The following sections describe the LDAP information structure: the elements of an LDAP directory and how they are structured. These sections describe the following basic LDAP concepts:
The basic information object of LDAP is the entry. An entry is composed of one or more attributes. Entries are subject to content rules defined by the directory schema (see "Schema").
Every node of an LDAP directory, not just the leaf nodes, is an entry. In the preceding figures, each item is an entry. For example, in the first diagram, both USA and Ferrari are entries. The USA entry's attributes could include a Language attribute, and the Ferrari entry could include an attribute naming the chief executive officer.
An LDAP directory entry consists of one or more attributes. Attributes have types and values. The type determines what information the values can contain and how the values are processed; for example, the type determines whether an attribute can have multiple values. The mail attribute type, which holds an e-mail address, is multivalued, so you can store multiple e-mail addresses for one person.
Some commonly used attribute types have short keyword type names. Often these correspond to longer type names, and the two names can be used interchangeably. The following table lists common attribute type keywords used in LDAP directories:
At the time this chapter was written, Netscape provided a list of standard Attribute names on its website, at:
http://developer.netscape.com/docs/manuals/directory/schema2/41/contents.htm
For more information, see "Attribute type".
An entry's distinguished name (DN) uniquely identifies it in the directory. A DN is made up of relative distinguished names (RDNs). An RDN identifies the entry among the children of its parent entry. For example, in the first figure in "About LDAP", the RDN for the Ferrari entry is "o=Ferrari".
An entry's DN consists of the entry's RDN followed by the DN of its parent. In other words, it consists of the RDNs of the entry and of each of its ancestors, up to the root of the directory tree. The RDNs are separated by commas and optional spaces. For example, in the first figure, the DN for the Ferrari entry is "o=Ferrari, c=Italy".
As with file system pathnames and URLs, entering the correct LDAP name format is essential to successful search operations. Note that a comma or plus sign can appear inside an attribute value if it is preceded by a backslash, so split a DN with a parser that honors these escapes rather than on every comma.
Note: The attribute-value pair that forms the RDN is stored as an attribute of the directory entry. The full DN is not. However, you can output the full DN by specifying "dn" in a query's attributes list. For more information, see CFML Reference. ColdFusion always returns DNs with spaces after the commas.
A multivalued RDN is made up of more than one attribute-value pair. In a multivalued RDN, the attribute-value pairs are separated by plus signs (+). In the sample directories, individuals could have multivalued RDNs consisting of their common name and their e-mail address; for example, "cn=Robert Boyd + mail=rjboyd@macromedia.com". Every attribute-value pair in a multivalued RDN must be present in the entry, and the combination must be unique among the parent's children.
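The DN rules above (RDNs separated by commas, attribute-value pairs inside a multivalued RDN separated by plus signs, and separators inside values hidden behind a backslash) are easy to get wrong with plain string splitting. The following Python parser and composer is an added example written for this page; it is not ColdFusion code and not from the original chapter. It follows the RFC 4514 string form, and the function names and the sample DNs other than the ones quoted above are the example's own. The same_dn function goes slightly beyond the text: it compares two DNs structurally, which is what you want when deciding whether two names refer to the same entry, since "O=Ferrari,C=Italy" and "o=Ferrari, c=Italy" are the same DN but different strings.

```python
"""Parse, escape and compare LDAP distinguished names (RFC 4514 string form).
Added example for this page; function names and sample DNs are the example's own."""
from __future__ import annotations

# Characters that must be backslash-escaped anywhere inside an attribute value.
_SPECIAL = set(',+"\\<>;')
_HEX = set("0123456789abcdefABCDEF")


def escape_value(value: str) -> str:
    """Escape one attribute value so it can be placed after '=' in an RDN."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _SPECIAL or (ch == "#" and i == 0) or (ch == " " and i in (0, last)):
            out.append("\\" + ch)          # leading '#', leading/trailing space, specials
        elif ch == "\x00":
            out.append("\\00")
        else:
            out.append(ch)
    return "".join(out)


def unescape_value(raw: str) -> str:
    """Decode '\\c' (escaped character) and '\\XX' (hex byte) back to the value."""
    out = bytearray()
    i = 0
    while i < len(raw):
        if raw[i] == "\\" and i + 1 < len(raw):
            pair = raw[i + 1:i + 3]
            if len(pair) == 2 and set(pair) <= _HEX:
                out.append(int(pair, 16))                 # one byte of (possibly UTF-8) data
                i += 3
            else:
                out.extend(raw[i + 1].encode("utf-8"))    # escaped literal character
                i += 2
        else:
            out.extend(raw[i].encode("utf-8"))
            i += 1
    return out.decode("utf-8")


def _split_unescaped(s: str, sep: str) -> list[str]:
    """Split s at sep, ignoring separators hidden behind a backslash escape."""
    parts, buf, i = [], [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            buf.append(s[i:i + 2])         # keep the escape pair for unescape_value
            i += 2
        elif s[i] == sep:
            parts.append("".join(buf))
            buf = []
            i += 1
        else:
            buf.append(s[i])
            i += 1
    parts.append("".join(buf))
    return parts


def _trim(raw: str) -> str:
    """Drop the optional spaces around a value, but keep an escaped trailing space."""
    raw = raw.lstrip(" ")
    while raw.endswith(" "):
        backslashes = len(raw) - 1 - len(raw[:-1].rstrip("\\"))
        if backslashes % 2 == 1:           # odd count: the space itself is escaped
            break
        raw = raw[:-1]
    return raw


def parse_dn(dn: str) -> list[list[tuple[str, str]]]:
    """Return the DN as a list of RDNs, each a list of (type, value) pairs;
    a multivalued RDN such as 'cn=Robert Boyd + mail=...' yields two pairs."""
    rdns = []
    for rdn_text in _split_unescaped(dn, ","):
        pairs = []
        for ava in _split_unescaped(rdn_text, "+"):
            if "=" not in ava:
                raise ValueError(f"malformed RDN component: {ava!r}")
            attr_type, raw_value = ava.split("=", 1)
            pairs.append((attr_type.strip().lower(), unescape_value(_trim(raw_value))))
        rdns.append(pairs)
    return rdns


def compose_dn(rdns: list[list[tuple[str, str]]]) -> str:
    """Rebuild the string form with canonical escaping; RDNs are joined with
    ', ' (the spacing ColdFusion returns) and pairs inside an RDN with '+'."""
    return ", ".join("+".join(f"{t}={escape_value(v)}" for t, v in rdn) for rdn in rdns)


def same_dn(a: str, b: str) -> bool:
    """Structural comparison: types case-insensitive, values unescaped and compared
    under caseIgnore rules (case-folded, inner whitespace collapsed), pair order
    inside a multivalued RDN ignored. Tighten this for case-exact attribute types."""
    def key(dn: str):
        return [sorted((t, " ".join(v.casefold().split())) for t, v in rdn)
                for rdn in parse_dn(dn)]
    return key(a) == key(b)
```

Run parse_dn on a DN returned by a query and walk the result from the end to get the path from the root; compose_dn(parse_dn(x)) is a cheap way to canonicalize a DN before storing or logging it.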
The concepts of schemas and object classes are central to a thorough understanding of LDAP. Although detailed descriptions of them are beyond the scope of this chapter, the following sections provide enough information to use the cfldap tag effectively.
A directory schema is a set of rules that determines what can be stored in a directory. It defines, at a minimum, the following two basic directory characteristics:
Object classes enable LDAP to group related information. Frequently, an object class corresponds to a real object or concept, such as a country, person, room, or domain (in fact, these are all standard object class names). Each entry in an LDAP directory must belong to one or more object classes.
The following characteristics define an object class:
If an entry belongs to a class that derives from another class, the entry's objectclass attribute lists the lowest-level class and all the superior classes from which the lowest-level class derives. For example, an entry whose class is inetOrgPerson has an objectclass attribute with the values inetOrgPerson, organizationalPerson, person, and top, so a filter on any of those class names matches it.
When you add, modify, or delete a directory entry, you must treat the entry's object class as a possibly multivalued attribute. For example, when you add a new entry, you specify the object class in the cfldap tag attributes attribute. To retrieve an entry's object class names, specify "objectclass" in the list of query attributes. To retrieve entries that provide a specific type of information, you can use the object class name in the cfldap tag filter attribute. If any part of the filter comes from user input, escape the LDAP filter metacharacters (parentheses, asterisk, and backslash) before inserting it; otherwise the input can change the meaning of the filter.
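The object class behaviour described above (an entry's objectclass attribute carries the whole inheritance chain, and a class name in the filter selects entries of that kind) and the need to escape user-supplied values before putting them in a filter, shown in Python as an added example that is not part of the original chapter and not ColdFusion code. It builds an RFC 4515 filter string, the same string form the cfldap filter attribute accepts, and evaluates it against a small constructed in-memory directory so the effect can be seen offline. The entries, names and functions are the example's own; only equality and wildcard matching are implemented.

```python
"""Build and evaluate LDAP search filters (RFC 4515 string form) against a
small in-memory directory, to show objectclass matching and filter escaping.
Added example for this page; entries and function names are the example's own."""
from __future__ import annotations
import re

# Constructed sample directory (not real data). Each objectclass value list
# carries the whole inheritance chain, as a directory server returns it.
ENTRIES = [
    {"dn": "cn=Robert Boyd, o=Macromedia, c=USA",
     "objectclass": ["inetOrgPerson", "organizationalPerson", "person", "top"],
     "cn": ["Robert Boyd"], "mail": ["rjboyd@macromedia.com"]},
    {"dn": "cn=Maria Rossi, o=Ferrari, c=Italy",
     "objectclass": ["inetOrgPerson", "organizationalPerson", "person", "top"],
     "cn": ["Maria Rossi"], "mail": ["mrossi@example.com"]},
    {"dn": "o=Ferrari, c=Italy",
     "objectclass": ["organization", "top"], "o": ["Ferrari"]},
]


def escape_filter_value(value: str) -> str:
    """RFC 4515: encode '*', '(', ')', '\\' and NUL as \\XX so they stay literal."""
    table = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
    return "".join(table.get(ch, ch) for ch in value)


def _value_regex(raw: str) -> re.Pattern:
    """Compile an assertion value ('*' wildcards, \\XX escapes) to a
    case-insensitive regex, i.e. caseIgnore matching as used by cn, o, mail."""
    literal = []
    for piece in raw.split("*"):              # only a raw '*' is a wildcard
        decoded = re.sub(r"\\([0-9a-fA-F]{2})",
                         lambda m: chr(int(m.group(1), 16)), piece)
        literal.append(re.escape(decoded))    # decoded metacharacters stay literal
    return re.compile("^" + ".*".join(literal) + "$", re.IGNORECASE)


def _parse(text: str, pos: int):
    """Recursive-descent parse of one parenthesised filter; returns (node, pos)."""
    if text[pos] != "(":
        raise ValueError(f"expected '(' at offset {pos}")
    pos += 1
    op = text[pos]
    if op in "&|":                            # (&(f1)(f2)...) / (|(f1)(f2)...)
        pos += 1
        children = []
        while text[pos] == "(":
            child, pos = _parse(text, pos)
            children.append(child)
        node = (op, children)
    elif op == "!":                           # (!(f))
        child, pos = _parse(text, pos + 1)
        node = ("!", child)
    else:                                     # (attr=value); an unescaped ')' ends it
        end = text.index(")", pos)
        attr, raw = text[pos:end].split("=", 1)
        node = ("=", attr.strip().lower(), _value_regex(raw))
        pos = end
    if text[pos] != ")":
        raise ValueError(f"expected ')' at offset {pos}")
    return node, pos + 1


def parse_filter(text: str):
    node, pos = _parse(text, 0)
    if pos != len(text):
        raise ValueError("trailing data after filter")
    return node


def matches(node, entry: dict) -> bool:
    """Evaluate a parsed filter against one entry (attribute names lower-case)."""
    if node[0] == "&":
        return all(matches(c, entry) for c in node[1])
    if node[0] == "|":
        return any(matches(c, entry) for c in node[1])
    if node[0] == "!":
        return not matches(node[1], entry)
    _, attr, pattern = node
    return any(pattern.match(v) for v in entry.get(attr, []))


def search(filter_text: str, entries=ENTRIES) -> list[str]:
    """Return the DNs of entries matching the filter, in directory order."""
    node = parse_filter(filter_text)
    return [e["dn"] for e in entries if matches(node, e)]


def person_by_name(name: str, safe: bool = True) -> list[str]:
    """Look up people by common name. safe=False splices the raw value into the
    filter, the mistake this example exists to show: a name of '*' or
    '*)(mail=*' then widens the search instead of matching a literal name."""
    value = escape_filter_value(name) if safe else name
    return search(f"(&(objectclass=person)(cn={value}))")


if __name__ == "__main__":
    print(search("(objectclass=person)"))            # both people, via inheritance
    print(person_by_name("*)(mail=*", safe=False))   # injected: both people
    print(person_by_name("*)(mail=*"))               # escaped: no match
```

The entry "o=Ferrari, c=Italy" never matches (objectclass=person) because its objectclass values are organization and top only, while both people match it through inheritance even though their lowest-level class is inetOrgPerson. The last two calls differ only in escaping: the raw value turns into two extra filter items, the escaped value is matched as the literal string "*)(mail=*".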
A schema's attribute type specification defines the following properties:
The attribute type definition can also determine limits on the range or size of values that the type represents, or provide an application-specific usage indicator. For standard attributes, a registered numeric ID specifies the syntax and matching rule information. For more information on attribute syntaxes, see IETF RFC 2252 at http://www.ietf.org/rfc/rfc2252.txt. RFC 2252 has since been obsoleted by RFC 4517, which defines the syntaxes and matching rules for the current LDAP specification.
Operational attributes, such as creatorsName or modifyTimestamp, are maintained by the directory service and cannot be changed by user applications. Servers return them only when a query names them explicitly in its attributes list, not when all user attributes are requested.