OpenLDAP XMA - Using an anchor attribute that is not the DN

    ILM Knowledge Bit

    The OpenLDAP XMA that is available for download from sourceforge gives you a very robust Extensible Management Agent, allowing ILM (and FIM) to interact with many types of LDAP-compliant directory servers.

    One problem with the XMA as published is the way it handles anchor attributes: the as-is code assumes that the anchor attribute is each object's DN, which in practice is often not true. For example, for Active Directory Domain Services the real anchor is the objectGUID attribute, and for OID (Oracle Internet Directory) the real anchor is the orclGUID attribute. These are generally operational (system) attributes, generated by the LDAP-compliant server itself rather than supplied by the client. More background on how ILM supports connected directories that generate their own anchor and that are managed through an Extensible Management Agent can be found in this Knowledge Bit.

    A problem that arises when you don't work with the correct anchor attribute is that you won't be able to rename objects: with the default configuration, ILM assumes the anchor is the DN of the object, and an anchor cannot be modified. Obviously, there are many situations in which you will want to modify the DN of an object.

    As it turns out, only a small change is required to support proper renaming (that is, to use a correct anchor attribute). The code presented below allows renaming and implements the correct anchor when connecting to OID (so you'll need to adapt it to support a different LDAP server). It is of course possible to generalize and improve the code and discover the correct anchor much the same way the OpenLDAP XMA package discovers the schema of the connected directory on the fly.

    In the OpenLDAPUtils.cs source file, you'll find a function called ExportEntry. To support OID, you will want to update the ModificationType.Add case with the following code (the added code is the block between the #region and #endregion markers):

              // "Add" ModificationType
              case ModificationType.Add:
                // create a request to add the new object
                AddRequest AddRequest = new AddRequest(csentry.DN.ToString());
                // Loop through the attributes in the csentry
                // add each attribute to the add request
                foreach (string Attr in csentry)
                {
                  if (csentry[Attr].IsPresent)
                  {
                    Da = new DirectoryAttribute(Attr);
                    // Loop through the attribute values
                    // Add them to the directoryAttribute values
                    foreach (Value val in csentry[Attr].Values)
                      Da.Add(val.ToString());
                    AddRequest.Attributes.Add(Da);
                  }
                }
                // Add the objectClass attribute
                Da = new DirectoryAttribute("objectclass");
                foreach (Microsoft.MetadirectoryServices.Value oc in csentry.ObjectClass)
                  Da.Add(oc.ToString());
                AddRequest.Attributes.Add(Da);
                // Send the request through the connection
                m_Ldap.SendRequest(AddRequest);
                #region // OID - get the orclGUID to define the anchor
                // Read the server-generated orclGUID back from the entry just created
                // (base-scope search on its DN) and hand it to ILM as the anchor value.
                string[] ReturnAttributes = new string[] { "orclGUID" };
                SearchRequest Req = new SearchRequest(csentry.DN.ToString(), "(objectclass=*)", SearchScope.Base, ReturnAttributes);
                SearchResponse Resp = (SearchResponse)m_Ldap.SendRequest(Req);
                foreach (DirectoryAttribute da in Resp.Entries[0].Attributes.Values)
                {
                  if (da.Name.ToLower() == "orclguid")
                  {
                    // SortedList requires "using System.Collections;"
                    SortedList orderedValues = new SortedList();
                    foreach (string val in da.GetValues(typeof(string)))
                      orderedValues.Add(val.ToString(), val.ToString());
                    // Setting the anchor attribute on the csentry lets ILM store it as the anchor
                    csentry["orclGUID"].Value = orderedValues.GetByIndex(0).ToString();
                  }
                }
                #endregion // OID - get the orclGUID to define the anchor
                break;

    By implementing the code presented above and recompiling the XMA, the agent will handle OID anchors correctly and allow proper renaming of objects.

    This code was tested on version 1.1 of the OpenLDAP XMA package found on sourceforge. The latest beta, which supports FIM 2010 as well as ILM 2007, already contains code to handle anchor attributes.

    One final note: if you never need to rename the DN of an object, then you won't need to apply this change to your source.
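    As an added illustration of the generalization mentioned above (this is not code from the OpenLDAP XMA package or its author), the following hypothetical helper reads back whichever server-generated anchor the directory exposes on a newly added entry, probing objectGUID (Active Directory), orclGUID (OID) and entryUUID (OpenLDAP, RFC 4530) in a single base-scope search. The helper's name, the candidate list and the byte[]-to-GUID rendering are assumptions; it uses only System.DirectoryServices.Protocols.

```csharp
using System;
using System.DirectoryServices.Protocols;
using System.Text;

// Hypothetical helper (not part of the OpenLDAP XMA): after an AddRequest succeeds,
// read back whichever server-generated anchor attribute the directory exposes.
static class AnchorDiscovery
{
    // Assumed candidate anchors, by directory type. Operational attributes such as
    // entryUUID are only returned when requested explicitly, which this search does.
    static readonly string[] CandidateAnchors = { "objectGUID", "orclGUID", "entryUUID" };

    public static bool TryReadGeneratedAnchor(LdapConnection conn, string dn,
                                              out string anchorName, out string anchorValue)
    {
        anchorName = null;
        anchorValue = null;

        // Base-scope search on the new entry's DN, asking only for the candidates.
        SearchRequest req = new SearchRequest(dn, "(objectclass=*)", SearchScope.Base, CandidateAnchors);
        SearchResponse resp = (SearchResponse)conn.SendRequest(req);
        if (resp.Entries.Count == 0)
            return false;

        SearchResultAttributeCollection attrs = resp.Entries[0].Attributes;
        foreach (string candidate in CandidateAnchors)
        {
            // LDAP attribute names are case-insensitive; the collection honours that.
            if (!attrs.Contains(candidate) || attrs[candidate].Count == 0)
                continue;

            // Always fetch raw bytes so the result does not depend on whether the
            // value happens to decode as UTF-8 (objectGUID is 16 random bytes).
            byte[] raw = (byte[])attrs[candidate].GetValues(typeof(byte[]))[0];
            anchorValue = (candidate == "objectGUID" && raw.Length == 16)
                ? new Guid(raw).ToString()          // stable textual form for ILM/FIM
                : Encoding.UTF8.GetString(raw);     // orclGUID / entryUUID are text
            anchorName = candidate;
            return true;
        }
        return false;   // no known server-generated anchor on this directory
    }
}
```

    In ExportEntry you would then set csentry[anchorName].Value = anchorValue after the add, exactly as the OID snippet does for orclGUID, so that ILM stores the server-generated value as the anchor and the DN remains free to change.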

      Go to the ILM Knowledge Bit Collection

    Monday, November 8, 2010 3:29 PM