Regular Expression based attributes in LDAP

One of the questions I get asked most often when discussing custom schema and attribute definitions with customers or coworkers is how to restrict the values that can be set on an attribute. From a pure LDAP standard point of view, you would need to define a new syntax and describe its valid values. Then you would need to ask the directory server's vendor, or discuss with the open source developers, to get the syntax implemented in the server, either in the core product or as a plug-in extension. In the end, the easy choice is to use a standard syntax (like DirectoryString) and let every client application validate the values.

In OpenDS, we chose another option: we added support for regular-expression-based syntaxes and implemented it as a syntax definition extension.

So in order to define, for example, an attribute whose values must be in the form host:port, you simply define a new syntax carrying the regular expression pattern and load it into the server's schema:

$ bin/ldapmodify -D cn=directory\ manager -p 1389
Password for user 'cn=directory manager':
dn: cn=schema
changetype: modify
add: ldapsyntaxes
ldapSyntaxes: ( 1.3.6.1.4.1.32473.1
DESC 'Host and Port in the format of HOST:PORT'
X-PATTERN '^[a-zA-Z][.a-zA-Z0-9-]+:[0-9]+$' )

Processing MODIFY request for cn=schema
MODIFY operation successful for DN cn=schema
^D

And then you can make use of the newly defined syntax in attributes.

$ bin/ldapmodify -D cn=directory\ manager -p 1389
Password for user 'cn=directory manager':
dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 1.3.6.1.4.1.32473.2 NAME 'test-attr-regex' SYNTAX 1.3.6.1.4.1.32473.1 )
-
add: objectclasses
objectclasses: ( 1.3.6.1.4.1.32473.3 NAME 'testOCregex' SUP top AUXILIARY MUST test-attr-regex)
-

Processing MODIFY request for cn=schema
MODIFY operation successful for DN cn=schema
^D

Let's create a test entry:

$ bin/ldapmodify -D cn=directory\ manager -p 1389
Password for user 'cn=directory manager':
dn: cn=TestEntry,dc=example,dc=com
changetype: add
sn: TestEntry
cn: TestEntry
objectclass: Person

Processing ADD request for cn=TestEntry,dc=example,dc=com
ADD operation successful for DN cn=TestEntry,dc=example,dc=com
^D

And now make use of this new attribute and objectclass:

$ bin/ldapmodify -D cn=directory\ manager -p 1389
Password for user 'cn=directory manager':

dn: cn=TestEntry,dc=example,dc=com
changetype: modify
add: objectclass
objectclass: testOCregex
-
add: test-attr-regex
test-attr-regex: localhost:1389
-

Processing MODIFY request for cn=TestEntry,dc=example,dc=com
MODIFY operation successful for DN cn=TestEntry,dc=example,dc=com
^D
$ bin/ldapmodify -D cn=directory\ manager -p 1389
Password for user 'cn=directory manager':
dn: cn=testentry,dc=example,dc=com
changetype: modify
replace: test-attr-regex
test-attr-regex: foobar.com

Processing MODIFY request for cn=testentry,dc=example,dc=com
MODIFY operation failed
Result Code: 21 (Invalid Attribute Syntax)
Additional Information: When attempting to modify entry cn=testentry,dc=example,dc=com to replace the set of values for attribute test-attr-regex, value "foobar.com" was found to be invalid according to the associated syntax: The provided value "foobar.com" cannot be parsed as a valid regex syntax because it does not match the pattern "^[a-zA-Z][.a-zA-Z0-9-]+:[0-9]+$"

It's simple and efficient. But wait, there's more to come tomorrow.
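A client-side pre-check that mirrors what the server does, as an added example that is not part of the original post or of OpenDS: it parses the ldapSyntaxes definition above to pull out the X-PATTERN, compiles it with Python's re module, and screens the values of an LDIF change record before the modification is sent. The server's check remains the one that matters (a client that skips this step still gets result code 21 from the server); the pre-check only saves a round trip and gives earlier feedback. It assumes the server requires the whole value to match the pattern, as the error message above implies, and that Java's and Python's regex engines agree for a pattern this simple. The function names parse_regex_syntax, check_value and check_ldif_values and the sample LDIF are the example's own.

```python
import base64
import re

# Constructed sample: the ldapSyntaxes value loaded into cn=schema above.
SYNTAX_DEFINITION = (
    "( 1.3.6.1.4.1.32473.1 "
    "DESC 'Host and Port in the format of HOST:PORT' "
    "X-PATTERN '^[a-zA-Z][.a-zA-Z0-9-]+:[0-9]+$' )"
)

# Constructed LDIF change record (unfolded, one value per line) mixing a valid
# value, the invalid one from the post, and a base64-encoded "host:1".
SAMPLE_LDIF = """dn: cn=TestEntry,dc=example,dc=com
changetype: modify
replace: test-attr-regex
test-attr-regex: localhost:1389
test-attr-regex: foobar.com
test-attr-regex:: aG9zdDox
-
"""

_OID_RE = re.compile(r"^\(\s*([0-9.]+)")
_QDSTRING = r"'([^']*)'"  # simple quoted string; RFC 4512 escapes not handled


def parse_regex_syntax(definition):
    """Return (oid, description, compiled pattern) from an ldapSyntaxes
    description that carries the X-PATTERN extension (hypothetical helper)."""
    text = definition.strip()
    m = _OID_RE.match(text)
    if not m:
        raise ValueError("syntax definition must start with '( <OID>'")
    oid = m.group(1)
    desc = re.search(r"\bDESC\s+" + _QDSTRING, text)
    pat = re.search(r"\bX-PATTERN\s+" + _QDSTRING, text)
    if pat is None:
        raise ValueError("syntax %s has no X-PATTERN extension" % oid)
    return oid, (desc.group(1) if desc else ""), re.compile(pat.group(1))


def check_value(pattern, value):
    """Mirror the server-side check: the whole value has to match.
    Assumption: OpenDS applies the pattern to the entire value, as the
    "does not match the pattern" error in the post suggests."""
    return pattern.fullmatch(value) is not None


def check_ldif_values(ldif_text, attr_name, pattern):
    """Return the values of attr_name in an LDIF record that fail the
    pattern, so a client can reject the change before sending it."""
    invalid = []
    for line in ldif_text.splitlines():
        if not line or line.startswith("#") or line == "-":
            continue
        name, sep, rest = line.partition(":")
        if not sep:
            continue
        # Drop attribute options such as ";binary" before comparing names.
        if name.split(";")[0].strip().lower() != attr_name.lower():
            continue
        if rest.startswith(":"):  # "attr:: <base64>" form
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.lstrip()
        if not check_value(pattern, value):
            invalid.append(value)
    return invalid


if __name__ == "__main__":
    oid, desc, pattern = parse_regex_syntax(SYNTAX_DEFINITION)
    print("syntax", oid, "-", desc)
    for candidate in ("localhost:1389", "foobar.com", "a:1", "host:99999"):
        verdict = "ok" if check_value(pattern, candidate) else "REJECTED"
        print("%-16s %s" % (candidate, verdict))
    print("invalid values in LDIF:",
          check_ldif_values(SAMPLE_LDIF, "test-attr-regex", pattern))
```

Two properties of the pattern are worth knowing before relying on it: [0-9]+ accepts any digit string, so host:99999 passes although it is not a valid TCP port, and the [.a-zA-Z0-9-]+ after the first letter means a one-letter host name such as a:1 is rejected. If the syntax needs tighter bounds, that belongs in the X-PATTERN itself, where every client is held to it, not in client code.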


About

This is the blog of a senior software engineer, specialized in LDAP, Directory Server and OpenDS. Ludovic Poitou works in France at the Grenoble Engineering Center, in the Directory Services Engineering team. Outside work, I love skiing and taking photos.
