17 Managing Computed Attributes
OrclComputedAttribute attribute using LDAP command-line tools. This chapter includes the following sections:
17.1 Introduction to Computed Attributes
Beginning with 11g Release 1 (11.1.1.7.0), Oracle Internet Directory server provides the OrclComputedAttribute attribute as a mechanism to dynamically compute a configurable attribute and its value based on one or more rules. Thus, an attribute can be computed when it is actually needed, without requiring that the attribute persist in the directory store. Computed attributes can be useful in the transition from a test to a production deployment.
The OrclComputedAttribute attribute is a configuration attribute in the DSA Configuration entry:
cn=dsaconfig,cn=configsets,cn=oracle internet directory
OrclComputedAttribute is a multivalued attribute, so multiple attributes and their respective values can be computed dynamically.
An OrclComputedAttribute value can be derived from the following items, or a combination of these items, which are defined in the rules:
-
A standard LDAP URI, as defined in RFC 4516
-
A predetermined string
-
An attribute value
-
A function of an attribute value
-
Beginning with 11g Release 1 (11.1.1.9.0), you can include the
connectByclause to include attributes from two or more entries. This feature uses the underlying database functionality of the SQL CONNECT BY condition with a PRIOR expression.For example, in an organization you can use the
connectByclause to include an employee's manager information, such as mail, phone numbers, and other contact information, in the employees record without actually persisting the manager's data in the employee's record.
Considerations for using OrclComputedAttribute include:
-
The computed attribute name must be defined in the schema.
-
The computed attribute might have access control policies that prevent the return of its value.
-
Computed attributes are derived only for lookup and search operations. If the result entry has a configured computed attribute, then Oracle Internet Directory server skips computation of the attribute.
-
Update operations are allowed for removing or replacing an existing value in the entry.
17.2 Configuring Computed Attributes
You can configure OrclComputedAttribute by using LDAP tools such as ldapmodify, Oracle Directory Services Manager (ODSM), or third-party LDAP browsers.
This section describes these topics:
17.2.1 Rules and Syntax Used for Computed Attributes
You can use combination of rules to compute a value.
The rules for computed attributes use the following syntax to compute the attribute values:
OrclComputedAttribute;ComputedAttrName;dn;Filter: ldapURI OrclComputedAttribute;ComputedAttrName;dn;Filter: "anyString" OrclComputedAttribute;ComputedAttrName;dn;Filter: AttributeName OrclComputedAttribute;ComputedAttrName;dn;Filter: Func(attrName) OrclComputedAttribute;ComputedAttrName;dn;Filter: connectBy(dnAttr,Direction,Level,[computed-attribute-rules],ldapFilter)
Table 17-1 describes the elements used in these rules.
If you can use a combination of these rules to compute a value, see Using Special Characters With Rules for Computed Attributes.
Table 17-1 Syntax Elements Used in Rules for Computed Attributes
| Element | Description |
|---|---|
|
|
Name of the attribute that should be returned with the entry. The computed attribute name must be defined in the schema. The attribute is also subject to ACL evaluation after the value is computed. |
|
|
Distinguished name. The attribute is computed for child entries under this DN. |
|
|
Filter value. The attribute is computed for entries that belong to this filter value. |
|
|
URI that conforms to the syntax described in RFC 4516, as follows: ldap:///baseDN?ReqdAttribute??scope?filter
If there is a space character in the ldapURI configuration, the space must be encoded as |
|
" |
String to be included. It must be enclosed by double quote characters. |
|
|
Attribute name that indicates the value of that attribute should be used. |
|
|
Name of a function to perform on the value. The following functions are available:
Note: In case of the |
|
|
The connectBy(dnAttr,Direction,Level,[computed-attribute-rules],ldapFilter)
|
17.2.2 Using Special Characters With Rules for Computed Attributes
You can use special characters for computed attributes.
Considerations for using special characters with the rules for computed attributes include:
-
If you specify more than one rule, you must use a space character to separate each rule.
-
To append or concatenate a rule or string, use a plus sign (+).
-
To have the result of the first rule evaluation determine the value, use the OR operator (|).
-
The asterisk (*) is the wildcard character and is allowed only in
ldapURI. If this operator appears in the DN part of the URI, then * is derived from the scope of evaluating the entry's DN.
17.3 Examples of Computed Attributes Using LDAP Command-Line Tools
LDAP command-line tool is used to return the attributes with uppercase, to replace an attribute value etc.
This section provides the following examples for computed attributes:
17.3.1 Returning an Attribute Value as Uppercase
You can use upperattr to return an attribute value as uppercase.
This example computes the cn attribute as uppercase and returns the attribute as upperattr:
dn: cn=dsaconfig,cn=configsets,cn=oracle internet directory changetype: modify add: orclcomputedattribute;upperattr;dc=acme,dc=com;objectclass=person orclcomputedattribute;upperattr;ou=EuroSInet Suite,o=IMC,c=US;objectclass=person: upper(cn)
The schema definition for upperattr must be defined.
17.3.2 Returning the Substring of an Attribute Value
You can compute the substring of an attribute by using substrattr.
This example computes the substring of the attribute value and returns the attribute substrattr with the value as description value from position 1 for the next 3 characters:
dn: cn=dsaconfig,cn=configsets,cn=oracle internet directory changetype: modify add: orclcomputedattribute;substrattr;dc=acme,dc=com;objectclass=person orclcomputedattribute;substrattr;dc=acme,dc=com;objectclass=person: substr(description, 1,3)
17.3.3 Replacing an Attribute Value
You can replace an attribute value by using replace command.
This example computes and replaces the attribute value for newTitle:
dn: cn=dsaconfig,cn=configsets,cn=oracle internet directory changetype: modify add: orclcomputedattribute;newTitle;cn=john doe,dc=acme,dc=com;objectclass=person orclcomputedattribute;newTitle;ou=EuroSInet Suite,o=IMC,c=US;objectclass=person: replace(title, "Clerk", "Manager")
17.3.4 Specifying a URI-Based Configuration
You can specify URI-based configuration.
This example adds commonTelephoneNumber to every entry under dc=acme,dc=com:
dn: cn=dsaconfig,cn=configsets,cn=oracle internet directory changetype: modify add: orclcomputedattribute;commonTelephoneNumber;dc=acme,dc=com;objectclass=person orclcomputedattribute;commonTelephoneNumber;dc=acme,dc=com,c=US;objectclass=person: "Common PhoneNumber is " + ldap:///cn=common%20attributes,dc=com?telephonenumber??base?objectclass=*
17.3.5 Using a Combination of Different Rules
You can combine different rules using special characters.
Concatenate different rules using a + (plus sign) with the rules separated by a space character:
dn: cn=dsaconfig,cn=configsets,cn=oracle internet directory changetype: modify add: orclcomputedattribute;combinationAttribute;ou=EuroSInet Suite,o=IMC,c=US;objectclass=person orclcomputedattribute;combinationAttribute;dc=acme,dc=com;objectclass=person: "telephone number from common entry:" + ldap:///cn=common Entry,?telephonenumber??base?objectclass=* + " appending replace of title attr with clerk/manager " + replace(title, "Clerk", "Manager")
dn: cn=dsaconfig,cn=configsets,cn=oracle internet directory changetype: modify add: orclcomputedattribute;combinationAttr2;dc=acme,dc=com;objectclass=person orclcomputedattribute;combinationAttr2;dc=acme,dc=com;objectclass=person: "Telephone number from common entry " + ldap:///cn=commonEntry,dc=acme,dc=com?telephonenumber??base?objectclass=* + " appending truncate of description for space char " + trunc(description, " ")
17.3.6 Using an OR (|) Operator
The OR operator (|) is used to get the output by checking two conditions.
Add the contactNumber attribute as telephoneNumber if the entry has the telephoneNumber attribute; otherwise, copy the value 6505067000:
dn: cn=dsaconfig,cn=configsets,cn=oracle internet directory changetype: modify add: orclcomputedattribute;contactNumber;cn=employees,dc=acme,dc=com;(objectclass=person) orclcomputedattribute;contactNumber;cn=employees,dc=acme,dc=com;(objectclass=person): telephonenumber | 6505067000
Note:
For the OR operator (|), the computed attribute definition supports the following syntax:
definition-1 | definition-2 | ... definition-n
where:
-
definition-1 can be a complex rule.
-
definition-2 through definition-n must be a simple rule only, such as a hard-coded string or an attribute value. These definitions cannot be function expressions or a combination of expression rules.
For example, for the following rule, if the uid is not present for an entry, the result will be a computed value "cn=", regardless of the number of occurrences of the attribute cn in the entry:
orclcomputedattr;myattr;cn=employees;(objectclass=inetorgperson): "uid=" + uid | "cn=" + cn
17.3.7 Using the connectBy Interface
The example describes the value from the attribute (manager) of a target entry and then generates the AllReports computed attributes for that manager's reports for up to 10 levels downwards in the directory.
The manager's DN is:
dn: uid=Manager,ou=people,dc=us,dc=example,dc=com dn: cn=dsaconfig,cn=configsets,cn=oracle internet directory changetype: modify add: orclcomputedattribute;AllReports;dc=com;objectclass=person orclcomputedattribute;AllReports;dc=com;objectclass=person:connectby(manager,0,10)
Each computed attribute includes the respective employee's uid. For example:
AllReports=uid=employee1,ou=people,dc=us,dc=example,dc=com ... AllReports=uid=employee6,ou=people,dc=us,dc=example,dc=com
The following example generates the AllManagers computed attribute for each employee up to 15 levels upwards in the directory. The DN is:
dn: uid=manager,ou=people,dc=us,dc=example,dc=com
dn: cn=dsaconfig,cn=configsets,cn=oracle internet directory changetype: modify add: orclcomputedattribute;AllManagers;dc=com;objectclass=person orclcomputedattribute;AllManagers;dc=com;objectclass=person: connectBy(manager,1,15, [ "EmpNum " + employeenumber + " " + upper(orclnormdn) ])
Each computed attribute includes the respective manager's employeenumber and normalized DN of the entry (orclnormdn attribute) in uppercase. For example:
AllManagers=EmpNum1 UID=NAME1,OU=PEOPLE,DC=US,DC=EXAMPLE,DC=COM ... AllManagers=EmpNum5 UID=NAME5,OU=PEOPLE,DC=US,DC=EXAMPLE,DC=COM
The following example shows the preceding example with the filter (objectclass=inetorgperson) added:
dn: cn=dsaconfig,cn=configsets,cn=oracle internet directory changetype: modify add: orclcomputedattribute;AllManagers;dc=com;objectclass=person orclcomputedattribute;AllManagers;dc=com;objectclass=person:connectBy(manager,1,15, [ "EmpNum " + employeenumber + " " + upper(orclnormdn) ], (objectclass=inetorgperson))
17.3.8 Creating Hierarchical Groups Using connectBy
connectBy is used to create hierarchical groups.
The following example shows the connectBy clause for a recursive (hierarchical) group.
dn: cn=dsaconfig,cn=configsets,cn=oracle internet directory changetype: modify add: orclcomputedattribute;uniquemember;dc=com;objectclass=groupOfUniquenames orclcomputedattribute;uniquemember;dc=com;objectclass=groupOfUniquenames:connectBy(uniquemember,1,25, [uniquemember])
The following example shows a static and a hierarchical group computed by Oracle Internet Directory server. Two static group entries that contain the direct reports of the manager are added.
Given the static unique members stored in the group entry, the example returns nested results going upwards in the directory of uniquemember attributes. For example:
dn: cn=manager1_org,cn=groups,dc=us,dc=example,dc=com objectclass: groupofuniquenames objectclass: top cn: manager1_org uniquemember: uid=manager1,ou=People,dc=us,dc=example,dc=com uniquemember: uid=emp1,ou=People,dc=us,dc=example,dc=com uniquemember: uid=emp2,ou=People,dc=us,dc=example,dc=com uniquemember: uid=emp3,ou=People,dc=us,dc=example,dc=com uniquemember: uid=emp4,ou=People,dc=us,dc=example,dc=com uniquemember: cn=emp2_org,cn=groups,dc=us,dc=example,dc=com
and
dn: cn=emp2_org, cn=groups,dc=us,dc=example,dc=com objectclass: groupofuniquenames objectclass: top cn: emp2_org uniquemember: uid=emp5,ou=People,dc=us,dc=example,dc=com uniquemember: uid=emp6,ou=People,dc=us,dc=example,dc=com
When the entry "cn=manager1_org,cn=groups,dc=us,dc=example,dc=com" is searched, Oracle Internet Server server automatically computes uniquemember attributes recursively. For example:
cn=manager1,cn=groups,dc=us,dc=example,dc=com uniquemember=cn=emp2_org,cn=groups,dc=us,dc=example,dc=com uniquemember=uid=manager1,ou=people,dc=us,dc=example,dc=com uniquemember=uid=emp1,ou=people,dc=us,dc=example,dc=com uniquemember=uid=emp2,ou=people,dc=us,dc=example,dc=com uniquemember=uid=emp3,ou=people,dc=us,dc=example,dc=com uniquemember=uid=emp4,ou=people,dc=us,dc=example,dc=com uniquemember=uid=emp5,ou=people,dc=us,dc=example,dc=com uniquemember=uid=emp6,ou=people,dc=us,dc=example,dc=com