
This section provides the following examples for computed attributes:
Section 17.3.2, "Returning the Substring of an Attribute Value"
Section 17.3.8, "Creating Hierarchical Groups Using connectBy"
This example computes the cn attribute as uppercase and returns the attribute as upperattr:
dn: cn=dsaconfig,cn=configsets,cn=oracle internet directory
changetype: modify
add: orclcomputedattribute;upperattr;dc=acme,dc=com;objectclass=person
orclcomputedattribute;upperattr;dc=acme,dc=com;objectclass=person: upper(cn)
The schema definition for upperattr must be defined.
This example computes a substring of an attribute value and returns it as the attribute substrattr, whose value is the description value from position 1 for the next 3 characters:
dn: cn=dsaconfig,cn=configsets,cn=oracle internet directory
changetype: modify
add: orclcomputedattribute;substrattr;dc=acme,dc=com;objectclass=person
orclcomputedattribute;substrattr;dc=acme,dc=com;objectclass=person: substr(description, 1,3)
This example computes and replaces the attribute value for newTitle:
dn: cn=dsaconfig,cn=configsets,cn=oracle internet directory
changetype: modify
add: orclcomputedattribute;newTitle;cn=john doe,dc=acme,dc=com;objectclass=person
orclcomputedattribute;newTitle;cn=john doe,dc=acme,dc=com;objectclass=person: replace(title, "Clerk", "Manager")
This example adds commonTelephoneNumber to every entry under dc=acme,dc=com:
dn: cn=dsaconfig,cn=configsets,cn=oracle internet directory
changetype: modify
add: orclcomputedattribute;commonTelephoneNumber;dc=acme,dc=com;objectclass=person
orclcomputedattribute;commonTelephoneNumber;dc=acme,dc=com;objectclass=person: "Common PhoneNumber is " + ldap:///cn=common%20attributes,dc=com?telephonenumber??base?objectclass=*
Concatenate different rules using a + (plus sign) with the rules separated by a space character:
dn: cn=dsaconfig,cn=configsets,cn=oracle internet directory
changetype: modify
add: orclcomputedattribute;combinationAttribute;ou=EuroSInet Suite,o=IMC,c=US;objectclass=person
orclcomputedattribute;combinationAttribute;ou=EuroSInet Suite,o=IMC,c=US;objectclass=person: "telephone number from common entry:" + ldap:///cn=common Entry,?telephonenumber??base?objectclass=* + " appending replace of title attr with clerk/manager " + replace(title, "Clerk", "Manager")

dn: cn=dsaconfig,cn=configsets,cn=oracle internet directory
changetype: modify
add: orclcomputedattribute;combinationAttr2;dc=acme,dc=com;objectclass=person
orclcomputedattribute;combinationAttr2;dc=acme,dc=com;objectclass=person: "Telephone number from common entry " + ldap:///cn=commonEntry,dc=acme,dc=com?telephonenumber??base?objectclass=* + " appending truncate of description for space char " + trunc(description, " ")
Add the contactNumber attribute as telephoneNumber if the entry has the telephoneNumber attribute; otherwise, copy the value 6505067000:
dn: cn=dsaconfig,cn=configsets,cn=oracle internet directory
changetype: modify
add: orclcomputedattribute;contactNumber;cn=employees,dc=acme,dc=com;(objectclass=person)
orclcomputedattribute;contactNumber;cn=employees,dc=acme,dc=com;(objectclass=person): telephonenumber | 6505067000
Note:
For the OR operator (|), the computed attribute definition supports the following syntax:
definition-1 | definition-2 | ... definition-n
where:
definition-1 can be a complex rule.
definition-2 through definition-n must be a simple rule only, such as a hard-coded string or an attribute value. These definitions cannot be function expressions or a combination of expression rules.
For example, for the following rule, if the uid is not present for an entry, the result will be a computed value "cn=", regardless of the number of occurrences of the attribute cn in the entry:
orclcomputedattr;myattr;cn=employees;(objectclass=inetorgperson): "uid=" + uid | "cn=" + cn
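A pre-deployment check for the rule constraints described above (operators between rules, wildcard only in ldapURI, simple definitions after the OR operator), as an added example that is not Oracle code. The function names are hypothetical, connectBy rules are not handled, and the sample values in the usage note are taken from or modelled on this page's examples.

```python
import re

# One token per quoted string, func(...) call, LDAP URI, operator, or bare word.
# connectBy(...) rules nest brackets and are out of scope for this check.
TOKEN = re.compile(r'"[^"]*"|\w+\([^)]*\)|ldap://\S*|[+|]|\S+')

def kind(tok):
    if tok in ("+", "|"):
        return "op"
    if tok.startswith('"'):
        return "string"
    if tok.lower().startswith("ldap://"):
        return "uri"
    if re.fullmatch(r"\w+\([^)]*\)", tok):
        return "func"
    return "attr"  # bare attribute name or literal such as 6505067000

def lint_rule(value):
    """Return findings for one rule value; an empty list means no issue found."""
    toks = TOKEN.findall(value)
    kinds = [kind(t) for t in toks]
    # Rules and operators must alternate: term (op term)*
    for i, k in enumerate(kinds):
        if (k == "op") != (i % 2 == 1):
            hint = " (unencoded space in ldapURI?)" if i and kinds[i - 1] == "uri" else ""
            return [f"token {i} {toks[i]!r}: missing operator or rule{hint}"]
    if len(toks) % 2 == 0:
        return ["rule is empty or ends with an operator"]
    findings = [f"wildcard outside ldapURI in {t!r}"
                for t, k in zip(toks, kinds) if "*" in t and k != "uri"]
    # Split on the OR operator; definition-2..n must each be one simple term.
    alts, cur = [], []
    for t, k in zip(toks, kinds):
        if t == "|":
            alts.append(cur)
            cur = []
        else:
            cur.append(k)
    alts.append(cur)
    for n, alt in enumerate(alts[1:], start=2):
        if alt not in (["string"], ["attr"]):
            findings.append(f"definition-{n} must be a single string or attribute")
    return findings
```

Running lint_rule on `"uid=" + uid | "cn=" + cn` reports definition-2 as not simple, while `telephonenumber | 6505067000` passes.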
connectBy Interface
The following example takes the value of the attribute (manager) of a target entry and then generates the AllReports computed attributes for that manager's reports for up to 10 levels downwards in the directory. The manager's DN is:
dn: uid=Manager,ou=people,dc=us,dc=example,dc=com

dn: cn=dsaconfig,cn=configsets,cn=oracle internet directory
changetype: modify
add: orclcomputedattribute;AllReports;dc=com;objectclass=person
orclcomputedattribute;AllReports;dc=com;objectclass=person:connectby(manager,0,10)
Each computed attribute includes the respective employee's uid. For example:
AllReports=uid=employee1,ou=people,dc=us,dc=example,dc=com
...
AllReports=uid=employee6,ou=people,dc=us,dc=example,dc=com
The following example generates the AllManagers computed attribute for each employee up to 15 levels upwards in the directory. The DN is:
dn: uid=manager,ou=people,dc=us,dc=example,dc=com

dn: cn=dsaconfig,cn=configsets,cn=oracle internet directory
changetype: modify
add: orclcomputedattribute;AllManagers;dc=com;objectclass=person
orclcomputedattribute;AllManagers;dc=com;objectclass=person: connectBy(manager,1,15, [ "EmpNum " + employeenumber + " " + upper(orclnormdn) ])
Each computed attribute includes the respective manager's employeenumber and normalized DN of the entry (orclnormdn attribute) in uppercase. For example:
AllManagers=EmpNum1 UID=NAME1,OU=PEOPLE,DC=US,DC=EXAMPLE,DC=COM
...
AllManagers=EmpNum5 UID=NAME5,OU=PEOPLE,DC=US,DC=EXAMPLE,DC=COM
The following example shows the preceding example with the filter (objectclass=inetorgperson) added:
dn: cn=dsaconfig,cn=configsets,cn=oracle internet directory
changetype: modify
add: orclcomputedattribute;AllManagers;dc=com;objectclass=person
orclcomputedattribute;AllManagers;dc=com;objectclass=person:connectBy(manager,1,15, [ "EmpNum " + employeenumber + " " + upper(orclnormdn) ], (objectclass=inetorgperson))
Creating Hierarchical Groups Using connectBy
The following example shows the connectBy clause for a recursive (hierarchical) group.
dn: cn=dsaconfig,cn=configsets,cn=oracle internet directory
changetype: modify
add: orclcomputedattribute;uniquemember;dc=com;objectclass=groupOfUniquenames
orclcomputedattribute;uniquemember;dc=com;objectclass=groupOfUniquenames:connectBy(uniquemember,1,25, [uniquemember])
The following example shows a static and a hierarchical group computed by Oracle Internet Directory server. Two static group entries that contain the direct reports of the manager are added.
Given the static unique members stored in the group entry, the example returns nested results going upwards in the directory of uniquemember attributes. For example:
dn: cn=manager1_org,cn=groups,dc=us,dc=example,dc=com
objectclass: groupofuniquenames
objectclass: top
cn: manager1_org
uniquemember: uid=manager1,ou=People,dc=us,dc=example,dc=com
uniquemember: uid=emp1,ou=People,dc=us,dc=example,dc=com
uniquemember: uid=emp2,ou=People,dc=us,dc=example,dc=com
uniquemember: uid=emp3,ou=People,dc=us,dc=example,dc=com
uniquemember: uid=emp4,ou=People,dc=us,dc=example,dc=com
uniquemember: cn=emp2_org,cn=groups,dc=us,dc=example,dc=com

and

dn: cn=emp2_org, cn=groups,dc=us,dc=example,dc=com
objectclass: groupofuniquenames
objectclass: top
cn: emp2_org
uniquemember: uid=emp5,ou=People,dc=us,dc=example,dc=com
uniquemember: uid=emp6,ou=People,dc=us,dc=example,dc=com
When the entry "cn=manager1_org,cn=groups,dc=us,dc=example,dc=com" is searched, Oracle Internet Directory server automatically computes uniquemember attributes recursively. For example:
cn=manager1,cn=groups,dc=us,dc=example,dc=com
uniquemember=cn=emp2_org,cn=groups,dc=us,dc=example,dc=com
uniquemember=uid=manager1,ou=people,dc=us,dc=example,dc=com
uniquemember=uid=emp1,ou=people,dc=us,dc=example,dc=com
uniquemember=uid=emp2,ou=people,dc=us,dc=example,dc=com
uniquemember=uid=emp3,ou=people,dc=us,dc=example,dc=com
uniquemember=uid=emp4,ou=people,dc=us,dc=example,dc=com
uniquemember=uid=emp5,ou=people,dc=us,dc=example,dc=com
uniquemember=uid=emp6,ou=people,dc=us,dc=example,dc=com
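Because applications that read uniquemember for authorization will see the expanded list, it helps to audit the effective membership a hierarchical rule would expose before enabling it. The following is an added, client-side model of that expansion over the two static groups above; it is not Oracle's implementation, and the function names, the DN normalisation and the way levels are counted are assumptions.

```python
from collections import deque

# Constructed sample: the two static group entries shown above, keyed by DN,
# holding only their stored (static) uniquemember values.
PEOPLE = "ou=People,dc=us,dc=example,dc=com"
GROUPS = "cn=groups,dc=us,dc=example,dc=com"
STATIC = {
    f"cn=manager1_org,{GROUPS}": (
        [f"uid=manager1,{PEOPLE}"]
        + [f"uid=emp{i},{PEOPLE}" for i in range(1, 5)]
        + [f"cn=emp2_org,{GROUPS}"]
    ),
    f"cn=emp2_org, {GROUPS}": [f"uid=emp5,{PEOPLE}", f"uid=emp6,{PEOPLE}"],
}

def norm(dn):
    """Crude DN normalisation (assumption): lowercase, no space around commas.
    It does not handle escaped commas inside RDN values."""
    return ",".join(part.strip() for part in dn.lower().split(","))

def effective_members(group_dn, static, max_level=25):
    """Breadth-first expansion of nested uniquemember values.

    Level 1 is the group's own stored members (assumed counting). Groups are
    followed at most max_level levels deep, and each group is expanded once,
    so a membership cycle terminates instead of looping.
    """
    index = {norm(dn): [norm(m) for m in members] for dn, members in static.items()}
    start = norm(group_dn)
    expanded, members = {start}, set()
    queue = deque([(start, 1)])
    while queue:
        dn, level = queue.popleft()
        for m in index.get(dn, []):
            members.add(m)
            # Follow a member only if it is itself a known group entry.
            if m in index and m not in expanded and level < max_level:
                expanded.add(m)
                queue.append((m, level + 1))
    return members
```

With the sample data, effective_members for cn=manager1_org returns the same eight values as the search result above, including the nested group's own DN.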