Interface | Description |
---|---|
Directory | This interface defines the primary API for directory access. |
NodeProcessor | This interface is used internally by the DirectoryService to perform tasks on the subtree or entire tree. |
Remapper | Directory back-end interface. |
XmlProcessor | Interface XmlProcessor is used by XmlRemapperIO for processing the XML document before saving and after loading. |
Class | Description |
---|---|
Attribute | An attribute container class. |
AttributeDefinition | AttributeDefinition provides information about a particular attribute of the Directory node class. |
AttributeType | Attribute type constants and helper methods to convert them to/from string. |
Base64 | This class provides static methods to perform base64 encoding/decoding. |
BitField | BitField, a subclass of BitSet which forbids dynamic set growth. |
BitSelector | BitSelector, a subclass of BitField which allows only one bit set to 1 at a time. |
DateValue | The main purpose of this class is to hold a date value for storing/saving it in the Directory. |
DirectoryCopy | This class implements a utility which provides batch mode directory editing. |
DirectoryDiff | This class compares two directories and reports the differences. |
DirectoryManager | This interface defines the primary API for directory access. |
DirectoryResource | Implements the "directory" abstract resource. |
DirectoryRights | Implements the "directory" rights objects. |
DirectoryServer | Provides a network accessible server for the primary API for directory access. |
DirectoryService | This class implements all logic of the P2J Directory Service. |
DirectoryService.BatchRef | Class BatchRef is a container for the batch editing variables. |
DirectoryService.BindRef | This is a helper class used to clean up forgotten or improperly closed sessions. |
DirectoryService.NodeCopier | Utility class which is used to copy a subtree into a different place. |
DirectoryService.NodeRemover | Utility class which is used for the cleanups after various operations. |
DirectoryService.Rollback | Utility class which is used for rolling back transactions. |
DirectoryService.WorkArea | Wraps the old ContextLocal<BatchRef> activeBatch and ContextLocal<BindRef> bound and has the purpose of cleaning them up when needed. |
DirNode | This class is used to hold node data: definition, attributes and the list of names of child nodes. |
IdUtils | A set of useful static routines to handle node and other IDs. |
LdapMapGen | The design of the LDAP back-end allows different modes of operation, but all of them are based on the mapping information collected in some way. |
LdapRemapper | This class provides a mapping of the P2J Directory tree into an LDAP directory. |
LdapSocketFactory | Implementation of a custom socket factory for use with an LDAP server accessed via a TLS connection. |
LockManager | The purpose of this class is to maintain a set of locks where each lock is identified by the DirectoryService ID. |
LockManager.LockRef | Utility class which is used to pass lock data between the user and LockManager. |
LockManagerTest | Class LockManagerTest performs careful testing of the LockManager. |
LockManagerTest.LockTester | This class is used to check setting/getting of R/O locks. |
NodeAttribute | NodeAttribute provides information about a particular DirectoryService node attribute in its current state. |
NodeHelper | Defines helper methods to add and delete nodes in the directory. |
NullDirectory | Provides a safe placeholder that simply returns the initial value (there is no directory lookup). |
ObjectClass | This class is used to hold a P2J object class definition. |
RamNode | This class is used to hold node data in memory. |
RamRemapper | Memory-only back-end implementation. |
RemapTestDriver1 | Simple test application. |
SchemaLoad | Provides a bootstrap loader for the directory schema. |
SchemaMaping | This class holds all schema-level mapping information for the LDAP back-end and provides methods to read/write data from/to XML. |
SchemaMaping.NamePair | This class is used to store attribute mapping. |
SchemaStorage | Holds the set of directory object definitions (instances of ObjectClass) which represent the schema (structure) of the directory. |
ShadowRemapper | This class implements the Remapper interface and is used to hold changes made by the application during a batch editing session. |
TimeValue | The main purpose of this class is to hold a time value for storing/saving it in the Directory. |
XmlRemapper | The implementation of the Remapper interface which uses an XML file as backing storage for the directory data. |
XmlRemapperIO | This class performs input/output of the directory tree stored in RamRemapper and derived classes from/to a backing XML file. |
Author(s) | Nick Saxon, Sergey Yevtushenko, Greg Shah |
Date | November 18, 2010 |
Access Control | CONFIDENTIAL |
/security

Link names are case-insensitive. That means that object names must differ in more than just string case.

/security/type3/data-abc
/security/account_x
Primitive Data Type | Java Data Type | String Representation | Type Name String |
---|---|---|---|
integer (ATTR_INTEGER) | int | decimal number | INTEGER |
boolean (ATTR_BOOLEAN) | boolean | "true" and "false" | BOOLEAN |
string (ATTR_STRING) | String | character string | STRING |
double (ATTR_DOUBLE) | double | decimal number with a "floating" decimal point | DOUBLE |
bytearray (ATTR_BYTEARRAY) | byte[] | hexadecimal string | BYTEARRAY |
bitfield (ATTR_BITFIELD) | BitField, a subclass of BitSet which forbids dynamic set growth | string of 0s and 1s, enclosed in single quotes followed by 'B' suffix | BITFIELD |
bitselector (ATTR_BITSELECTOR) | BitSelector, a subclass of BitField which allows only one bit set to 1 at a time | string of 0s and 1s, enclosed in single quotes followed by 'B' suffix | BITSELECTOR |
date (ATTR_DATE) | DateValue, a class which can be converted to and from java.util.Date, with the time part ignored and set to 0 | string formatted as yyyy-mm-dd | DATE |
time (ATTR_TIME) | TimeValue, a class which can be converted to and from java.util.Date, with the date part ignored and set to 0 | string formatted as hh:mm:ss | TIME |
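As an added example (not part of the original document or of the P2J code base), the following Java class parses each string representation from the table above into a Java value and rejects anything that does not match the stated form. It substitutes java.time.LocalDate and LocalTime for the page's DateValue and TimeValue classes and a small fixed-width FixedBits class for BitField and BitSelector; the numeric values of the ATTR_* constants and the reading of the leftmost character of a bit string as bit 0 are assumptions.

```java
import java.time.LocalDate;
import java.time.LocalTime;
import java.time.format.DateTimeFormatter;
import java.util.BitSet;

/** Parses the textual form of each primitive directory type (added example, not P2J code). */
public final class PrimitiveValueCodec {
    // ATTR_* names come from the table above; their numeric values are assumed here
    public static final int ATTR_INTEGER = 0, ATTR_BOOLEAN = 1, ATTR_STRING = 2, ATTR_DOUBLE = 3,
            ATTR_BYTEARRAY = 4, ATTR_BITFIELD = 5, ATTR_BITSELECTOR = 6, ATTR_DATE = 7, ATTR_TIME = 8;

    /** Fixed-width bit set: stands in for BitField/BitSelector, which forbid growth. */
    public static final class FixedBits {
        public final int size;
        public final BitSet bits;
        FixedBits(int size, BitSet bits) { this.size = size; this.bits = bits; }
        @Override public String toString() {           // back to the 'xxxx'B form
            StringBuilder sb = new StringBuilder("'");
            for (int i = 0; i < size; i++) sb.append(bits.get(i) ? '1' : '0');
            return sb.append("'B").toString();
        }
    }

    /** Converts the string representation of the given type; throws on anything that does not match. */
    public static Object parse(int type, String text) {
        String s = text.trim();
        switch (type) {
            case ATTR_INTEGER:     return Integer.valueOf(s);            // decimal number
            case ATTR_BOOLEAN:                                            // exactly "true" or "false"
                if (s.equals("true"))  return Boolean.TRUE;
                if (s.equals("false")) return Boolean.FALSE;
                throw new IllegalArgumentException("boolean must be \"true\" or \"false\": " + s);
            case ATTR_STRING:      return text;                           // character string, kept verbatim
            case ATTR_DOUBLE:      return Double.valueOf(s);              // "floating" decimal point
            case ATTR_BYTEARRAY:   return parseHex(s);                    // hexadecimal string
            case ATTR_BITFIELD:    return parseBits(s, false);            // '0101'B
            case ATTR_BITSELECTOR: return parseBits(s, true);             // '0100'B, at most one bit set
            case ATTR_DATE:        return LocalDate.parse(s, DateTimeFormatter.ISO_LOCAL_DATE);       // yyyy-mm-dd
            case ATTR_TIME:        return LocalTime.parse(s, DateTimeFormatter.ofPattern("HH:mm:ss")); // hh:mm:ss
            default: throw new IllegalArgumentException("unknown attribute type " + type);
        }
    }

    private static byte[] parseHex(String hex) {
        if (hex.length() % 2 != 0 || !hex.matches("[0-9A-Fa-f]*"))
            throw new IllegalArgumentException("not a hexadecimal string: " + hex);
        byte[] out = new byte[hex.length() / 2];
        for (int i = 0; i < out.length; i++)
            out[i] = (byte) Integer.parseInt(hex.substring(2 * i, 2 * i + 2), 16);
        return out;
    }

    private static FixedBits parseBits(String s, boolean selector) {
        // single quotes around 0s and 1s, then a B suffix; the leftmost character is bit 0 (assumption)
        if (!s.matches("'[01]*'B")) throw new IllegalArgumentException("not a bit string: " + s);
        String body = s.substring(1, s.length() - 2);
        BitSet bits = new BitSet(body.length());
        int ones = 0;
        for (int i = 0; i < body.length(); i++) {
            if (body.charAt(i) == '1') { bits.set(i); ones++; }
        }
        if (selector && ones > 1)
            throw new IllegalArgumentException("bitselector allows only one bit set to 1: " + s);
        return new FixedBits(body.length(), bits);
    }

    public static void main(String[] args) {
        System.out.println(parse(ATTR_BITFIELD, "'0100110'B"));
        System.out.println(((byte[]) parse(ATTR_BYTEARRAY, "0a1b")).length);
        System.out.println(parse(ATTR_DATE, "2010-11-18"));
        try {
            parse(ATTR_BITSELECTOR, "'0110'B");   // two bits set: not a valid bitselector
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Strict matching matters for a directory that backs security decisions: a bit string of the wrong width or a hex string with an odd length is refused rather than silently padded, so a permissions value cannot change meaning on the way in.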
```java
public String[] enumerateNodes(String nodeId);
```

This call may return null, which means the specified object is either a leaf node or does not exist, or an array of object IDs, which are relative to the parent object ID. An absolute ID can be produced by concatenating the original nodeId with the '/' character and a relative ID. Relative IDs are just link names.

```java
public NodeAttribute[] enumerateNodeAttributes(String nodeId);
```

This call may return null, which means the specified object does not exist, or an array of node attributes. Node attributes are just copies of the attribute records as described in Directory Object Classes, one per existing attribute, completed with the number of values.
```java
public Integer getNodeInteger(String nodeId, String name, int index);
public Integer[] getNodeIntegers(String nodeId, String name);
public Integer getNodeInteger(String nodeId, String name);
```

As can be seen, the first API returns a single value by its index, whereas the second API returns the whole set as an array. Both may return null, which means the specified object or attribute does not exist. The third method is a convenience method for the first one with the index parameter set to 0.

```java
public Attribute[] getNodeAttributes(String nodeId);
```

This method returns null if the referenced object does not exist or has no attributes. Otherwise it returns an array of Attribute objects, which provide the following methods:

```java
public NodeAttribute getDefinition();
public int getCount();
public Object getValue(int index);
```

With these methods one can query the attribute name and type, find out the number of values and query any particular value of the attribute. The value is returned as a generic object, but the application can cast it to its primitive data type.
```java
public boolean setNodeInteger(String nodeId, String name, int index, int value);
public boolean addNodeInteger(String nodeId, String name, int value);
public boolean setNodeIntegers(String nodeId, String name, int[] value);
```

The first API sets a single value by its index. The third API is a variation that replaces all existing values with those specified in the array. The second API just adds a new value to the existing set. All return true if the operation succeeds. The attribute name should be one of the defined ones for this directory object class.

```java
public boolean setNodeAttributes(String nodeId, Attribute[] data);
```

The array of attributes for this call can be either obtained by calling getNodeAttributes or constructed as in the sample code below illustrating object creation. The new set of attributes should meet the requirements of the object class, namely, all mandatory attributes must be present in the array or the call fails.

```java
public boolean deleteNodeAttributeValue(String nodeId, String name, int index);
public boolean deleteNodeAttribute(String nodeId, String name);
```

If an attribute only has one value, the deletion of that sole value deletes the whole attribute. Both calls fail if they would cause a mandatory attribute to be deleted, which is not allowed.

Attributes.

```java
public boolean addNode(String nodeId, String class, Attribute[] data);
```
```java
// Let's assume NodeAttribute na1 and na2 were obtained previously
// na1 describes the ATTR_TIME attribute named "from"
// na2 describes the ATTR_STRING attribute named "list"
// create the 1st attribute
Attribute attr1 = new Attribute(na1, new Time());
// create the 2nd attribute
Attribute attr2 = new Attribute(na2, new String[] {"a", "b", "c"});
// create an array of attributes
Attribute[] data = new Attribute[2];
// put attributes into the array
data[0] = attr1;
data[1] = attr2;
// create a new directory object
boolean result = addNode("/groups/group_A", "namelist", data);
```
```java
public boolean deleteNode(String nodeId);
public boolean openBatch(String nodeId);
```

This call specifies a branch of the directory that should be considered busy for the lifetime of the editing session. The Directory Service uses an internal batch editing lock manager to lock the specified branch and refuses the request if it tries to lock a branch which is already locked by another client.

```java
public boolean closeBatch(boolean disposition);
```

The disposition can be either commit the session, or discard all changes. Discarding changes is as easy as simply destroying the batch. Committing the session is done as follows:
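The branch lock described for openBatch can be demonstrated with the following added Java example; it is not the project's LockManager, and the client identifier standing in for the calling security context and the treatment of a trailing '/' are assumptions. It refuses a batch on any branch that equals, contains, or lies inside a branch another client is editing, compares link names case-insensitively as the object ID rules above require, and allows one open batch per client.

```java
import java.util.HashMap;
import java.util.Locale;
import java.util.Map;

/** Branch locks for batch editing sessions (added example, not the P2J LockManager). */
public final class BranchLockManager {
    // client (stands in for the calling security context) -> branch it is editing; one batch per client
    private final Map<String, String> batches = new HashMap<>();

    /** Link names are case-insensitive, so IDs are compared in lower case; a trailing '/' is ignored (assumption). */
    static String normalize(String nodeId) {
        String s = nodeId.toLowerCase(Locale.ROOT);
        while (s.length() > 1 && s.endsWith("/")) s = s.substring(0, s.length() - 1);
        return s;
    }

    /** True when the two branches share any node: equal, or one is an ancestor of the other. */
    static boolean overlaps(String a, String b) {
        if (a.equals(b)) return true;
        String shorter = a.length() <= b.length() ? a : b;
        String longer  = shorter.equals(a) ? b : a;
        String prefix  = shorter.equals("/") ? "/" : shorter + "/";
        return longer.startsWith(prefix);
    }

    /** Opens a batch on the branch rooted at nodeId; refused if the client is already editing or the branch is busy. */
    public synchronized boolean openBatch(String client, String nodeId) {
        if (batches.containsKey(client)) return false;
        String branch = normalize(nodeId);
        for (String held : batches.values()) {
            if (overlaps(held, branch)) return false;   // another client's branch equals, contains or is inside ours
        }
        batches.put(client, branch);
        return true;
    }

    public synchronized boolean isEditing(String client) {
        return batches.containsKey(client);
    }

    /** Releases the client's branch; the commit/discard disposition itself is outside this example. */
    public synchronized boolean closeBatch(String client) {
        return batches.remove(client) != null;
    }

    public static void main(String[] args) {
        BranchLockManager lm = new BranchLockManager();
        System.out.println(lm.openBatch("A", "/security/accounts"));
        System.out.println(lm.openBatch("B", "/Security/Accounts/users")); // inside A's branch, case differs
        System.out.println(lm.openBatch("B", "/security"));                // contains A's branch
        System.out.println(lm.openBatch("B", "/meta"));                    // disjoint branch
        System.out.println(lm.openBatch("A", "/other"));                   // A already has an open batch
        lm.closeBatch("A");
        System.out.println(lm.openBatch("B", "/security"));                // B is still editing /meta
    }
}
```

Checking both directions of containment is the point: a lock on /security must block a later batch on /security/accounts, and a lock on /security/accounts must block a later batch on /security, otherwise two sessions could commit conflicting changes to the same subtree.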
```java
public String getNodeClass(String nodeId);
```

getNodeClass("/meta") returns "/meta/class/container". The latter object ID can be further used to query the defined attributes and their properties.

- DirectoryService class
- DirectoryCopy class

The DirectoryService class is the main implementation of the front-end for the production environment. The DirectoryCopy class is a stand-alone utility that is used to perform backup and recovery functions.
Schema Definition File Format

```xml
<schema-root>
  <object-class name="classname" leaf="classisleaf" immutable="classimmutable">
    <class-attribute name="name" type="type" mandatory="mandatory" multiple="multiple" immutable="immutable"/>
  </object-class>
</schema-root>
```

- classisleaf is a class property (see Directory Object Classes) which is represented as the string true or false (case is ignored).
- classimmutable is reserved and must be present as the string false.
- name, mandatory, multiple and immutable are the corresponding attribute properties (see Directory Object Classes for details), which are represented as the strings true or false (case is ignored).
- type is represented as a string (see the Primitive Directory Data Types table for the list of recognized "Type Name Strings").

The Remapper interface has to be implemented by a back-end class. The Remapper interface defines methods that the front-end delegates to the back-end for execution. There are important differences, however.

Instantiation and Initialization

- The back-end class name is formed from the back-end name with the suffix Remapper and the prefix com.goldencode.p2j.directory. The resulting name is used to instantiate the class using the Java reflection API.
- The back-end class implements the Remapper interface and has a constructor which accepts a single parameter, the instance of BootstrapConfig.

The following table lists the methods of the Remapper interface.
Method Signature | Description |
---|---|
String[] getClassNames(); | Returns an array with the names of all defined classes. |
boolean isClassLeaf(String classname); | A class is a leaf if no other object can be created under objects of the class. Also known as terminal. |
boolean isClassImmutable(String classname); | A class is immutable if the back-end does not allow any change to its state. |
AttributeDefinition[] getClassDefinition(String classname); | Returns an array of objects describing the class attributes. |
The array of AttributeDefinitions returned from the getClassDefinition method call is different from the array of NodeAttributes which is part of the API. The following table lists the methods of the AttributeDefinition class.

Method Signature | Description |
---|---|
String getName(); | Returns the name of the attribute. |
int getType(); | Returns the primitive data type of the attribute encoded as an integer value ATTR_* (see Primitive Directory Data Types). |
boolean isMandatory(); | Returns true if the attribute is mandatory. |
boolean isMultiple(); | Returns true if the attribute can have multiple values. |
boolean isImmutable(); | Returns true if the attribute is read-only. |
int getSize(); | Returns the exact size for fixed size attributes and 0 for unlimited size strings. The returned value is either the number of bytes for binary attributes, or the number of characters. |
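To show how the schema file format above and the AttributeDefinition properties (type, mandatory, multiple, and the class leaf flag) are enforced when addNode or setNodeAttributes is called, here is an added Java example; it is not the project's SchemaLoad or SchemaStorage code. It parses a constructed schema fragment with the JDK DOM parser, with DOCTYPE declarations refused because the schema file is an input the service should not trust blindly, and reports the problems that would make a proposed attribute set fail. The "namelist" class and its attribute flags are constructed for the example, and matching Type Name Strings case-insensitively is an assumption.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.*;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

/** Loads a schema definition file and checks attribute sets against it (added example, not P2J code). */
public final class SchemaValidator {
    // Type Name Strings from the primitive types table; matched case-insensitively (assumption)
    static final Set<String> TYPE_NAMES = new HashSet<>(Arrays.asList(
            "INTEGER", "BOOLEAN", "STRING", "DOUBLE", "BYTEARRAY", "BITFIELD", "BITSELECTOR", "DATE", "TIME"));

    /** One class-attribute element: the same properties an AttributeDefinition exposes. */
    static final class AttrDef {
        final String name, type;
        final boolean mandatory, multiple, immutable;
        AttrDef(Element e) {
            name = e.getAttribute("name");
            type = e.getAttribute("type").toUpperCase(Locale.ROOT);
            mandatory = Boolean.parseBoolean(e.getAttribute("mandatory")); // "true"/"false", case ignored
            multiple  = Boolean.parseBoolean(e.getAttribute("multiple"));
            immutable = Boolean.parseBoolean(e.getAttribute("immutable"));
            if (!TYPE_NAMES.contains(type))
                throw new IllegalArgumentException("unrecognized type name '" + type + "' on attribute " + name);
        }
    }

    private final Map<String, Map<String, AttrDef>> classes = new HashMap<>();
    private final Set<String> leafClasses = new HashSet<>();

    SchemaValidator(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // the schema file is input: refuse DOCTYPEs so no external entities can be pulled in
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Document doc = f.newDocumentBuilder()
                .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        NodeList ocs = doc.getDocumentElement().getElementsByTagName("object-class");
        for (int i = 0; i < ocs.getLength(); i++) {
            Element oc = (Element) ocs.item(i);
            String className = oc.getAttribute("name");
            if (!"false".equalsIgnoreCase(oc.getAttribute("immutable")))   // reserved, must be false
                throw new IllegalArgumentException("immutable must be \"false\" on class " + className);
            Map<String, AttrDef> defs = new LinkedHashMap<>();
            NodeList cas = oc.getElementsByTagName("class-attribute");
            for (int j = 0; j < cas.getLength(); j++) {
                AttrDef d = new AttrDef((Element) cas.item(j));
                defs.put(d.name, d);
            }
            classes.put(className, defs);
            if (Boolean.parseBoolean(oc.getAttribute("leaf"))) leafClasses.add(className);
        }
    }

    /** A leaf (terminal) class cannot have objects created under its objects. */
    boolean canCreateUnder(String parentClass) {
        return classes.containsKey(parentClass) && !leafClasses.contains(parentClass);
    }

    /** Problems that would make addNode/setNodeAttributes fail for this class; empty means acceptable. */
    List<String> check(String className, Map<String, Integer> valueCounts) {
        Map<String, AttrDef> defs = classes.get(className);
        if (defs == null) return Collections.singletonList("unknown class " + className);
        List<String> problems = new ArrayList<>();
        for (AttrDef d : defs.values())
            if (d.mandatory && valueCounts.getOrDefault(d.name, 0) == 0)
                problems.add("mandatory attribute missing: " + d.name);
        for (Map.Entry<String, Integer> e : valueCounts.entrySet()) {
            AttrDef d = defs.get(e.getKey());
            if (d == null) problems.add("attribute not defined for class: " + e.getKey());
            else if (!d.multiple && e.getValue() > 1)
                problems.add("single-valued attribute given " + e.getValue() + " values: " + d.name);
        }
        return problems;
    }

    public static void main(String[] args) throws Exception {
        // constructed schema fragment: the "namelist" class from the addNode sample, flags chosen here
        String xml = "<schema-root>"
                + "<object-class name=\"namelist\" leaf=\"true\" immutable=\"false\">"
                + "<class-attribute name=\"from\" type=\"time\" mandatory=\"true\" multiple=\"false\" immutable=\"false\"/>"
                + "<class-attribute name=\"list\" type=\"string\" mandatory=\"false\" multiple=\"true\" immutable=\"false\"/>"
                + "</object-class></schema-root>";
        SchemaValidator v = new SchemaValidator(xml);
        Map<String, Integer> good = new HashMap<>();
        good.put("from", 1);
        good.put("list", 3);
        System.out.println(v.check("namelist", good));
        Map<String, Integer> bad = new HashMap<>();
        bad.put("list", 1);
        bad.put("owner", 1);      // not defined for the class; "from" is missing as well
        System.out.println(v.check("namelist", bad));
        System.out.println(v.canCreateUnder("namelist"));
    }
}
```

The check reports every violation rather than stopping at the first one, which is what an administrator needs when a directory load or a batch commit is refused; rejecting attributes the class does not define also stops unexpected data from being smuggled into a rights or account object.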
Delegated calls (each triggered by the API call of the same name):

Method Signature | Description |
---|---|
AttributeDefinition[] enumerateNodeAttributes(String nodeId); | Delegated call |
boolean deleteNodeAttributeValue(String nodeId, String name, int index); | Delegated call |
boolean deleteNodeAttribute(String nodeId, String name); | Delegated call |
boolean addNode(String nodeId, String class, String[] names, Object[] values); | Delegated call |
boolean deleteNode(String nodeId); | Delegated call |
boolean moveNode(String sourceId, String destinationId); | Delegated call |
configure method to process the configuration information. Configuration information that is specific to multiple back-ends can be put there.

```xml
<directory>
  <configuration type="backendname"/>
  <configuration class="backendclassname"/>
  <class name="classname">
    <attribute name="attributename">
      <path value="path">
        <mapping type="backendname"/>
      </path>
    </attribute>
  </class>
</directory>
```

- type and class specify two possible approaches to define back-end names (see Instantiation and Initialization for details).
- The configuration element is a convenient way of putting some generic back-end configuration information using XML attributes.
- The class, attribute and path elements carry mapping information using back-end specific XML attributes.
P2J Directory Operation | Description | LDAP Operation |
---|---|---|
bind() | Authenticates the client to the server and creates a session | bind |
unbind() | Terminates the session | unbind |

P2J Directory Operation | Description | LDAP Operation |
---|---|---|
enumerate...() get...() | Makes an LDAP server search a portion of the directory and return the requested results | search |
n/a | Checks whether a specific attribute value exists | compare |

P2J Directory Operation | Description | LDAP Operation |
---|---|---|
addNode() | Creates new objects in the directory. | add |
deleteNode() | Deletes existing objects from the directory. | delete |
addNode...() setNode...() deleteNodeAttribute...() | Changes the attributes and values contained within an existing entry. New attributes can be added and existing attributes can be deleted. | modify, modify DN |
DirectoryCopy is a stand-alone utility that instantiates two back-ends simultaneously. The source back-end has full access to the directory information. The target back-end is an empty directory (besides the class description information). The utility works through the Remapper interface and traverses the tree, copying the objects with their attributes from the source to the target. At the end, the target directory contains a full copy of the source.

Action | Meaning for Nodes | Meaning for Attributes |
---|---|---|
no access | access is denied without further checks | |
enumerate | this node is visible when enumerating children of its parent node | this attribute is visible when enumerating all attributes of this node |
create | this node can be created | a value can be set for the previously non-existent attribute |
delete | this node can be deleted | the last (or the only) value of this attribute can be deleted |
add | a child node can be added to this node | another value can be added to the existing attribute |
read | meta class of this node can be read | attribute value can be read |
write | this node is not readonly (can change state) | attribute value can be modified |
Property | "permissions" attribute |
---|---|
Field's primitive data type | bitfield |
Is it optional or mandatory? | mandatory |
Is it variable or fixed size? | fixed |
Field's size | 7 bits |
Field's displayable label | "permissions" |
Field's descriptive text | Allowed actions |
Bitfield's array of bit names | "No access" "Create" "Delete" "Add" "Enumerate" "Read" "Write" |
Bitfield's BitSet of unused bits | "0000000"; all bits are used |

Property | "condition" attribute |
---|---|
Field's primitive data type | string |
Is it optional or mandatory? | optional |
Is it variable or fixed size? | variable |
Field's size | unlimited |
Field's displayable label | "condition" |
Field's descriptive text | an arbitrary logical expression that, if present and evaluates to "false", denies access like the "No access" permission. |
Bitfield's array of bit names | n/a |
Bitfield's BitSet of unused bits | n/a |
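The two attribute definitions above together make up one directoryRights decision. The following added Java example (not the project's DirectoryRights class) evaluates it: the "No access" bit denies before anything else, a present condition that evaluates to false denies like "No access", and otherwise the bit for the requested action decides. The condition is supplied as a BooleanSupplier instead of an expression evaluator, and reading the leftmost character of the 'NCDAERW'B string as bit 0 is an assumption.

```java
import java.util.function.BooleanSupplier;

/** Evaluates a directoryRights object for one requested action (added example, not P2J code). */
public final class DirectoryRightsCheck {
    /** Bit positions follow the "permissions" bit-name array: No access, Create, Delete, Add, Enumerate, Read, Write. */
    public enum Action { NO_ACCESS, CREATE, DELETE, ADD, ENUMERATE, READ, WRITE }

    /** Parses the 7-bit 'NCDAERW'B form; the leftmost character is taken as bit 0 (assumption). */
    static boolean[] parsePermissions(String s) {
        if (!s.matches("'[01]{7}'B"))
            throw new IllegalArgumentException("permissions must be a 7-bit bit string: " + s);
        boolean[] bits = new boolean[7];
        for (int i = 0; i < 7; i++) bits[i] = s.charAt(i + 1) == '1';
        return bits;
    }

    /**
     * "No access" denies without further checks; a present condition (null models the absent
     * optional attribute) that evaluates to false denies like "No access"; otherwise the bit
     * named by the requested action decides.
     */
    public static boolean isAllowed(String permissions, BooleanSupplier condition, Action requested) {
        boolean[] bits = parsePermissions(permissions);
        if (bits[Action.NO_ACCESS.ordinal()]) return false;
        if (condition != null && !condition.getAsBoolean()) return false;
        return bits[requested.ordinal()];
    }

    public static void main(String[] args) {
        String readOnly = "'0000110'B";   // Enumerate and Read set
        String blocked  = "'1000110'B";   // No access set; the remaining bits no longer matter
        System.out.println(isAllowed(readOnly, null, Action.READ));
        System.out.println(isAllowed(readOnly, null, Action.WRITE));
        System.out.println(isAllowed(blocked, null, Action.READ));
        System.out.println(isAllowed(readOnly, () -> false, Action.READ)); // condition present and false
    }
}
```

Evaluating "No access" first is what makes it a safe override: an administrator can block a subject by setting one bit without having to clear every granting bit or reason about the condition expression.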
Method Signature | Description |
---|---|
public String getName(); | Returns the name of the attribute. |
public int getType(); | Returns the primitive data type of the attribute encoded as an integer value ATTR_* (see Primitive Directory Data Types). |
public boolean isMandatory(); | Returns true if the attribute is mandatory. |
public boolean isMultiple(); | Returns true if the attribute can have multiple values. |
public int getCount(); | Returns the number of values assigned to the attribute. |
Method Signature | Description |
---|---|
public NodeAttribute getDefinition(); | Returns the NodeAttribute object which describes this attribute. |
public Object getValue(int index); | Returns the indexed value of the attribute as a generic object that can be cast into its primitive data type, or null if the requested value doesn't exist. |
public boolean addValue(Object value); | Adds a new value to the set. The attribute should either allow multiple values or currently have no value. Returns true if successful. |
public boolean setValue(int index, Object value); | Replaces the indexed value. Returns true if successful. |
public boolean deleteValue(int index); | Deletes the indexed value. If it is the only value, the attribute should be optional. Returns true if successful. |
public int getCount(); | Returns the number of values currently assigned to the attribute. |
Method Signature | Description |
---|---|
public static DirectoryService createInstance(BootstrapConfig); | Creates and returns an instance of the DirectoryService class. |
public static DirectoryService getInstance(); | Returns an existing instance of the DirectoryService class. |
public boolean bind(); | Opens a session with the Directory Service. Only one session can be open per client at a time. |
public String getServerId(); | Returns the server identification string from the bootstrap configuration. |
public boolean unbind(); | Closes the currently open session with the Directory Service. |
Method Signature | Description |
---|---|
public String[] enumerateNodes(String nodeId); | Returns an array of object IDs for all children of the nodeId object. |
public NodeAttribute[] enumerateNodeAttributes(String nodeId); | Returns an array of attribute definitions for all existing attributes of the nodeId object. |
Method Signature | Description |
---|---|
public Integer getNodeInteger(String nodeId, String name, int index); and its counterparts for the other primitive types | These methods take the object ID, attribute name and attribute value index and return an object that represents the selected value of the attribute, or null if the query fails. Single valued attributes should be queried as index 0. |
public Integer[] getNodeIntegers(String nodeId, String name); and its counterparts for the other primitive types | These methods take the object ID and attribute name and return an array of objects representing all existing values of the attribute, or null if the query fails. |
public Attribute[] getNodeAttributes(String nodeId); | Returns the entire set of attributes with all their values, or null if the query fails. |
Method Signature | Description |
---|---|
public boolean setNodeInteger(String nodeId, String name, int index, int value); and its counterparts for the other primitive types | These methods take an object ID, attribute name, attribute value index and a value and change the indexed value of the attribute. |
public boolean addNodeInteger(String nodeId, String name, int value); and its counterparts for the other primitive types | These methods take an object ID, attribute name, and a new value and add the value to the existing set. |
public boolean setNodeIntegers(String nodeId, String name, int[] value); and its counterparts for the other primitive types | These methods take an object ID, attribute name, and an array of new values and replace the existing values with the new ones. |
public boolean setNodeAttributes(String nodeId, Attribute[] data); | Replaces all attributes with a new set at once. The operation fails if the new set of attributes does not include all mandatory ones. |
Method Signature | Description |
---|---|
public boolean deleteNodeAttributeValue(String nodeId, String name, int index); | Takes an object ID, attribute name, and value index and deletes the indexed attribute value. |
public boolean deleteNodeAttribute(String nodeId, String name); | Takes an object ID and attribute name and deletes the whole attribute. |

Method Signature | Description |
---|---|
public boolean addNode(String nodeId, String class, Attribute[] data); | Takes the object ID of a parent object, an object class name, and an array of attributes and creates a new object. The operation fails if the set of attributes does not include all mandatory ones. |
public boolean deleteNode(String nodeId); | Takes an object ID and deletes the specified object. |
public boolean moveNode(String nodeId, String newId); | Moves or renames the existing object specified by nodeId. The parent object of newId should exist and allow children to be created. |

Method Signature | Description |
---|---|
public String getNodeClass(String nodeId); | Takes an object ID and returns the object ID of the metaclass object. |

Method Signature | Description |
---|---|
public boolean openBatch(String nodeId); | Returns true if an editing batch has been opened. Fails if another batch is open for the calling security context or if the specified branch is already busy. |
public boolean isEditing(); | Returns true if an editing batch is currently open. |
public boolean closeBatch(boolean disposition); | Closes the currently open editing batch. The disposition parameter tells what to do with the closed batch (commit the session or discard all changes). Returns true if the requested disposition has been successfully applied. |
Predefined Object Classes

Class Name | Terminal | Attribute Name | Primitive Type | Mandatory | Multivalued | Comments |
---|---|---|---|---|---|---|
"container" | | | | | | The simplest directory object class. The only function of containers is to be a parent to its children objects. Class defines no attributes. |
"terminal" | + | | | | | The simplest directory object class. The only function of terminals is to represent a valid object ID. Class defines no attributes. |
"metaclass" | | | | | | This class describes directory object classes |
| | | attrname | string | + | + | attribute names |
| | | attrtype | integer | + | + | encoded attribute types |
| | | attropt | boolean | + | + | mandatory/optional |
| | | attrmult | boolean | + | + | multiple/single valued |
Class Name | Terminal | Attribute Name | Primitive Type | Mandatory | Multivalued | Comments |
---|---|---|---|---|---|---|
"integer" | | | | | | Named integer value class |
| | | value | integer | + | | value |
"boolean" | | | | | | Named boolean value class |
| | | value | boolean | + | | value |
"string" | | | | | | Named string value class |
| | | value | string | + | | value |
"bytes" | | | | | | Named bytearray value class |
| | | value | bytearray | + | | value |
Class Name | Terminal | Attribute Name | Primitive Type | Mandatory | Multivalued | Comments |
---|---|---|---|---|---|---|
"integerOption" | | | | | | Named integer value class |
| | | option | integer | | | value |
"booleanOption" | | | | | | Named boolean value class |
| | | option | boolean | | | value |
"stringOption" | | | | | | Named string value class |
| | | option | string | | | value |
"bytesOption" | | | | | | Named bytearray value class |
| | | option | bytearray | | | value |
Class Name | Terminal | Attribute Name | Primitive Type | Mandatory | Multivalued | Comments |
---|---|---|---|---|---|---|
"integers" | | | | | | Named integer value class |
| | | values | integer | | + | values |
"booleans" | | | | | | Named boolean value class |
| | | values | boolean | | + | values |
"strings" | | | | | | Named string value class |
| | | values | string | | + | values |
"bytess" | | | | | | Named bytearray value class |
| | | values | bytearray | | + | values |
Class Name | Terminal | Attribute Name | Primitive Type | Mandatory | Multivalued | Comments |
---|---|---|---|---|---|---|
"user" | + | | | | | Defines a user account. Object name is the user ID. |
| | | person | string | | | user name |
| | | alias | string | | | associates this account with X.509 certificate |
| | | password | bytearray | | | hashed password |
| | | pwsetdate | date | | | date password was set; may be used for aging |
| | | pwsettime | time | | | time password was set; may be used for aging |
| | | groups | string | | + | groups this user is assigned to |
| | | mode | integer | | | authentication mode override |
"group" | + | | | | | Defines a group account. Object name is the group ID. |
| | | description | string | | | group description |
"process" | + | | | | | Defines a process account. Object name is the process ID. |
| | | description | string | | | description |
| | | server | boolean | | | defines process role as server (true) or application (false or omitted) |
| | | master | boolean | | | if set to true for a server, the server is a master server |
| | | alias | string | | | associates this account with X.509 certificate and, optionally, PKCS#8 private key |
| | | secret | bytearray | | | secret key servers use to access keystore |
Class Name | Terminal | Attribute Name | Primitive Type | Mandatory | Multivalued | Comments |
---|---|---|---|---|---|---|
"auditDecision" | + | | | | | Defines audit modes for security decisions |
| | | success | boolean | | | if set to true, audits granted accesses |
| | | failure | boolean | | | if set to true, audits denied accesses |
"auditResource" | + | | | | | Defines auditing per resource instance |
| | | instances | string | | + | optional resource instance names |
| | | requests | integer | | + | optional requested rights |
Class Name | Terminal | Attribute Name | Primitive Type | Mandatory | Multivalued | Comments |
---|---|---|---|---|---|---|
"binding" | + | | | | | Defines an association between multiple subjects and resource instances. Object names are sequential. |
| | | subjects | string | + | + | list of subject names (object names for user, group and process) |
| | | reftype | boolean | + | + | one flag per reference; true: the reference refers to a specific resource instance, false: the reference refers to a match string |
| | | reference | string | + | + | list of references to resource instance names or match strings (regular expressions) that specify a match to multiple resource instance names |
"systemRights" | | | | | | Defines access rights object for the "system" resource type. Object names are sequential. |
| | | check | string | + | | user-defined logical expression that must evaluate true for access to be granted |
"directoryRights" | | | | | | Defines access rights object for the "directory" resource type. Object names are sequential. |
| | | permissions | bitfield | + | | 7-bit bitfield, NCDAERW |
| | | condition | string | | | optional logical expression that must evaluate true for the access defined in the attribute named "permissions" to be granted |
"netRights" | | | | | | Defines access rights object for the "net" resource type. Object names are sequential. |
| | | permissions | bitfield | + | | 4-bit bitfield, NRWX |
"adminRights" | | | | | | Defines access rights object for the "net" resource type. Object names are sequential. |
| | | type | integer | + | | type defines the meaning of the permissions |
| | | permissions | bitfield | + | | type ADMT_PATH: 2-bit bitfield NU; type ADMT_USER: 8-bit bitfield NEPGRWCD |
</gr_repl
ace>

<gr_replace lines="1145-1180" cat="clarify" orig="Class Name |">
Class Name | Terminal | Attribute Name | Primitive Type | Mandatory | Multivalued | Comments |
---|---|---|---|---|---|---|
"authMode" | + | | | | | Defines authorization mode details |
| | | anonymous | string | | | name for anonymous account; if omitted, no anonymous connection allowed |
| | | mode | integer | + | | authorization mode |
| | | plugin | string | | | optional authorization hook name |
| | | option | string | | | optional authorization hook parameters |
| | | retries | integer | | | optional authentication retries mode |
"lock" | + | | | | | Defines a directory lock object. Object name is the process ID of the server who created this object. |
| | | backed-up | boolean | | | if present and set to true, backup is available |
| | | backupId | string | | | the location of the backup created before applying changes |
Class Name |
Terminal |
Attribute Name |
Primitive Type |
Mandatory |
Multivalued |
Comments |
"authMode" |
+ |
Defines authorization mode details | ||||
anonymous | string |
name for anonymous account; if omitted, no anonymous connection allowed | ||||
mode |
integer |
+ |
authorization mode | |||
plugin |
string |
optional authorization hook name | ||||
option |
string |
optional authorization hook parameters | ||||
retries |
integer |
optional authrntication retries
mode |
||||
"lock" |
+ |
Defines a directory lock object. Object name is the process ID of the server who created this object. | ||||
backed-up | boolean |
if present and set to true, backup is available | ||||
backupId |
string |
the location of the backup
created before applying changes |
```text
###########################################################################
# #
# GCD P2J Directory Schema #
# #
###########################################################################
# Macros ------------------------------------------------------------------
objectidentifier GCD 1.1
objectidentifier GCD.P2J GCD:2
objectidentifier GCD.P2J.OC GCD.P2J:1
objectidentifier GCD.P2J.At GCD.P2J:2
#---- attributes ----------------------------------------------------------
#---- basic attribute types -----------------
attributetype ( GCD.P2J.At:1 NAME 'gcdInteger'
DESC 'P2J directory integers attribute'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE )
attributetype ( GCD.P2J.At:2 NAME 'gcdIntegers'
DESC 'P2J directory integers attribute'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27)
attributetype ( GCD.P2J.At:3 NAME 'gcdBoolean'
DESC 'P2J directory boolean attribute'
EQUALITY booleanMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
SINGLE-VALUE )
attributetype ( GCD.P2J.At:4 NAME 'gcdBooleans'
DESC 'P2J directory booleans attribute'
EQUALITY booleanMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.7)
attributetype ( GCD.P2J.At:5 NAME 'gcdString'
DESC 'P2J directory string attribute'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE )
attributetype ( GCD.P2J.At:6 NAME 'gcdStrings'
DESC 'P2J directory strings attribute'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15)
attributetype ( GCD.P2J.At:7 NAME 'gcdByteArray'
DESC 'P2J directory bytearray attribute'
EQUALITY octetStringMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.40
SINGLE-VALUE )
attributetype ( GCD.P2J.At:8 NAME 'gcdByteArrays'
DESC 'P2J directory bytearrays attribute'
EQUALITY octetStringMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.40)
attributetype ( GCD.P2J.At:9 NAME 'gcdBitField'
DESC 'P2J directory bitfield attribute'
EQUALITY bitStringMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.6
SINGLE-VALUE )
attributetype ( GCD.P2J.At:10 NAME 'gcdBitFields'
DESC 'P2J directory bitfields attribute'
EQUALITY bitStringMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.6)
attributetype ( GCD.P2J.At:11 NAME 'gcdBitSelector'
DESC 'P2J directory bitselector attribute'
EQUALITY bitStringMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.6
SINGLE-VALUE )
attributetype ( GCD.P2J.At:12 NAME 'gcdBitSelectors'
DESC 'P2J directory bitselectors attribute'
EQUALITY bitStringMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.6)
attributetype ( GCD.P2J.At:13 NAME 'gcdDate'
DESC 'P2J directory date attribute'
EQUALITY caseExactMatch
SUBSTR caseExactSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE )
attributetype ( GCD.P2J.At:14 NAME 'gcdDates'
DESC 'P2J directory dates attribute'
EQUALITY caseExactMatch
SUBSTR caseExactSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15)
attributetype ( GCD.P2J.At:15 NAME 'gcdTime'
DESC 'P2J directory time attribute'
EQUALITY caseExactMatch
SUBSTR caseExactSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE )
attributetype ( GCD.P2J.At:16 NAME 'gcdTimes'
DESC 'P2J directory times attribute'
EQUALITY caseExactMatch
SUBSTR caseExactSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15)
# No replacement for the Double.
#---- derived attribute types -----------------
attributetype ( GCD.P2J.At:100 NAME 'gcdAuditDecisionSuccess' SUP gcdBoolean)
attributetype ( GCD.P2J.At:101 NAME 'gcdAuditDecisionFailure' SUP gcdBoolean)
attributetype ( GCD.P2J.At:102 NAME 'gcdAuditResourceType' SUP gcdString)
attributetype ( GCD.P2J.At:103 NAME 'gcdAuditResourceInstances' SUP gcdStrings)
attributetype ( GCD.P2J.At:104 NAME 'gcdAuditResourceRequests' SUP gcdIntegers)
attributetype ( GCD.P2J.At:105 NAME 'gcdAuthModeAnonymous' SUP gcdString)
attributetype ( GCD.P2J.At:106 NAME 'gcdAuthModeMode' SUP gcdInteger)
attributetype ( GCD.P2J.At:107 NAME 'gcdAuthModePlugin' SUP gcdString)
attributetype ( GCD.P2J.At:108 NAME 'gcdAuthModeOption' SUP gcdString)
attributetype ( GCD.P2J.At:109 NAME 'gcdBindingReftype' SUP gcdBoolean)
attributetype ( GCD.P2J.At:110 NAME 'gcdBindingReference' SUP gcdString)
attributetype ( GCD.P2J.At:111 NAME 'gcdBooleanValue' SUP gcdBoolean)
attributetype ( GCD.P2J.At:112 NAME 'gcdBooleanOptionOption' SUP gcdBoolean)
attributetype ( GCD.P2J.At:113 NAME 'gcdBooleansValues' SUP gcdBooleans)
attributetype ( GCD.P2J.At:114 NAME 'gcdBytesValue' SUP gcdByteArray)
attributetype ( GCD.P2J.At:115 NAME 'gcdBytesOptionOption' SUP gcdByteArray)
attributetype ( GCD.P2J.At:116 NAME 'gcdBytessValues' SUP gcdByteArrays)
attributetype ( GCD.P2J.At:117 NAME 'gcdDateOptionOption' SUP gcdDate)
attributetype ( GCD.P2J.At:118 NAME 'gcdDatesValues' SUP gcdDates)
attributetype ( GCD.P2J.At:119 NAME 'gcdDirectoryRightsPermissions' SUP gcdBitField)
attributetype ( GCD.P2J.At:120 NAME 'gcdDirectoryRightsCondition' SUP gcdString)
attributetype ( GCD.P2J.At:121 NAME 'gcdGroupDescription' SUP gcdString)
attributetype ( GCD.P2J.At:122 NAME 'gcdIntegerValue' SUP gcdInteger)
attributetype ( GCD.P2J.At:123 NAME 'gcdIntegerOptionOption' SUP gcdInteger)
attributetype ( GCD.P2J.At:124 NAME 'gcdIntegersValues' SUP gcdIntegers)
attributetype ( GCD.P2J.At:125 NAME 'gcdLockBackedUp' SUP gcdBoolean)
attributetype ( GCD.P2J.At:126 NAME 'gcdLockBackupId' SUP gcdString)
attributetype ( GCD.P2J.At:127 NAME 'gcdNetRightsPermissions' SUP gcdBitField)
```
attributetype ( GCD.P2J.At:128 NAME 'gcdProcessDescription' SUP gcdString)
attributetype ( GCD.P2J.At:129 NAME 'gcdProcessServer' SUP gcdBoolean)
attributetype ( GCD.P2J.At:130 NAME 'gcdProcessMaster' SUP gcdBoolean)
attributetype ( GCD.P2J.At:131 NAME 'gcdProcessAlias' SUP gcdString)
attributetype ( GCD.P2J.At:132 NAME 'gcdProcessSecret' SUP gcdByteArray)
attributetype ( GCD.P2J.At:133 NAME 'gcdStringValue' SUP gcdString)
attributetype ( GCD.P2J.At:134 NAME 'gcdStringOptionOption' SUP gcdString)
attributetype ( GCD.P2J.At:135 NAME 'gcdStringsValues' SUP gcdStrings)
attributetype ( GCD.P2J.At:136 NAME 'gcdSystemRightsCheck' SUP gcdString)
attributetype ( GCD.P2J.At:137 NAME 'gcdUserPerson' SUP gcdString)
attributetype ( GCD.P2J.At:138 NAME 'gcdUserAlias' SUP gcdString)
attributetype ( GCD.P2J.At:139 NAME 'gcdUserPassword' SUP gcdByteArray)
attributetype ( GCD.P2J.At:140 NAME 'gcdUserPwsetdate' SUP gcdDate)
attributetype ( GCD.P2J.At:141 NAME 'gcdUserPwsettime' SUP gcdTime)
attributetype ( GCD.P2J.At:142 NAME 'gcdUserGroups' SUP gcdStrings)
attributetype ( GCD.P2J.At:143 NAME 'gcdUserMode' SUP gcdInteger)
#---- object classes --------------------------------------------------------
# auditDecision
objectclass ( GCD.P2J.OC:1 NAME 'gcdAuditDecision'
DESC 'P2J auditDecision class'
SUP top STRUCTURAL
MUST cn
MAY (gcdAuditDecisionSuccess $ gcdAuditDecisionFailure))
# auditResource
objectclass ( GCD.P2J.OC:2 NAME 'gcdAuditResource'
DESC 'P2J auditResource class'
SUP top STRUCTURAL
MUST (cn $ gcdAuditResourceType)
MAY (gcdAuditResourceInstances $ gcdAuditResourceRequests))
# authMode
objectclass ( GCD.P2J.OC:3 NAME 'gcdAuthMode'
DESC 'P2J authMode class'
SUP top STRUCTURAL
MUST (cn $ gcdAuthModeMode)
MAY (gcdAuthModeAnonymous $ gcdAuthModePlugin $ gcdAuthModeOption))
# binding
objectclass ( GCD.P2J.OC:4 NAME 'gcdBinding'
DESC 'P2J binding class'
SUP top STRUCTURAL
MUST (cn $ gcdBindingReftype $ gcdBindingReference))
# boolean
objectclass ( GCD.P2J.OC:5 NAME 'gcdBoolean'
DESC 'P2J boolean class'
SUP top STRUCTURAL
MUST (cn $ gcdBooleanValue))
# booleanOption
objectclass ( GCD.P2J.OC:6 NAME 'gcdBooleanOption'
DESC 'P2J booleanOption class'
SUP top STRUCTURAL
MUST cn
MAY gcdBooleanOptionOption)
# booleans
objectclass ( GCD.P2J.OC:7 NAME 'gcdBooleans'
DESC 'P2J booleans class'
SUP top STRUCTURAL
MUST cn
MAY gcdBooleansValues)
# bytes
objectclass ( GCD.P2J.OC:8 NAME 'gcdBytes'
DESC 'P2J bytes class'
SUP top STRUCTURAL
MUST (cn $ gcdBytesValue))
# bytesOption
objectclass ( GCD.P2J.OC:9 NAME 'gcdBytesOption'
DESC 'P2J bytesOption class'
SUP top STRUCTURAL
MUST cn
MAY gcdBytesOptionOption)
# bytess
objectclass ( GCD.P2J.OC:10 NAME 'gcdBytess'
DESC 'P2J bytess class'
SUP top STRUCTURAL
MUST cn
MAY gcdBytessValues)
# container
objectclass ( GCD.P2J.OC:11 NAME 'gcdContainer'
DESC 'P2J container class'
SUP top STRUCTURAL
MUST cn)
# dateOption
objectclass ( GCD.P2J.OC:12 NAME 'gcdDateOption'
DESC 'P2J dateOption class'
SUP top STRUCTURAL
MUST cn
MAY gcdDateOptionOption)
# dates
objectclass ( GCD.P2J.OC:13 NAME 'gcdDates'
DESC 'P2J dates class'
SUP top STRUCTURAL
MUST cn
MAY gcdDatesValues)
# directoryRights
objectclass ( GCD.P2J.OC:14 NAME 'gcdDirectoryRights'
DESC 'P2J directoryRights class'
SUP top STRUCTURAL
MUST (cn $ gcdDirectoryRightsPermissions)
MAY gcdDirectoryRightsCondition)
# group
objectclass ( GCD.P2J.OC:15 NAME 'gcdGroup'
DESC 'P2J group class'
SUP top STRUCTURAL
MUST cn
MAY gcdGroupDescription)
# integer
objectclass ( GCD.P2J.OC:16 NAME 'gcdInteger'
DESC 'P2J integer class'
SUP top STRUCTURAL
MUST (cn $ gcdIntegerValue))
# integerOption
objectclass ( GCD.P2J.OC:17 NAME 'gcdIntegerOption'
DESC 'P2J integerOption class'
SUP top STRUCTURAL
MUST cn
MAY gcdIntegerOptionOption)
# integers
objectclass ( GCD.P2J.OC:18 NAME 'gcdIntegers'
DESC 'P2J integers class'
SUP top STRUCTURAL
MUST cn
MAY gcdIntegersValues)
# lock
objectclass ( GCD.P2J.OC:19 NAME 'gcdLock'
DESC 'P2J lock class'
SUP top STRUCTURAL
MUST cn
MAY (gcdLockBackedUp $ gcdLockBackupId))
# netRights
objectclass ( GCD.P2J.OC:20 NAME 'gcdNetRights'
DESC 'P2J netRights class'
SUP top STRUCTURAL
MUST (cn $ gcdNetRightsPermissions))
# process
objectclass ( GCD.P2J.OC:21 NAME 'gcdProcess'
DESC 'P2J process class'
SUP top STRUCTURAL
MUST cn
MAY (gcdProcessDescription $ gcdProcessServer $ gcdProcessMaster $ gcdProcessAlias $ gcdProcessSecret))
# string
objectclass ( GCD.P2J.OC:22 NAME 'gcdString'
DESC 'P2J string class'
SUP top STRUCTURAL
MUST (cn $ gcdStringValue))
# stringOption
objectclass ( GCD.P2J.OC:23 NAME 'gcdStringOption'
DESC 'P2J stringOption class'
SUP top STRUCTURAL
MUST cn
MAY gcdStringOptionOption)
# strings
objectclass ( GCD.P2J.OC:24 NAME 'gcdStrings'
DESC 'P2J strings class'
SUP top STRUCTURAL
MUST cn
MAY gcdStringsValues)
# systemRights
objectclass ( GCD.P2J.OC:25 NAME 'gcdSystemRights'
DESC 'P2J systemRights class'
SUP top STRUCTURAL
MUST (cn $ gcdSystemRightsCheck))
# terminal
objectclass ( GCD.P2J.OC:26 NAME 'gcdTerminal'
DESC 'P2J terminal class'
SUP top STRUCTURAL
MUST cn)
# user
objectclass ( GCD.P2J.OC:27 NAME 'gcdUser'
DESC 'P2J user class'
SUP top STRUCTURAL
MUST uid
MAY (gcdUserPerson $ gcdUserAlias $ gcdUserPassword $ gcdUserPwsetdate $ gcdUserPwsettime $ gcdUserGroups $ gcdUserMode))
## end of schema
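A generated schema file like the one above is only validated when the LDAP server loads it, so a derived attribute type whose SUP is missing, or an object class whose MUST/MAY list names an attribute that is never defined, surfaces late and usually as an unhelpful server error. The checker below is an added example, not part of the P2J code base: it parses OpenLDAP-style `attributetype` and `objectclass` definitions written with OID macros (`GCD.P2J.At:7`), follows the SUP chains of the derived types so that, for instance, `gcdUserPassword` is seen to inherit the octet-string syntax and the SINGLE-VALUE constraint of `gcdByteArray`, and reports references the schema cannot resolve. `SAMPLE_SCHEMA` is a constructed excerpt of the page's schema with `gcdString` left out and `gcdLockBackedUp` undefined on purpose; `cn` and `uid` are assumed to come from the server's core schema, the single-name `NAME 'x'` form is assumed throughout, and treating SINGLE-VALUE as inherited along the SUP chain is an assumption about how the target server interprets derived types.

```python
import re

CORE_ATTRIBUTES = {"cn", "uid"}  # assumed to come from the server's core schema, never defined here

# Constructed excerpt of the schema above: gcdString is left out and gcdLockBackedUp undefined on purpose.
SAMPLE_SCHEMA = """\
attributetype ( GCD.P2J.At:6 NAME 'gcdStrings'
    EQUALITY caseIgnoreMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15)
attributetype ( GCD.P2J.At:7 NAME 'gcdByteArray'
    DESC 'P2J directory bytearray attribute'
    EQUALITY octetStringMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.40
    SINGLE-VALUE )
attributetype ( GCD.P2J.At:126 NAME 'gcdLockBackupId' SUP gcdString)
attributetype ( GCD.P2J.At:139 NAME 'gcdUserPassword' SUP gcdByteArray)
attributetype ( GCD.P2J.At:142 NAME 'gcdUserGroups' SUP gcdStrings)
objectclass ( GCD.P2J.OC:19 NAME 'gcdLock'
    SUP top STRUCTURAL
    MUST cn
    MAY (gcdLockBackedUp $ gcdLockBackupId))
"""

TOKEN = re.compile(r"'[^']*'|\([^()]*\)|\S+")  # quoted string | (a $ b) list | bare word
FLAGS = {"SINGLE-VALUE", "STRUCTURAL", "AUXILIARY", "ABSTRACT", "OBSOLETE"}


def _bodies(text):
    """Yield (kind, body) per definition; body is the text between the outer parentheses."""
    text = "\n".join(line for line in text.splitlines() if not line.lstrip().startswith("#"))
    for m in re.finditer(r"^[ \t]*(attributetype|objectclass)[ \t]*\(", text, re.MULTILINE):
        depth, j = 1, m.end()
        while j < len(text) and depth:
            if text[j] == "'":  # quoted DESC/NAME text may itself contain parentheses
                j = text.index("'", j + 1)
            elif text[j] in "()":
                depth += 1 if text[j] == "(" else -1
            j += 1
        if depth:
            raise ValueError(f"unterminated {m.group(1)} definition")
        yield m.group(1), text[m.end():j - 1]


def parse_schema(text):
    """Return (attribute types, object classes), each {lower-cased name: {KEY: value}}."""
    attrs, classes = {}, {}
    for kind, body in _bodies(text):
        toks, i = TOKEN.findall(body), 1
        props = {"OID": toks[0]}
        while i < len(toks):
            key = toks[i]
            if key in FLAGS:
                props[key], i = True, i + 1
                continue
            val = toks[i + 1]
            if key in ("MUST", "MAY"):  # a single name or a '(a $ b)' list
                val = [n.strip() for n in val.strip("()").split("$") if n.strip()]
            else:  # assumption: the single-name NAME form, as this schema uses
                val = val.strip("'")
            props[key], i = val, i + 2
        (attrs if kind == "attributetype" else classes)[props["NAME"].lower()] = props
    return attrs, classes


def resolve(name, attrs):
    """Effective attribute type: SYNTAX, EQUALITY and SINGLE-VALUE inherited along the SUP chain."""
    cur = attrs.get(name.lower())
    if cur is None:
        raise ValueError(f"attribute {name!r} is not defined")
    eff, chain = dict(cur), set()
    while "SUP" in cur:
        chain.add(cur["NAME"].lower())
        nxt = attrs.get(cur["SUP"].lower())
        if nxt is None:
            raise ValueError(f"attribute {cur['NAME']!r}: SUP {cur['SUP']!r} is not defined")
        if nxt["NAME"].lower() in chain:
            raise ValueError(f"attribute {name!r}: SUP cycle through {nxt['NAME']!r}")
        cur = nxt
        for key in ("SYNTAX", "EQUALITY", "SINGLE-VALUE"):  # SINGLE-VALUE inheritance is an assumption
            if key in cur and key not in eff:
                eff[key] = cur[key]
    return eff


def check(attrs, classes):
    """Dangling SUPs, SUP cycles, and MUST/MAY entries that the schema never defines."""
    problems = []
    for a in attrs.values():
        try:
            resolve(a["NAME"], attrs)
        except ValueError as e:
            problems.append(str(e))
    for c in classes.values():
        for kind in ("MUST", "MAY"):
            for n in c.get(kind, []):
                if n.lower() not in attrs and n.lower() not in CORE_ATTRIBUTES:
                    problems.append(f"objectclass {c['NAME']!r}: {kind} attribute {n!r} is not defined")
    return problems


if __name__ == "__main__":
    a, c = parse_schema(SAMPLE_SCHEMA)
    print(resolve("gcdUserPassword", a), *check(a, c), sep="\n")
```

Run as a script it prints the resolved `gcdUserPassword` definition followed by the two findings; on a real generated file, pass the file's contents to `parse_schema` instead of `SAMPLE_SCHEMA`. Names are compared case-insensitively, and attribute types and object classes are kept in separate dictionaries because the schema above uses the same name for both kinds (`gcdBoolean`, `gcdString`, `gcdInteger` and so on).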
Attribute | Description |
---|---|
mapping-mode | Mode of the operation: perform schema-level mapping only, or both schema-level and node-level mapping. |
ulr | LDAP server URL. The URL format is dictated by the JNDI interface and looks like this: protocol://host-name[:port]/ldap-root Where: |
principal | The identity information used to authenticate to the LDAP server. |
credentials | The password. |
mapping-destination | The LDAP node where the resulting mapping can be stored. If the node does not exist, it will be created. |
mapping-attribute | The name of the attribute in which the mapping will be stored. |
mapping-object-class | Object class name of the LDAP node where the mapping will be stored. |
ldap-schema-header | The content of this attribute is used during generation of the LDAP schema file. It is written at the beginning of the generated file as is, without changes. Its main purpose is to provide the definitions of the LDAP attributes used by the rest of the generated schema. |
Attribute | Description |
---|---|
ldap | LDAP object class name. |
p2j | P2J object class name. |
Attribute | Description |
---|---|
ldap | LDAP object class attribute name. |
p2j | P2J object class attribute name. |
Attribute | Description |
---|---|
ldap | LDAP node full name. The name may end with an asterisk (*); in that case the entire subtree is scanned recursively and mapped into the appropriate P2J subtree automatically. |
p2j | P2J node name. |
Parameter | Description |
---|---|
<source_map.xml> | Source configuration/mapping file |
-o <output_map.xml> | Name of the output file in which the generated mapping will be stored |
-u | Write the mapping into the LDAP directory instead of a file |
-s <ldap.schema> | Generate the LDAP schema file |
Menu item key and parameters | Menu item text | Detailed description |
---|---|---|
. | Print menu | Just print the menu. |
b <node> | Open batch for node | Opens a batch editing session for node <node>. If no node name is given after the space, the batch is opened for the root node. Upon successful start of the batch editing session the utility automatically opens the Node Level Menu for node <node>. |
b | Back to batch node | Switches back to the Node Level Menu if a batch editing session is already open. |
c | Commit batch | Commits the active editing session and updates the directory with the collected changes. Regardless of the result (success or failure), the current batch editing session is closed. |
r | Rollback batch | Rolls back the active editing session and discards the collected changes. Regardless of the result of the operation, the current batch editing session is closed. |
q | Quit | Quit the application. If there is an active editing session, quitting is not allowed; the changes must be committed or rolled back first. |
Menu item key and parameters | Menu item text | Detailed description |
---|---|---|
. | Print menu | Just print the menu. |
l | List attributes and nodes | Print a detailed list of the node's attributes and child nodes. |
t | List attribute definitions | Print the definitions of all attributes defined for the object class of the current node. |
E <node> | Edit node | Open the Node Level Menu for child node <node>. The new node path is the current node path with <node> appended, which allows descending through the hierarchy of nodes. |
C <node> [<class>] | Create child node | Create child node <node> of class <class>. If <class> is omitted, it is requested separately. If the object class defines attributes, an interactive dialogue with the user is started: values are requested for all mandatory attributes, after which the user can add values to the attributes (both mandatory and optional ones). |
D <node> | Delete child node | Remove node <node>. |
M <node1> <node2> | Move node | Move <node1> to <node2>. <node1> is always taken relative to the current location. <node2> can be an absolute node name or a node name relative to the current location: if its first character is a slash, an absolute path is assumed. |
e <attribute> | Edit node attribute | Opens the Attribute Level Menu for attribute <attribute> of the current node. |
c <attribute> | Create node attribute | Creates the attribute, or adds a new value to an existing multi-valued attribute. |
d <attribute> | Delete node attribute | Removes attribute <attribute>. |
q | Quit | Return to the previous menu. If the current menu was entered from the Top Level Menu, control returns to the Top Level Menu; if it was entered from the Node Level Menu of the parent node, control returns to that menu. |
Menu item key and parameters | Menu item text | Detailed description |
---|---|---|
. | Print menu | Just print the menu. |
l | List values | List all values of the attribute. |
e <n> | Edit value n | Change value <n> of the attribute. |
d <n> | Delete value n | Delete value <n> from the attribute. |
a | Add new value | Add a new value to the attribute. |
q | Quit | Return to the Node Level Menu. |