作者:gnuhpc
出处:http://www.cnblogs.com/gnuhpc/
每个目录入口都有一组与其object class相伴的属性。IBM TDS将数据表示为名字-值这样的对儿,一个描述性属性,比如commonName(cn),或一个特定的信息,比如John Doe这个名字。这里的属性是与Object Class相同级别的属性,不是Object Class的属性。
IBMAttributeTypes属性用来描述LDAP V3标准上关于属性中没有涉及到的schema信息。它的语法如下:
IBMAttributeTypesDescription = "(" whsp
numericoid whsp
[ "DBNAME" qdescrs ] ; at most 2 names (table, column)
[ "ACCESS-CLASS" whsp IBMAccessClass whsp ]
[ "LENGTH" wlen whsp ] ; maximum length of attribute
[ "EQUALITY" whsp ] ; create index for matching rule
[ "ORDERING" whsp ] ; create index for matching rule
[ "APPROX" whsp ] ; create index for matching rule
[ "SUBSTR" whsp ] ; create index for matching rule
[ "REVERSE" whsp ] ; reverse index for substring
[ "ENCRYPT" whsp scheme whsp ] ; encryption scheme
[ "SECURE-CONNECTION-ONLY" whsp ] ; secure connection required
[ "RETURN-VALUE whsp returnValue whsp ]; value to be returned
[ "NONMATCHABLE whsp ] ; ; attribute can only be used in existence filters
whsp ")"
scheme =
"SSHA" /
"AES-128" /
"AES-192" /
"AES-256"
returnValue =
"encrypted" /
"type-only"
IBMAccessClass =
"NORMAL" / ; this is the default
"SENSITIVE" /
"CRITICAL" /
"RESTRICTED" /
"SYSTEM" /
Numericoid是用来在IBMAttributeTypes进行属性类型和值的关联的。
DBNAME:你最多指定两个名字,第一个名字是使用个这个属性的表的名称,第二个是在这个表中被完全正常化的值所在的列的名字。若只提供一个,则就是表同时也是列的名字。
ACCESS-CLASS:属性要求相似的访问权限都在class中被整合。IBM有五种属性class被用来评估用户权限,normal, sensitive, critical, system, restricted,这个字段被置空代表默认。
LENGTH:属性的最大长度,由bytes计数,
EQUALITY, ORDERING, APPROX, SUBSTR, REVERSE:若这些属性被使用了,那么一个index就会被建立。
查看属性:
idsldapsearch -b cn=schema -s base objectclass=* attributeTypes IBMAttributeTypes
增加属性:
idsldapmodify -D <admindn> -w <adminpw> -i myschema.ldif
myschema.ldif文件举例如下:
dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( myAttribute-oid NAME ( 'myAttribute' )
DESC 'An attribute I defined for my LDAP application'
EQUALITY 2.5.13.2 SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
{200} USAGE userApplications )
-
add: ibmattributetypes
ibmattributetypes: ( myAttribute-oid DBNAME ( 'myAttrTable' 'myAttrColumn' )
ACCESS-CLASS normal LENGTH 200 )
修改属性:
idsldapmodify -D <admindn> -w <adminpw> -i myschemachange.ldif
myschemachange.ldif文件内容形如:
dn: cn=schema
changetype: modify
replace: attributetypes
attributetypes: ( myAttribute-oid NAME ( 'myAttribute' ) DESC 'An attribute
I defined for my LDAP application' EQUALITY 2.5.13.2
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 {200} USAGE userApplications )
-
replace: ibmattributetypes
ibmattributetypes: ( myAttribute-oid DBNAME ( 'myAttrTable' 'myAttrColumn' )
ACCESS-CLASS normal LENGTH 200 EQUALITY SUBSTR )
复制一个属性:
先要看一下schema中的属性
idsldapsearch -b cn=schema -s base objectclass=* attributeTypes IBMAttributeTypes
选择你要复制的属性进行复制:
idsldapmodify -D <admindn> -w <adminpw> -i <filename>
<filename>形如:
dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( <mynewattribute-oid> NAME '<mynewattribute>' DESC '<A new
attribute I copied for my LDAP application> EQUALITY 2.5.13.2
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 {200} USAGE userApplications )
-
add: ibmattributetypes
ibmattributetypes: ( myAttribute-oid DBNAME ( 'myAttrTable' 'myAttrColumn' )
ACCESS-CLASS normal LENGTH 200 )
删除一个属性:
idsldapmodify -D <admindn> -w <adminpw> -i myschemadelete.ldif
myschemadelete.ldif文件形如:
dn: cn=schema
changetype: modify
delete: attributetypes
attributetypes: ( myAttribute-oid )
-
delete: ibmattributetypes
ibmattributetypes: ( myAttribute-oid )
加密一个属性:
ldapmodify –D <admindn> –w <adminpw>
dn: cn=schema
changetype: modify
replace: attributetypes
attributetypes:( 0.9.2342.19200300.100.1.1 NAME 'uid' DESC 'Typically a user shortname or userid.'
EQUALITY 1.3.6.1.4.1.1466.109.114.2 ORDERING 2.5.13.3 SUBSTR 2.5.13.4
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 USAGE userApplications )
-
replace: IBMAttributetypes
IBMAttributetypes:( 0.9.2342.19200300.100.1.1 DBNAME( 'uid' 'uid' )
ACCESS-CLASS normal LENGTH 256 EQUALITY ORDERING SUBSTR APPROX
ENCRYPT AES256 SECURE-CONNECTION-REQUIRED RETURN-VALUE encrypted))
管理唯一属性
唯一属性确保了一个特定的属性在一个目录中总有唯一一个值。这种属性只能在两个入口中指定:cn=uniqueattributes,cn=localhost 和 cn=uniqueattributes,cn=IBMpolicies.
注意:Binary attributes, operational attributes, configuration attributes,和 the
objectclass attribute不能被指定为唯一属性。
创建唯一属性:
idsldapmodify -D <admindn> -w <adminpw> -i <filename>
文件中格式形如:
dn: cn=uniqueattributes,cn=localhost
changetype: add
ibm-UniqueAttributeTypes: sn
objectclass: top
objectclass: ibm-UniqueAttributes
要添加额外的属性:
idsldapmodify -D <admindn> -w <adminpw> -i <filename>
文件格式形如:
dn: cn=uniqueattributes,cn=localhost
cn: uniqueattributes
changetype: modify
add: ibm-UniqueAttributeTypes
ibm-UniqueAttributeTypes: AIXAdminUserId
-
add: ibm-UniqueAttributeTypes
ibm-UniqueAttributeTypes: adminGroupNames
删除一个唯一属性:
idsldapmodify -D <admindn> -w <adminpw> -i <filename>
dn: cn=uniqueattributes,cn=localhost
changetype: modify
cn: uniqueattributes
ibm-UniqueAttributeTypes: AIXAdminUserId