Author:
Source:

Every directory entry has a set of attributes that go with its object class. IBM TDS represents data as name-value pairs: a descriptive attribute, such as commonName (cn), paired with a specific piece of information, such as the name John Doe. The attributes discussed here sit at the same level of the schema as object classes; they are not attributes of an object class.
The IBMAttributeTypes attribute describes schema information about an attribute that the LDAP v3 standard attributeTypes definition does not cover. Its syntax is as follows:

    IBMAttributeTypesDescription = "(" whsp
        numericoid whsp
        [ "DBNAME" qdescrs ]                      ; at most 2 names (table, column)
        [ "ACCESS-CLASS" whsp IBMAccessClass whsp ]
        [ "LENGTH" wlen whsp ]                    ; maximum length of attribute
        [ "EQUALITY" whsp ]                       ; create index for matching rule
        [ "ORDERING" whsp ]                       ; create index for matching rule
        [ "APPROX" whsp ]                         ; create index for matching rule
        [ "SUBSTR" whsp ]                         ; create index for matching rule
        [ "REVERSE" whsp ]                        ; reverse index for substring
        [ "ENCRYPT" whsp scheme whsp ]            ; encryption scheme
        [ "SECURE-CONNECTION-ONLY" whsp ]         ; secure connection required
        [ "RETURN-VALUE" whsp returnValue whsp ]  ; value to be returned
        [ "NONMATCHABLE" whsp ]                   ; attribute can only be used in existence filters
        whsp ")"

    scheme         = "SSHA" / "AES-128" / "AES-192" / "AES-256"
    returnValue    = "encrypted" / "type-only"
    IBMAccessClass = "NORMAL" /                   ; this is the default
                     "SENSITIVE" /
                     "CRITICAL" /
                     "RESTRICTED" /
                     "SYSTEM"

numericoid: the OID that ties the IBMAttributeTypes value to the attribute type it describes; it is the same OID used in the corresponding attributetypes definition.

DBNAME: at most two names. The first is the name of the table that stores this attribute; the second is the name of the column in that table that holds the fully normalized value. If only one name is given, it is used as both the table name and the column name.

ACCESS-CLASS: attributes that require similar access rights are grouped into an access class. IBM defines five attribute classes that are used when evaluating a user's rights: normal, sensitive, critical, system and restricted. Leaving this field empty selects the default, normal.

LENGTH: the maximum length of the attribute, in bytes.

EQUALITY, ORDERING, APPROX, SUBSTR, REVERSE: for each of these that is specified, an index is built for the corresponding matching rule.

Viewing attributes:

    idsldapsearch -b cn=schema -s base objectclass=* attributeTypes IBMAttributeTypes

Adding an attribute:

    idsldapmodify -D <admindn> -w <adminpw> -i myschema.ldif

An example myschema.ldif:

    dn: cn=schema
    changetype: modify
    add: attributetypes
    attributetypes: ( myAttribute-oid NAME ( 'myAttribute' ) DESC 'An attribute I defined for my LDAP application' EQUALITY 2.5.13.2 SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 {200} USAGE userApplications )
    -
    add: ibmattributetypes
    ibmattributetypes: ( myAttribute-oid DBNAME ( 'myAttrTable' 'myAttrColumn' ) ACCESS-CLASS normal LENGTH 200 )

Modifying an attribute:

    idsldapmodify -D <admindn> -w <adminpw> -i myschemachange.ldif

The myschemachange.ldif file looks like this (here it adds EQUALITY and SUBSTR indexes to the attribute):

    dn: cn=schema
    changetype: modify
    replace: attributetypes
    attributetypes: ( myAttribute-oid NAME ( 'myAttribute' ) DESC 'An attribute I defined for my LDAP application' EQUALITY 2.5.13.2 SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 {200} USAGE userApplications )
    -
    replace: ibmattributetypes
    ibmattributetypes: ( myAttribute-oid DBNAME ( 'myAttrTable' 'myAttrColumn' ) ACCESS-CLASS normal LENGTH 200 EQUALITY SUBSTR )

Copying an attribute:

First look at the attributes already in the schema:

    idsldapsearch -b cn=schema -s base objectclass=* attributeTypes IBMAttributeTypes

Then choose the attribute to copy and add the copy under a new name and OID:

    idsldapmodify -D <admindn> -w <adminpw> -i <filename>

where <filename> looks like:

    dn: cn=schema
    changetype: modify
    add: attributetypes
    attributetypes: ( <mynewattribute-oid> NAME '<mynewattribute>' DESC '<A new attribute I copied for my LDAP application>' EQUALITY 2.5.13.2 SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 {200} USAGE userApplications )
    -
    add: ibmattributetypes
    ibmattributetypes: ( <mynewattribute-oid> DBNAME ( 'myAttrTable' 'myAttrColumn' ) ACCESS-CLASS normal LENGTH 200 )

Deleting an attribute:

    idsldapmodify -D <admindn> -w <adminpw> -i myschemadelete.ldif

The myschemadelete.ldif file looks like this:

    dn: cn=schema
    changetype: modify
    delete: attributetypes
    attributetypes: ( myAttribute-oid )
    -
    delete: ibmattributetypes
    ibmattributetypes: ( myAttribute-oid )

Encrypting an attribute (here uid: stored with AES256, returned only in encrypted form, and only over a secure connection), with the LDIF supplied on standard input:

    ldapmodify -D <admindn> -w <adminpw>
    dn: cn=schema
    changetype: modify
    replace: attributetypes
    attributetypes: ( 0.9.2342.19200300.100.1.1 NAME 'uid' DESC 'Typically a user shortname or userid.' EQUALITY 1.3.6.1.4.1.1466.109.114.2 ORDERING 2.5.13.3 SUBSTR 2.5.13.4 SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 USAGE userApplications )
    -
    replace: IBMAttributetypes
    IBMAttributetypes: ( 0.9.2342.19200300.100.1.1 DBNAME ( 'uid' 'uid' ) ACCESS-CLASS normal LENGTH 256 EQUALITY ORDERING SUBSTR APPROX ENCRYPT AES256 SECURE-CONNECTION-ONLY RETURN-VALUE encrypted )

Managing unique attributes

A unique attribute ensures that each value of that attribute occurs in at most one entry in the directory. Unique attributes can only be declared in two entries: cn=uniqueattributes,cn=localhost and cn=uniqueattributes,cn=IBMpolicies.
Note: binary attributes, operational attributes, configuration attributes and the objectclass attribute cannot be declared unique.

Creating unique attributes:

    idsldapmodify -D <admindn> -w <adminpw> -i <filename>

where the file looks like:

    dn: cn=uniqueattributes,cn=localhost
    changetype: add
    ibm-UniqueAttributeTypes: sn
    objectclass: top
    objectclass: ibm-UniqueAttributes

To add further unique attributes:

    idsldapmodify -D <admindn> -w <adminpw> -i <filename>

with a file such as:

    dn: cn=uniqueattributes,cn=localhost
    changetype: modify
    add: ibm-UniqueAttributeTypes
    ibm-UniqueAttributeTypes: AIXAdminUserId
    -
    add: ibm-UniqueAttributeTypes
    ibm-UniqueAttributeTypes: adminGroupNames

Deleting a unique attribute:

    idsldapmodify -D <admindn> -w <adminpw> -i <filename>

with a file such as:

    dn: cn=uniqueattributes,cn=localhost
    changetype: modify
    delete: ibm-UniqueAttributeTypes
    ibm-UniqueAttributeTypes: AIXAdminUserId
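As an added illustration of the IBMAttributeTypes grammar and the encrypt example in the section above (this is example code written for this page, not IBM TDS code or output): a small Python parser that reads IBMAttributeTypes values of the form returned by the idsldapsearch command and flags storage settings a reviewer would want to check, such as an encrypted attribute that is not restricted to secure connections or a critical attribute stored in the clear. The sample definitions are constructed; OIDs under 1.3.6.1.4.1.99999 are placeholders, and the parser accepts both the AES256 spelling used in the encrypt example and the AES-256 spelling from the grammar.

```python
"""Audit IBMAttributeTypes definitions (added example; not IBM TDS code).

Parses the parenthesised IBMAttributeTypes description whose grammar is
given above and flags storage settings worth a review.  Sample inputs are
constructed for this example; OIDs under 1.3.6.1.4.1.99999 are placeholders.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

INDEX_KEYWORDS = ("EQUALITY", "ORDERING", "APPROX", "SUBSTR", "REVERSE")
ACCESS_CLASSES = ("NORMAL", "SENSITIVE", "CRITICAL", "RESTRICTED", "SYSTEM")
ENCRYPT_SCHEMES = ("SSHA", "AES-128", "AES-192", "AES-256")


@dataclass
class IBMAttributeType:
    oid: str
    dbname: tuple = ()                  # (table, column); one name means both
    access_class: str = "NORMAL"        # grammar default
    length: Optional[int] = None        # bytes
    indexes: set = field(default_factory=set)
    encrypt: Optional[str] = None       # SSHA / AES-128 / AES-192 / AES-256
    secure_connection_only: bool = False
    return_value: Optional[str] = None  # "encrypted" / "type-only"
    nonmatchable: bool = False


def parse_ibm_attribute_type(desc: str) -> IBMAttributeType:
    """Parse one IBMAttributeTypes value, e.g. the uid definition above."""
    body = desc.strip()
    if not (body.startswith("(") and body.endswith(")")):
        raise ValueError("description must be enclosed in parentheses")
    # Tokens: quoted names, single parentheses, or bare words.
    tokens = re.findall(r"'[^']*'|[()]|[^\s()']+", body[1:-1])
    if not tokens:
        raise ValueError("missing numericoid")
    at = IBMAttributeType(oid=tokens[0])
    i = 1
    try:
        while i < len(tokens):
            kw = tokens[i].upper()
            i += 1
            if kw == "DBNAME":
                names = []
                if tokens[i] == "(":            # DBNAME ( 'table' 'column' )
                    i += 1
                    while tokens[i] != ")":
                        names.append(tokens[i].strip("'"))
                        i += 1
                    i += 1
                else:                           # DBNAME 'table'
                    names.append(tokens[i].strip("'"))
                    i += 1
                if not 1 <= len(names) <= 2:
                    raise ValueError("DBNAME takes one or two names")
                at.dbname = (names[0], names[-1])
            elif kw == "ACCESS-CLASS":
                cls = tokens[i].upper()
                i += 1
                if cls not in ACCESS_CLASSES:
                    raise ValueError(f"unknown ACCESS-CLASS {cls}")
                at.access_class = cls
            elif kw == "LENGTH":
                at.length = int(tokens[i])
                i += 1
            elif kw in INDEX_KEYWORDS:
                at.indexes.add(kw)
            elif kw == "ENCRYPT":
                # Accept "AES256" (page example) as well as the grammar's "AES-256".
                scheme = re.sub(r"^AES(\d+)$", r"AES-\1", tokens[i].upper())
                i += 1
                if scheme not in ENCRYPT_SCHEMES:
                    raise ValueError(f"unknown ENCRYPT scheme {scheme}")
                at.encrypt = scheme
            elif kw == "SECURE-CONNECTION-ONLY":
                at.secure_connection_only = True
            elif kw == "RETURN-VALUE":
                at.return_value = tokens[i].lower()
                i += 1
            elif kw == "NONMATCHABLE":
                at.nonmatchable = True
            else:
                raise ValueError(f"unknown keyword {kw}")
    except IndexError:
        raise ValueError("truncated description") from None
    return at


def audit(at: IBMAttributeType) -> list:
    """Review findings for one parsed definition (empty list = nothing to flag)."""
    findings = []
    if at.access_class in ("SENSITIVE", "CRITICAL") and at.encrypt is None:
        findings.append(f"{at.oid}: {at.access_class} attribute stored unencrypted")
    if at.encrypt and not at.secure_connection_only:
        findings.append(f"{at.oid}: encrypted at rest but not SECURE-CONNECTION-ONLY")
    if at.encrypt and at.return_value is None:
        findings.append(f"{at.oid}: encrypted but no RETURN-VALUE restriction")
    beyond_equality = at.indexes - {"EQUALITY"}
    if at.encrypt == "SSHA" and beyond_equality:
        findings.append(f"{at.oid}: {sorted(beyond_equality)} index on one-way SSHA value")
    return findings


# Constructed samples: the first two follow the examples on this page, the
# last two use placeholder OIDs.
SAMPLE_DEFINITIONS = [
    "( 0.9.2342.19200300.100.1.1 DBNAME( 'uid' 'uid' ) ACCESS-CLASS normal LENGTH 256 "
    "EQUALITY ORDERING SUBSTR APPROX ENCRYPT AES256 SECURE-CONNECTION-ONLY RETURN-VALUE encrypted )",
    "( myAttribute-oid DBNAME ( 'myAttrTable' 'myAttrColumn' ) ACCESS-CLASS normal LENGTH 200 EQUALITY SUBSTR )",
    "( 1.3.6.1.4.1.99999.1 DBNAME 'secretTok' ACCESS-CLASS critical LENGTH 64 EQUALITY SUBSTR ENCRYPT SSHA )",
    "( 1.3.6.1.4.1.99999.2 DBNAME ( 'pin' ) ACCESS-CLASS critical LENGTH 8 )",
]


def audit_all(definitions=SAMPLE_DEFINITIONS) -> dict:
    """Map each OID to its findings."""
    return {at.oid: audit(at) for at in map(parse_ibm_attribute_type, definitions)}


if __name__ == "__main__":
    for oid, findings in audit_all().items():
        print(oid, "OK" if not findings else "")
        for finding in findings:
            print("  -", finding)
```

Run it against the output of the idsldapsearch command above by feeding each IBMAttributeTypes value to parse_ibm_attribute_type; the findings are review prompts, not verdicts, since whether a cleartext return is acceptable depends on the application.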
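An added pre-check for the unique attribute section above (example code written for this page, not an IBM tool): before an attribute is listed under cn=uniqueattributes,cn=localhost, read an LDIF export of the directory, report values that already occur in more than one entry, and reject attribute names the note says cannot be made unique. The LDIF is constructed for the example; comparing values case-insensitively is an assumption (the server's matching rule decides), and the operational attribute names are the standard ones from RFC 4512, not the server's full list.

```python
"""Pre-check before declaring unique attributes (added example; not IBM TDS code).

Reads an LDIF export, collects the names listed under ibm-UniqueAttributeTypes
in the cn=uniqueattributes entries, and reports values that already occur in
more than one entry.  The LDIF below is constructed for this example.
"""
import base64
from collections import defaultdict

# Attribute kinds the note above says cannot be made unique.  objectclass is
# named there; the operational attributes are the standard ones from RFC 4512
# (assumption: the server's own list is longer and includes binary and
# configuration attributes that can only be identified from the schema).
DISALLOWED = {"objectclass", "createtimestamp", "modifytimestamp",
              "creatorsname", "modifiersname", "entryuuid", "subschemasubentry"}

# Constructed export: one uniqueattributes entry and three people.
SAMPLE_LDIF = """\
dn: cn=uniqueattributes,cn=localhost
objectclass: top
objectclass: ibm-UniqueAttributes
ibm-UniqueAttributeTypes: uid
ibm-UniqueAttributeTypes: mail

dn: uid=jdoe,ou=people,o=example
objectclass: inetOrgPerson
uid: jdoe
mail: jdoe@example.com
sn: Doe

dn: uid=jdoe2,ou=people,o=example
objectclass: inetOrgPerson
uid: jdoe2
mail: JDoe@example.com
sn: Doe

dn: uid=asmith,ou=people,o=example
objectclass: inetOrgPerson
uid: asmith
mail:: YXNtaXRoQGV4YW1wbGUuY29t
sn: Smith
"""


def _unfold(text):
    """Join LDIF continuation lines (a leading space continues the previous line)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text):
    """Minimal LDIF reader: returns a list of (dn, {attr: [values]}).
    Attribute names are lower-cased; '::' values are base64-decoded."""
    entries, dn, attrs = [], None, defaultdict(list)
    for line in _unfold(text) + [""]:      # sentinel flushes the last entry
        if line.startswith("#"):
            continue
        if not line.strip():
            if dn is not None:
                entries.append((dn, dict(attrs)))
            dn, attrs = None, defaultdict(list)
            continue
        name, _, value = line.partition(":")
        name = name.strip().lower()
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        if name == "dn":
            dn = value
        else:
            attrs[name].append(value)
    return entries


def unique_attribute_names(entries):
    """Attribute names declared unique in the cn=uniqueattributes,... entries."""
    names = set()
    for dn, attrs in entries:
        if dn.lower().startswith("cn=uniqueattributes,"):
            names.update(v.lower() for v in attrs.get("ibm-uniqueattributetypes", []))
    return names


def disallowed(unique_names):
    """Names that the note above says cannot be made unique."""
    return {n for n in unique_names if n.lower() in DISALLOWED}


def find_duplicates(entries, unique_names):
    """{attr: {value: [dn, ...]}} for values present in more than one entry.
    Assumption: values are compared case-insensitively."""
    seen = defaultdict(lambda: defaultdict(list))
    for dn, attrs in entries:
        if dn.lower().startswith("cn=uniqueattributes,"):
            continue
        for attr in unique_names:
            for value in attrs.get(attr, []):
                seen[attr][value.lower()].append(dn)
    dupes = {}
    for attr, values in seen.items():
        hits = {v: dns for v, dns in values.items() if len(dns) > 1}
        if hits:
            dupes[attr] = hits
    return dupes


if __name__ == "__main__":
    entries = parse_ldif(SAMPLE_LDIF)
    names = unique_attribute_names(entries)
    print("cannot be unique:", sorted(disallowed(names)) or "none")
    for attr, hits in find_duplicates(entries, names).items():
        for value, dns in hits.items():
            print(f"{attr}={value!r} occurs in {len(dns)} entries: {', '.join(dns)}")
```

In the constructed export, mail is already duplicated between two entries (the case difference is folded away), so the mail line would be the one to resolve before adding it to ibm-UniqueAttributeTypes; sn is duplicated too, but it is not on the unique list, so it is not reported.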