Directory Development Fundamentals

About This Presentation

Title:

Directory Development Fundamentals

Description:

Operations you want to perform on eDirectory Your preferred programming language Protocol preference LDAP NDAP HTTP Novell LDAP Developer s Guide To Learn More ... – PowerPoint PPT presentation

Number of Views:283

Avg rating:3.0/5.0

Slides: 107

Provided by: NovellE6

Category:

more less

Transcript and Presenter's Notes

Title: Directory Development Fundamentals

1
Directory Development Fundamentals

Ed Shropshire
NDS Partner Programs
Novell, Inc.
eshropshire_at_novell.com

Visionone Net
A world where networks of all typescorporate
and public, intranets, extranets, and the
Internetwork together as one Net and securely
connect employees, customers, suppliers, and
partners across organizational boundaries
Mission
To solve complex business and technical
challenges with Net business solutions that
enable people, processes, and systems to work
together and our customers to profit from the
opportunities of a networked world

3
(No Transcript)
4
Deployed Versions Novell eDirectory and Novell
Directory Services (NDS)
Product Version Build Version Platforms
NetWare 5.1 SP4 (NDS 7) DS.nlm v7.57 NetWare 5.1
NetWare 5.1 SP 4 (NDS 8) DS.nlm v8.79 NetWare 5.1
eDirectory 8 DS.nlm DS.dlm v8.79 NetWare 5.0,Win NT/2K
eDirectory 8.5.x DS v85.23 NetWare 5.x,Win,Solaris
NetWare 6 (eDirectory 8.6) DS.nlm v10110.20 NetWare 6
eDirectory 8.6.1 DS v10210.43 NW 5.1,NW 6,Win,Solaris,Linux
NetWare 6 SP1 (eDirectory 8.6.2) DS.nlm v10310.17 NetWare 6
eDirectory 8.6.2 DS v103xx.xx NW 5.1,NW 6,Win,Solaris,Linux
eDirectory 8.7 DS v10410.xx NW 5.1,NW 6,Win,Solaris,Linux,AIX
5
Differences Between eDirectory and NDS
NDS
eDirectory
NOS directory focused on managing NetWare
servers
A cross-platform, scalable, standards-based
directory used for managing identities that
span all aspects of the networkeDirectory is
the foundation for eBusiness
NetWare 5
NetWare
NetWare 6
6
Novell one Net and eBusiness Vision
Novell provides Net services software that gives
organizations the ability to simplify the
complexities of the Net, securely extend and
integrate networks and applications between
companies and accelerate eBusiness transformations
NET Services
Novell eDirectory

NW
7
Whats New with Novell eDirectory

Novell eDirectory 8.6.1 and 8.7
Product of the YearNetwork Magazine
The NameNovell eDirectory
SunTone Certification
Partner Redistribution Program
Free eDirectory for Developers
LDAPZone
AIX
LDAP 2000 Server Brand
LDAP Java SDK
LDAP Java Beans

8
Novell eDirectory Partner Redistribution Kit
Program

Get started
Download unlimited eDirectory licenses for
development purposesvisit developer.novell.com/eD
irectory/download.htm
Get profitable
Offer commercial solutions that include FREE
250,000 user versions of eDirectory
Save each application customer up to a
half-million US dollars in up-front licensing
costs
Visit developer.novell.com/eDirectory

9
Novell eDirectory Partner Redistribution Kit
Program

OEMs/ISVs can (AT NO COST)
Distribute 250,000 eDirectory user versions with
each copy of their shipping products
Distribute full-featured versions of eDirectory
to an unlimited number of application customers
Distribute the latest Multi-OS version of
eDirectoryWindows, Sun Solaris, Linux,
NetWare, and IBM AIX (future)
Increase software/hardware/server sales
Rely on proven embedded technology
Build competitive advantage with added services
and lower up-front deployment costs

10
LDAPzone.com

Why LDAPzone?
Comprehensive
Resources and information on everything LDAP
Community
Share ideas, sample code, forums, tips and tricks
Directions
The latest LDAP news, updates and developments

www.ldapzone.com
11
Novell Developer Offerings

Support options
What can you get if you pay
Benefits 24 hour turnaround
Developer labs
Priority support
Dedicated support contacts
Certification
Solutions search
Developer labs
Developer training

12
Novell eDirectory Architecture
DirXML
OnDemandSM
SSO
iChain
eDirectory Management Framework
LDAP
NDAP
System Abstraction Layer (SAL)
Access
Utilities Repair Merge Backup
Schema
Maintenance
Security
iManage
AIX
Replication
iMonitor
???
iInstall
Storage Management Interface (SMI)
Database
eGuide
13
Net Directory Service Solutions

eDirectory
Novell Account Management
Novell Authentication Services

14
168 Applications Before Zero-Day Start
15
One Net Simplifies Business Processes
SSL
XML
IP
LDAP
16
Enlightened Workforce (Intelligent Portal)
17
The Three Views Novell eDirectory

Lets take a look at it from a different
perspective

18
What Makes It Different?

Extensible schema
Inherited rights
Multi-master replication
Filtered replica
Referential integrity
Scalable data store
Multi-protocol support (discoveryaccess
protocols)
Multi-authentication support
Developer interfaces
Platform support

19
eDirectory Features
Feature details
Filtered replica A new replica type that enables
flexible control of whats replicated Down to the
attribute level
LDAP Support LDAP v3 support including
SSL OpenLDAP SDK Improved search speed
Improved administration tools Monitoring and
repair tools in ConsoleOne ICE
(Import/Convert/Export) utility iMonitor utility
ADSI Provider Translates ADSI calls into
LDAP Apps developed to ADSI are fully supported
DirXML Support Provides foundation for
integrating network information for any system,
application, device, etc.
Cross-platform support Already runs on NetWare,
NT 4, Linux, Windows 2000 and Solaris Looking at
other UNIX and mainframe platforms (e.g AIX)
20
What is LDAP?
LDAP began life as an attempt to simplify access
to x.500 (DAP) directories, thus the name
Lightweight Directory Access Protocol

A standardized protocol for accessing X.500
directories
A version of DAP that contains less code than
DAP
An enabled client with TCP/IP access to X.500
directories
Lightweight means you dont have to manage all of
the connection overhead in your application
Lightweight doesnt mean limited access
functionality
LDAP is a client-server protocol

21
Technical LDAP Benefits

Applications can be directory-neutral
Directories can be interchanged
Note All directories are not equal

22
Overview

LDAP is a client/server access protocol
LDAP also describes a data model (ACI, Schema,
Replication)
LDAP is controlled by the IETF community
LDAP certifications
Works with LDAP (for applications) and LDAP 2000
(for servers)
Novell is a founding member of the
Interoperability Forum/Open Group

23
One Net and LDAP

Current widespread standard for access to
directory information
Core protocol used by Net services software

24
Novell eDirectory SDK

Everything to integrate with eDirectory
Libraries, tools, sample code, and documentation
Platforms (server and workstation)
NetWare
Windows 2000
NT
Windows 95/98
Solaris, Linux
http//developer.novell.com/ndk/ndssdk.htm

25
(No Transcript)
26
(No Transcript)
27
(No Transcript)
28
(No Transcript)
29
Novell ODBC Driver for eDirectory

ODBC driver specifically designed to query and
retrieve eDirectory data
Supports standard SQL statements
Makes reporting and retrieving data quick and
easy
Abstracts the directory tree into accessible
relational database tables
Hides the complexity of the underlying directory
syntax

30
How ODBC Maps eDirectory Data

Mapping eDirectory data to relational tables
eDirectory hierarchical directory data is mapped
to a flattened relational database table
eDirectory object classes correspond to the
tables
eDirectory class attributes correspond to columns
of the table
Entries correspond to rows of the table

31
Troubleshooting Novell ODBC Driver

Common problems
Insufficient resources
Select fewer attributes or specify the attributes
rather than using a wildcard to include all
attributes
Examine the attributes you select to ensure that
only a few of them are multi-valued
Restrict the number of objects selected by
specifying only one container
eDirectory rights
SQL statement errors
Use the correct table and column names in SQL
statements
Read-only access to eDirectory

32
(No Transcript)
33
Novell eDirectory LDAP Compliance

Novell LDAP SDKs fully implement
IETF draft for C Interface
draft-ietf-ldapext-c-api-05.txt
IEFT draft for Java Interface
draft-ietf-ldapext-java-api-13.txt
eDirectory supports all LDAP version 3 required
functionality
IETF RFCs 2247, 2251, 2252, 2253, 2254, 2255 and
2256
eDirectory also supports most optional
functionality

34
More About LDAP

Users given server view vs. a tree view
LDAP uses UTF-8 encoding of character strings
Allowing strings of any language to be used in
the API
LDAP servers listen on two TCP/IP ports
389Provides clear text connections
636Secure connections using SSL
An LDAP bind (connection) is an eDirectory login
LDAP requires that individual users have
passwords
No password is interpreted as an anonymous bind
Specifies no file access mechanisms
Novell eDirectory event mechanism coming soon

35
Novell Extensions to LDAP

Novell LDAP extensions
Partitionssplit, join, get number of entries,
abort operation
Replicasadd, remove, change type, list on
server, return information
Replica synchronizationto a specified server, to
all replicas, at a specified time
Schema synchronization
Get effective eDirectory rights for attributes
Get DN of logged-in caller
Restart the LDAP server

36
(No Transcript)
37
LDAP Class Libraries for Java

Now available on the Novell Developer Kit (NDK)
Conforms to the IETF LDAP Java interface
Socket, threads, queues, connection manager
Referrals
Schema management
Security SSL and SASL
Extensions and controls
Exposes additional classes and methods
ASN.1/BER Protocol Methods (APIs)

38
Benefits of LDAP Libraries for Java

Classes and methods reflect LDAP protocol
Small footprint
Easy to learn and use
Synchronous and asynchronous interfaces
Pure Java solution
Extensions for eDirectory management
Tuned and tested with eDirectory
Works with other LDAP-aware directories
SSL secured through Novell Security Technologies
Open Source available on the OpenLDAP Site
www.openldap.org

39
(No Transcript)
40
What is JNDI?

Java Naming and Directory Interface (JNDI)
An addition to JavaSofts enterprise API set
Object-oriented look and feel
Abstracted view
Naming-system neutral, enabling many different
service providers to be accessed via the same
interface
Promotes interaction between naming systems
Provider issues tend to show through
Providers may or may not be pure Java
Platform support is provider-dependent
Providers tend to be vendor-specific

41
(No Transcript)
42
Use Novell LDAP Libraries for C

Use the Novell LDAP Libraries for C vs. other
SDKs
Extensions for eDirectory management
Tuned and tested for eDirectory
Works with other LDAP-aware directories
Available on NetWare, Windows, UNIX
Supported by Novell Worldwide Developer Support
Internationalized and localized
SSL-secured through Novell Security Technologies
LDAP Libraries for C Open Source
Novell LDAP Libraries for C leverage
www.OpenLDAP.org

43
(No Transcript)
44
Novell JDBC Driver for eDirectory

Conforms to the JDBC specification
Requires the JNDI LDAP service provider for
eDirectory
Supports standard SQL statements
Abstracts the directory tree into accessible
relational database tables
Hides the complexity of the underlying directory
syntax
Provides read only access of eDirectory

45
(No Transcript)
46
Novell Controls for ActiveX

Application Administration (NWAppA)
Bindery (NWBind)
Browser (NWBrowse)
Catalog Administration (NWCatA)
Client and Server Socket (NWCliSkt and NWSvrSkt)
Directory (NWDir)
Directory Administration (NWDirA)
Directory Authenticator (NWDirAuth)
Directory Query (NWDirQ)
Internet Directory (NWIDir)
Internet Directory Query (NWIDirQ)

Internet Directory Entries (NWIDirE)
NDPS Printer Administration (NWDPPrtA)
Network Selector (NWSelect)
Peer Socket (NWPrSkt)
Print Queue Administration (NWPQA)
Print Server Administration (NWPSA)
SecretStore (NWSecStr)
Server Administration (NWSrvA)
Session Management (NWSess)
User Group (NWUsrGrp)
Volume Administration (NWVolA)

47
(No Transcript)
48
Beans for Novell eDirectory

eCommerce LDAP beans
Components for integrating web applications with
LDAP directories
Enabling authentication
Read/write directory access
Contextless login
SSL security
NDS bean
Enables access to and manipulation of eDirectory
entries
Dependent upon the Novell class libraries for
Java
Requires the Novell Client

49
Scripting Options

Third Party Scripting Options
Perl
Python
PHP
Visit LDAPZone for a complete list and
optionswww.LDAPZone.com

50
Supercharge Your Web Applications with Novell
eDirectory

Realize the benefit of using Novell eDirectory to
personalize web server applications
The objective of this seminar is to provide ideas
and examples that will assist you in developing
and deploying more powerful and flexible
web-based applications

51
Why Tie Web Applicationsto Novell eDirectory?

Enhance and strengthen business relationships
Allowing secure access to information and
applications
Provide the ability to simply and securely
provide access to personalized and sensitive
information
This may be the difference between gaining or
disappointing a customer or partner

52
Use Novell eDirectory to

Store identity profiles
Control data access
Maintain customer identity relationships
Manage user security
Manage data at the network level
Abstract service locations
Increase throughput

53
HTTP is Stateless

To enable session tracking, utilize
Realms
Browser passes user and password with each
request
Hidden form fields
Hidden input types that are not displayed when
read by the browser
Cookies
Keyed piece of data created by the server and
stored by the client browser
URL rewriting
Requested URL is modified to include a session ID
Servlet HTTPsession objects
Enables name/value pairs to be stored per session

54
Use Novell eDirectory to Track Sessions

Take advantage of GUIDs
Identify who is accessing the site
GUIDs eliminate the need to store personal data
GUIDs are globally unique across all trees and
servers
eDirectory automatically creates a GUID for each
new entry
GUIDs do not change throughout life of object
Administrators may want to create an index on
GUID to enhance response time
Operational Attribute

Globally Unique Identifiers
55
Use Novell eDirectory to Personalizethe User
Experience

Case example (CNN)
Provides worldwide news, sports, financial data
and other information
Customized and personalized advertising and
content using the GUID as a cookie
Customization is transparent to the user

56
CNN eDirectoryArchitecture
(ad-injection)
Netscape web servers on Solaris (CNN Web Farm)
(Cookie)
HTTP
LDAP Client
Internal Firewall

eDirectory on NetWare and Solaris
Development Servers
- Compaq 1850R
- 2GB RAM/72GB RAID 0
1 Intel Pro/100 Server Adapter
SUN Sparc U60
Solaris 2.6

eDirectory on NetWare 5 Load Directory Servers
Compaq 6400R
- 2GB RAM/72GB RAID 0
1 Intel Pro/100 Server Adapter

eDirectory on NetWare 5
Staging Server
- Compaq 1850R
2GB RAM/72GB RAID 0
- 1 Intel Pro/100 Server Adapter

57
Tune Your Application and eDirectory to Achieve
High Throughput

Filter the scope of data searches
Create well-formed schema extensions
Tune eDirectory
Tune memory/cache
Use proper tree design
Co-locate servers
Distributed nature of eDirectory gives better
throughput
Utilize filtered replicas
Index on critical attributes

58
Directory Services and Databases

Lets look at the strengths and weaknesses of
both
When are they exclusive of each other?
When do they compliment each other?
The whys and wherefores

59
Directory Services and Databases (cont.)

Directory Service Strengths
Fast on the read
Distributed
Object-oriented
Hierarchical
Standardized schema
Replication
Attributes can be multi-valued

Relational Database Strengths
Designed to handle transactions
Schema tuned for exact application needs
Can be modeled to handle very complex needs
Data integrity built in
Management of data failures

60
When to Use What??

Each has its own best use
Directories are used most often for
Authentication
Authorization
Personalization
RDBMSs used most often for
Transaction processing
Highly volatile data
Very complex data requirements
Examples of each usage

61
Making the Choice

Frequency of data modifications
Primary data requirements
Security
Flexibility
Model the data needs
Determine transactional requirements

62
What Is So Important About Schema?

It sets some structure
Provides a framework
Identifies syntax
SchemaData Dictionary

63
What Is in the Schema?

Object classes
Attributes types
Syntaxes
Matching rules
Naming and containment rules

64
eDirectory Has an Extensible Schema

You can extend the schema, you do not change the
schema
Create new classes
Add optional attributes
Use auxiliary classes
Delete non-base classes that do not have any
object instantiated
Delete attributes that are not used in any
classes
Schema extensions do not impact directory
performance

65
Extension Options

You can make extensions programmatically or by
using an LDIF file with the ldapmodify utility
Programmatically
Easier to control
Not as many files
LDIF
No need to recompile changes
Easy to run multiple

66
New Schema Recommendations

Determine exact purpose of new classes and
attributes
Dont define anything for future use
Remember to include the domain containment
Understand any flags you use
Use auxiliary classes whenever possible
Dont add new attributes to existing classes if
possible
Reuse/extend existing schema definitions
If small, change to existing definition
Add your attributes first, then your classes

67
Syntaxes

Define what your data looks like
Not extensible
eDirectory supports LDAP equivalence of
eDirectory syntaxes
Recommendations
For readability limit use of octet string

68
Matching Rules

Equality
Defines how two values are compared
i.e., caseIgnoreMatch
Ordering
Used to determine if a value is greater or less
than another value
SUBSTR
Defines the way substring matches work

69
Attribute Types

Attribute type is a string value
containingvarious fields
What makes up an attribute
ASN.1 id - OID acts as an unique identifier
Human readable name
A description
Matching rules
Syntax
Flag
i.e., if attribute is single valued

70
Attribute Type Example

(2.5.4.20
NAME telephone number
DESC Standard Attribute
EQUALITY telephoneNumberMatch
SUBSTR telephoneNumberSubstringMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.5032 )
(2.5.4.28
NAME preferredDeliveryMethod
SYNTAX 1.3.6.1.4.1.1466.115.121.1.14
SINGLE-Value )

71
Attribute Types

MUSTMandatory Attributes
In LDAP these are referred to as MUST
When you create an object of this type, you must
populate these attributes
Cannot add MUST attributes once objects are
created from object class
MAYOptional Attributes
In LDAP these are referred to as MAY
eDirectory does not store these attributes with
an object unless they have a value
You can add more optional attributes to a class
after the class is created

72
LDAP Attribute Options

NO-USER-MODIFICATION
Equivalent to non-removable in eDirectory
SINGLE-VALUE
Default multi-valued
Upper Bound
Specified after syntax within

73
Operational Attributes

Standard
modifyTimeStamp
createTimeStamp
modifersName
creatorsName
subschemaSubEntry
eDirectory-Specific
structuralObjectClass (baseClass)
subordinateCount
entryFlags

74
Object Class Types

Structuraldefault
Used to create entries
Abstract
Building block class
Used for sub-classing
Auxiliary
Used to add attributes to existing entries
If type is not specified, default will be
structural

75
Object Class Definition

ASN.1 id - Object ID (OID)
Human readable name
List of superior object classes
Identifier
List of required (MUST) attributes
List of optional (MAY) attributes

76
Example of Object Class Definition

(2.5.6.6
NAME person
SUP top
Structural
MUST ( sn cn)
MAY ( userPassword telephoneNumber seeAlso
description ) )

77
Defining a New Object Class SUPInheritance

This is the class you inherit from
Your class automatically gets attributes from the
parent, as well as any additional that you
specify
Multiple levels of inheritance is possible
You can add superclasses starting in eDirectory
8.5

78
Naming

The naming list specifies which attributes which
can be used to name the object
Naming can be specified in LDAP with the
X-NDS_NAMING option
Naming attribute can be multi-valued
Complete control over how to name and access the
object
Defaults (if not supplied)
Inherit from superclass definition if possible
The combination of all string attributes in the
MUST and MAY lists

79
Naming (cont.)

Registered prefixes
Provide uniqueness
Distinguish your extensions
Available from Novell
LDAP mappings
Provide LDAP accessibility to eDirectory schema
Automatic from eDirectory on as long as you use
valid LDAP names
Can be set for non-compatible names

80
Containment

Containment identifies the other object types
which can contain this class
Note that this is not the container flag
If a class is a container, it can be defined to
be able to contain itself
Containment is now modifiable in eDirectory 8.5
You can add containment

81
Containment (cont.)

Containment can be specified in LDAP with the
X-NDS_CONTAINMENT option
The defaults if not supplied are
Inherit from Super Class definition, if possible
C, L, O, OU, and domain

82
Auxiliary Classes

Auxiliary (or aux) classes are a collection of
attributes
Aux classes are applied at the object level
Only the objects that need the attributes have
them
Doesnt change the object class definition

83
Using Auxiliary classes

Two steps
Modify the object class of an existing object to
include the aux class name
Write values to attributes as you would any other
attributes for that class
Easy to remove
Delete the aux class name from the objectClass
attribute
Noteauxiliary classes are available from
eDirectory 8 and beyond

84
X-NDS Class Options

The changes you can make to class definitions
using the X-NDS options are
Flags
X-NDS_NOT_CONTAINER
X-NDS_NONREMOVABLE
Containment
X-NDS_CONTAINMENT
Naming
X-NDS_NAMING
Mapping
X-NDS_NAME
All X-NDS options have default values

85
X-NDS Attribute Options

Most attribute options are flags
X-NDS_PUBLIC_READ
X-NDS_SERVER_READ
X-NDS_NEVER_SYNC
NDS per replica flag
X-NDS_NOT_SCHED_SYNC_IMMEDIATE
X-NDS_SCHED_SYNC_NEVER
X-NDS_NAME_VALUE_ACCESS
NDS write managed flag
One other attribute option
X-NDS_LOWER_BOUND

86
Schema Naming Recommendations

LDAP schema name valid character set
Alpha-numeric and dash
First character must be alpha
Nothing else
Name format
Lowercase prefix, followed by uppercase words
OldMYAPPNew Attribute Name
NewmyappNewAttributeName
Dont use delimiter characters

87
Schema Naming Recommendations

If you follow the naming rules, LDAP mappingfor
the names are not needed
If you havent followed rules in past (or
future), then mappings are needed for access to
schema items via LDAP
What are mappings, anyway?
Object Class objectClass

88
Schema Available Definitions

LDAP ships with a subset of inetOrgPerson mapped
to the eDirectory user class
Schema extensions are available for
Full inetOrgPerson mapped to eDirectory user
Full inetOrgPerson
residentialPerson
newPilotPerson
www.novell.com/products/nds/schema/index.html

89
ASN 1 OIDs and Prefixes

What is an OID?
Novells base OID 2.16.840.1.113719
joint-iso-ccitt(2) country(16) us(840)
organization(1) Novell(113719)
LDAP allows access via the OID
Be sure to have OIDs for your application
How do you use your allocated sub-arc?
2.16.840.1.113719.2.ltagt.4.ltxgt.ltvgt
2.16.840.1.113719.2.ltagt.6.ltxgt.ltvgt
ltagt is your assigned subarc value
ltxgt is the sequence number you assign
ltvgt is the version number you assign
Find out more about OIDs
www.alvestrand.no/harald/objectid/

90
ASN 1 OID Registration Sites

Find out more about OIDs
www.alvestrand.no/harald/objectid/
Sites to obtain OIDs
Novell Developer Support
developer.novell.com/
Will allocate and register a schema prefix for
you, and optionally allocate an OID sub-arc for
you
Internet Assigned Numbers Authority (IANA)
www.isi.edu/cgi-bin/iana/enterprise.pl

91
Sample Schema Output
This LDIF file was generated by Novell's ICE and
the LDIF destination handler. version 1 dn
cnschema changetype add ldapSyntaxes (
1.3.6.1.4.1.1466.115.121.1.1 X-NDS_SYNTAX '9'
) ldapSyntaxes ( 1.3.6.1.4.1.1466.115.121.1.2
X-NDS_SYNTAX '9' ) ldapSyntaxes (
2.16.840.1.113719.1.1.5.1.6 X-NDS_SYNTAX '6'
) objectClass top objectClass
subschema objectClasses ( 2.5.6.0 NAME 'top'
DESC 'Standard ObjectClass' STRUCTURAL MUST
objectClass MAY (cAPublicKey CAPrivateKey
certificateValidityInterval authorityRevocation
lastReferencedTime equivalentToMe ACL
backLink binderyProperty Obituary
Reference revision certificateRevocation
usedBy GUID otherGUID DirXML-Associations
creatorsName modifiersName
unknownBaseClass unknownAuxiliaryClass
auditFileLink masvProposedLabel
masvDefaultRange masvAuthorizedRange )
X-NDS_NAME 'Top' X-NDS_NONREMOVABLE '1'
) objectClasses ( 2.5.6.7 NAME
'organizationalPerson' DESC 'Standard
ObjectClass' SUP person STRUCTURAL MAY
(facsimileTelephoneNumber l eMailAddress ou
physicalDeliveryOfficeName postalAddress
postalCode postOfficeBox st street
title mailboxLocation mailboxID uid mail
employeeNumber destinationIndicator
internationaliSDNNumber preferredDeliveryMetho
d registeredAddress teletexTerminalIdentifier
telexNumber x121Address businessCategory
roomNumber x500UniqueIdentifier ) X-NDS_NAMING
('cn' 'ou' 'uid' ) X-NDS_CONTAINMENT
('organization' 'organizationalUnit 'domain' )
X-NDS_NAME 'Organizational Person'
X-NDS_NOT_CONTAINER '1' X-NDS_NONREMOVABLE '1'
) attributeTypes ( 2.5.18.1 NAME
'createTimeStamp' DESC 'Operational Attribute'
SINGLE-VALUE NO-USER-MODIFICATION SYNTAX
1.3.6.1.4.1.1466.115.121.1.24 ) attributeTypes (
2.5.4.3 NAME ( 'cn' 'commonName' ) DESC 'Standard
Attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
64 X-NDS_NAME 'CN' X-NDS_LOWER_BOUND '1')
92
Sample LDIF

dn cnschema
changetype modify
add attributetypes
attributetypes ( 2.16.840.1.113719.1.186.4.0
NAME 'aspenCourseName'
DESC 'The name of the course'
SYNTAX 1.3.6.1.4.1.1466.115.121.
1.15
SINGLE-VALUE
)
If not present, this creates testAttr1, then
adds a mapping to the just created or existing
Test Attr 1 attribute

93
LDIF File ExampleinetOrgPerson
Full definition of the standard inetOrgPerson
as a separate class version 1 Delete the
existing class mapping "inetOrgPerson gt User"
class to allow "inetOrgPerson gt
inetOrgPerson". dn cnschema changetype
modify delete objectclasses objectclasses (
2.16.840.1.113730.3.2.2 NAME 'inetOrgPerson'
X-NDS_NAME 'User') Add the inetOrgPerson object
class - 17 dn cnschema changetype modify add
objectclasses objectclasses ( 2.16.840.1.113730.3
.2.2 NAME 'inetOrgPerson' SUP organizationalPerson
MAY ( audio businessCategory carLicense
departmentNumber employeeNumber employeeType
givenName homePhone homePostalAddress
initials jpegPhoto labeledUri mail
manager mobile pager ldapPhoto
preferredLanguage roomNumber secretary uid
userCertificate userSMIMECertificate
x500UniqueIdentifier displayName )
X-NDS_CONTAINMENT ( 'country' 'locality'
'organizationalUnit' 'organization' 'domain' )
X-NDS_NAMING ( 'cn' 'uid' 'givenName' 'mail' 'sn'
) )
94
Schema Changes in eDirectory 8.5

Some attributes made public read, some made
multivalued
New classes defineddomain and ndsLoginProperties
Syntax changed on existing attributes
Several classes changed to be containers
Some changed to be effective or added domain
containment
O and OU added ndsLoginProperties
Device class now effective
Operational attributes
creatorsName
modifiersName
modifyTimeStamp
createTimeStamp

95
Schema Changes in eDirectory 8.6

Unlimited LDAP schema name sizeup to 63K long
(was previously 64 characters)
Ability to have more that 63K total worth of
schema name mappings (depending on size of names,
was limited to less than 2000 mappings)
Ability to save and retrieve the description
field from a schema definition
New schema definitions for dynamic groups and for
persistent search

96
Schema Changes in eDirectory 8.7
97
Informational Draft

LDAP Schema for eDirectory document
http//search.ietf.org/internet-drafts/

98
The Novell Import Convert Export Tool

Features
Client/server (remote) architecture
LDIF import
LDIF export
Data migration between LDAP servers
Efficient
Availability
Included with eDirectory 8.5
ConsoleOne snap-in
Included in Novell Developer Kit (NDK)in C
Libraries for LDAP
Command line only (developer use)

99
Architecture
100
ICE Engine

Orchestrates the interaction between source and
destination handler
Provides logging facility
Provides an error LDIF logging facility
Writes all records that fail to an output file in
LDIF format
Used to help debug import or export sessions
Can aid in dealing with rogue records

101
Currently Available Handlers

Source Handlers
LDIF
Reads in a LDIF data file
LDAP
Performs searches and retrieves LDAP data
Destination Handlers
LDIF
Writes to an LDIF data file
LDAP
Writes to an LDAP server
SupportsLBURP (up to 10 times faster adds),
forward references, hashed passwords, and more

102
What Handlers Are Comingin the Future?