How to Use Views

You define a view to the DSA process by using the set view command.

You might find it useful to create a file settings/views.dxc to contain your view definitions. This file should include a clear view command before the set view commands. See set view Command.

A view command has a header and a body. The header identifies the view and contains the view name, DN, and post-processing options. The view body consists of a list of searches, called phases. Each phase has a DN and a filter (and some ancillary information).

You invoke a view by providing the view's DN as the base object in an LDAP request to the DSA. Search requests are restricted in scope to the base object and filtered subtree searches. Bind, compare, and modify requests are restricted to using only attributes contained in the entry defined in phase 1.

Example: Cell Phone Service Provider

Consider a cell phone provider. To find the phone's SIM card number in the provider's directory structure, you first find the customer's cell phone number and then use that to find the SIM card number. The following table shows how to do the complete task using a view.

Define View Command

Annotation

set view "SIM View" = {
description = "Display Sim Number given a name"

This line defines a view and gives it a name. The name and description are displayed from the get view command.

entry = <o ACME><ou Views><cn "SIM">

This line defines the base object DN for this view. The user specifies this to invoke the view, so to invoke this view with the ldapsearch command, the command line must include the following option:

-b "cn=SIM,ou=Views,o=ACME"

In this organization (ACME), the administrator has included an organizational unit called Views solely to ensure that all the view DNs are unique.

(phase = 1
 subtree = "ou=Customers,o=ACME"
 filter = "(cn=$cn)"
 ),

This is the first phase of the view, so it must be labeled 1.

When the view is invoked, the phase searches the subtree starting at the following DN:

"ou=Customers,o=ACME"

The use of the term $cn in the phase means that users must specify the value of cn when they invoke the view. For example, the search could include the filter:

(cn="John Smith")

The DSA uses this value to replace the $cn term. Therefore, phase 1 performs a search with the following filter:

(cn="John Smith")

Because the phase does not include any other options, the phase returns all the information in the subtree.

(phase = 2
 subtree = "ou=cellphones,ou=Accounts,o=ACME"
 filter = "(account=$1:cellphone)"
 eis = simCardNumber
 options = result-required
 )
};

This is the second phase of the view, so it must be labeled 2.

This phase searches the following subtree:

"ou=cellphones,ou=Accounts,o=ACME"

The DSA replaces $1:cellphone with the value of the cellphone attribute returned by phase 1, for example, 01001001001.

The eis option means that the only attribute value that the phase returns is simCardNumber.

If the customer has two phones, then the filter is an OR of the phone numbers returned, as in the following example:

(|(account=01001001001)(account=01001001002))

Two simCardNumber values are returned in this case.

Because this phase specifies result-required, the DSA checks that the link between the attributes in each subtree is valid. If the link is not valid, then it raises an alarm.

Given the view defined in the preceding table, you could use the following search to find a customer's SIM card numbers:

ldapsearch -h hostname:3000 -s subtree -b "cn=SIM,ou=Views,o=ACME" "(cn=John Smith)" simCardNumber
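
The following Python sketch is an added example, not part of the CA documentation or the DSA's own code. It models the two phases of the SIM View over constructed in-memory data to show how the values returned by phase 1 become the phase 2 filter. The sample entries, the helper names, the RFC 4515 escaping of substituted values, and the reading of result-required as "every phase 1 value needs a phase 2 match" are assumptions.

```python
# Added illustration: a toy, in-memory model of the two-phase "SIM View".
# It is not CA Directory code; the data and helper names are constructed.

CUSTOMERS = [  # stands in for ou=Customers,o=ACME (constructed sample data)
    {"cn": "John Smith", "cellphone": ["01001001001", "01001001002"]},
    {"cn": "Ann Lee", "cellphone": ["01001001009"]},
]
ACCOUNTS = [  # stands in for ou=cellphones,ou=Accounts,o=ACME (constructed)
    {"account": "01001001001", "simCardNumber": "SIM-A1"},
    {"account": "01001001002", "simCardNumber": "SIM-B2"},
]

def escape_filter_value(value):
    """Escape RFC 4515 special characters so a value stays a literal."""
    out = []
    for ch in value:
        out.append("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch)
    return "".join(out)

def build_filter(attr, values):
    """One value -> (attr=v); several values -> an OR of equality terms."""
    terms = ["(%s=%s)" % (attr, escape_filter_value(v)) for v in values]
    return terms[0] if len(terms) == 1 else "(|%s)" % "".join(terms)

def run_sim_view(cn):
    """Return (phase 2 filter, simCardNumber values, alarms) for a given cn."""
    # Phase 1: filter (cn=$cn) over the customers subtree (exact match here).
    phones = [p for e in CUSTOMERS if e["cn"] == cn for p in e["cellphone"]]
    if not phones:
        return None, [], []
    # Phase 2: $1:cellphone is replaced by every value phase 1 returned.
    phase2 = build_filter("account", phones)
    hits = {a["account"]: a["simCardNumber"] for a in ACCOUNTS
            if a["account"] in phones}
    # Assumption: result-required is modelled as "every phase 1 value must
    # have a phase 2 match"; unmatched values are reported as alarms.
    alarms = [p for p in phones if p not in hits]
    return phase2, [hits[p] for p in phones if p in hits], alarms
```

In this model, a customer whose cellphone value has no matching account entry produces an empty result and one alarm, which is the broken-link case that result-required is described as catching.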

More information:

clear view Command—Remove All View Definitions

get view Command—Display View Definitions

set view Command—Define a View


Copyright © 2009 CA. All rights reserved.