Enumeration based attributes in LDAP

Yesterday I explained how to restrict LDAP attribute values using Regular Expression based syntaxes with the OpenDS directory server. There is another use case for restricting attribute values: when there is an enumerated list of possible values. It is possible to define a finite list of values as a regular expression, but as we wanted to be able to provide additional values, we added to OpenDS the ability to define Enumeration based syntaxes, and we implemented it as a syntax definition extension as well.

Here's an example of use of an Enumeration syntax for the day of the week. Let's first define and load the syntax in the OpenDS directory server's schema:

$ bin/ldapmodify -D cn=directory\ manager -p 1389
Password for user 'cn=directory manager':
dn: cn=schema
changetype: modify
add: ldapsyntaxes
ldapSyntaxes: ( 1.3.6.1.4.1.32473.4 DESC 'Day Of The Week'
X-ENUM ( 'monday' 'tuesday' 'wednesday' 'thursday'
'friday' 'saturday' 'sunday' ) )

Processing MODIFY request for cn=schema
MODIFY operation successful for DN cn=schema
^D

Let's use the syntax in an attribute, itself used in an object class:

$ bin/ldapmodify -D cn=directory\ manager -p 1389
Password for user 'cn=directory manager':

dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 1.3.6.1.4.1.32473.5 NAME 'test-attr-enum'
SYNTAX 1.3.6.1.4.1.32473.4 )
-
add: objectclasses
objectclasses: ( 1.3.6.1.4.1.32473.6 NAME 'testOCenum' SUP top
AUXILIARY MUST test-attr-enum)
-

Processing MODIFY request for cn=schema
MODIFY operation successful for DN cn=schema
^D

Let's create a test entry:

$ bin/ldapmodify -D cn=directory\ manager -p 1389
Password for user 'cn=directory manager':
dn: cn=TestEntry,dc=example,dc=com
changetype: add
sn: TestEntry
cn: TestEntry
objectclass: Person

Processing ADD request for cn=TestEntry,dc=example,dc=com
ADD operation successful for DN cn=TestEntry,dc=example,dc=com
^D

And now, let's make use of the newly created schema objects with that test entry:

$ bin/ldapmodify -D cn=directory\ manager -p 1389
Password for user 'cn=directory manager':
dn: cn=TestEntry,dc=example,dc=com
changetype: modify
add: objectclass
objectclass: testOCenum
-
add: test-attr-enum
test-attr-enum: monday

Processing MODIFY request for cn=TestEntry,dc=example,dc=com
MODIFY operation successful for DN cn=TestEntry,dc=example,dc=com
^D

But if the value isn't part of the enumeration, it gets rejected:

$ bin/ldapmodify -D cn=directory\ manager -p 1389
Password for user 'cn=directory manager':

dn: cn=TestEntry,dc=example,dc=com
changetype: modify
replace: test-attr-enum
test-attr-enum: Lundi

Processing MODIFY request for cn=TestEntry,dc=example,dc=com
MODIFY operation failed
Result Code: 21 (Invalid Attribute Syntax)
Additional Information: When attempting to modify entry cn=TestEntry,dc=example,dc=com to replace the set of values for attribute test-attr-enum, value "Lundi" was found to be invalid according to the associated syntax: The provided value "Lundi" cannot be parsed because it is not allowed by enumeration syntax with OID "1.3.6.1.4.1.32473.4"
$

The enumeration syntax, like the regular expression one, matches like a DirectoryString, that is, using the CaseIgnoreMatch equality rule, so a search for "Monday" finds the stored value "monday":

$ bin/ldapsearch -p 1389 -D cn=directory\ manager -w secret12 \
-b "dc=example,dc=com" '(test-attr-enum=Monday)'

dn: cn=TestEntry,dc=example,dc=com
objectClass: Person
objectClass: top
objectClass: testOCenum
test-attr-enum: monday
cn: TestEntry
sn: TestEntry

But the biggest advantage of the Enumeration syntax is the ability to use an ordering matching rule that is not based on string comparison but on the order of the enumerated values in the syntax definition. So "Monday" is lower than "Tuesday", which is lower than "Wednesday", and so on:

$ bin/ldapsearch -p 1389 -D cn=directory\ manager -w secret12 \
-b "dc=example,dc=com" '(test-attr-enum<=Thursday)'

dn: cn=TestEntry,dc=example,dc=com
objectClass: Person
objectClass: top
objectClass: testOCenum
test-attr-enum: monday
cn: TestEntry
sn: TestEntry
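The two behaviours shown above, CaseIgnoreMatch equality and ordering by position in the enumeration, are easy to mis-read as ordinary string comparison, so it helps to model exactly what the server checks. The following Python script is an added example written for this post, not OpenDS code: it parses the X-ENUM syntax definition quoted earlier, validates values the way the server's error message describes (accepting "Monday", rejecting "Lundi"), and evaluates the two search filters against a stored value. The folding rule used for CaseIgnoreMatch (lowercase, collapsed whitespace) and the minimal filter evaluator are simplifications assumed here; a real server applies the full LDAP string preparation algorithm.

```python
import re

# Constructed sample input: the syntax definition loaded into cn=schema in the post.
DAY_OF_WEEK_SYNTAX = (
    "( 1.3.6.1.4.1.32473.4 DESC 'Day Of The Week' "
    "X-ENUM ( 'monday' 'tuesday' 'wednesday' 'thursday' "
    "'friday' 'saturday' 'sunday' ) )"
)


class EnumSyntax:
    """Model of an X-ENUM LDAP syntax: case-insensitive membership plus
    ordering by position in the definition (not alphabetical order)."""

    def __init__(self, definition: str):
        oid = re.match(r"\(\s*([0-9.]+)", definition)
        if not oid:
            raise ValueError("syntax definition must start with an OID")
        self.oid = oid.group(1)
        enum = re.search(r"X-ENUM\s*\(\s*((?:'[^']*'\s*)+)\)", definition)
        if not enum:
            raise ValueError("no X-ENUM clause found in definition")
        # Enumerated values in declaration order; the order is what the
        # ordering matching rule compares.
        self.values = re.findall(r"'([^']*)'", enum.group(1))
        self._index = {self._fold(v): i for i, v in enumerate(self.values)}

    @staticmethod
    def _fold(value: str) -> str:
        # Assumed approximation of CaseIgnoreMatch: ignore case and
        # insignificant whitespace.
        return " ".join(value.split()).lower()

    def is_valid(self, value: str) -> bool:
        """True if the value is allowed by the enumeration (case-insensitive)."""
        return self._fold(value) in self._index

    def position(self, value: str) -> int:
        """Index of the value in the enumeration; raises like the server's
        Invalid Attribute Syntax result if the value is not enumerated."""
        try:
            return self._index[self._fold(value)]
        except KeyError:
            raise ValueError(
                f'The provided value "{value}" cannot be parsed because it is not '
                f'allowed by enumeration syntax with OID "{self.oid}"'
            ) from None

    def equality(self, stored: str, assertion: str) -> bool:
        # CaseIgnoreMatch: (attr=Monday) matches a stored "monday".
        return self._fold(stored) == self._fold(assertion)

    def ordering_le(self, stored: str, assertion: str) -> bool:
        # (attr<=X): compare positions, not strings.
        return self.position(stored) <= self.position(assertion)

    def ordering_ge(self, stored: str, assertion: str) -> bool:
        # (attr>=X): compare positions, not strings.
        return self.position(stored) >= self.position(assertion)


def evaluate_filter(syntax: EnumSyntax, stored: str, flt: str,
                    attr: str = "test-attr-enum") -> bool:
    """Evaluate a minimal filter of the form (attr=X), (attr<=X) or (attr>=X)
    against one stored value. Only these three forms are supported here."""
    m = re.fullmatch(r"\((\S+?)(<=|>=|=)(.+)\)", flt)
    if not m or m.group(1) != attr:
        raise ValueError(f"unsupported filter: {flt}")
    op, assertion = m.group(2), m.group(3)
    if op == "=":
        return syntax.equality(stored, assertion)
    if op == "<=":
        return syntax.ordering_le(stored, assertion)
    return syntax.ordering_ge(stored, assertion)


if __name__ == "__main__":
    syn = EnumSyntax(DAY_OF_WEEK_SYNTAX)
    print("valid 'Monday':", syn.is_valid("Monday"))
    print("valid 'Lundi': ", syn.is_valid("Lundi"))
    for f in ("(test-attr-enum=Monday)", "(test-attr-enum<=Thursday)"):
        print(f, "matches stored 'monday':", evaluate_filter(syn, "monday", f))
    # Alphabetically "friday" < "monday", but by enumeration order it is later.
    print("(test-attr-enum>=Monday) matches 'friday':",
          evaluate_filter(syn, "friday", "(test-attr-enum>=Monday)"))
```

The contrast that matters is the last line of the demo: a plain string ordering rule would put "friday" before "monday", while the enumeration puts it four positions later, which is what makes `(test-attr-enum<=Thursday)` return the Monday entry in the search above.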

I hope you will find this useful and make use of these syntaxes. To do so, you need to download and install OpenDS 2.2 Release Candidate 1 (or higher).
And if you have additional requirements with syntaxes, I'd be happy to hear about them.

Comments:

Hi Ludovic,

this is really a nice LDAP feature! With the regular expression, OpenDS provides a big part of what we call 'enhanced schema' in our InterLDAP project.

Do you plan to add features like attribute labels? This can be used by an end-user application to display attribute names.

Another big feature: have a dynamic enum attribute syntax, to get the enum values from an LDAP request...

Posted by Clément OUDOT on October 20, 2009 at 04:39 AM CEST #

Clement,

Thanks for the comment.
I'm not sure I understand what you mean by attribute labels and dynamic enum attribute syntax. Could you elaborate, give details and use cases?

Posted by Ludo on October 20, 2009 at 06:56 AM CEST #

Hi,

for example the label of 'cn' could be 'Common Name', and we can also have a description like 'The first name and the last name of a user'. An application can then use this label in CRUD forms.

For dynamic enum, imagine I have a subtree with my firm organizations. I would like to restrict the value of an attribute to these organizations.

Posted by Clément OUDOT on October 20, 2009 at 07:42 AM CEST #

Clement,

I don't think it's reasonable to add labels for "human readable forms" of attribute names when most of the time, these labels have to be translated in the client's locale and language, unless you restrict the use of the Directory service to a single language.
I'd rather have a separate dictionary stored in the Directory itself in a separate branch.

For the dynamic enum, it sounds like an interesting concept. I don't know if we will implement this someday, but I'm taking note and will discuss with the rest of the team.

Posted by Ludo on October 20, 2009 at 08:04 AM CEST #

About

This is the blog of a senior software engineer, specialized in LDAP, Directory Server and OpenDS. Ludovic Poitou works in France at the Grenoble Engineering Center, in the Directory Services Engineering team. Outside work, I love skiing and taking photo
