To define a view to the DSA, you use the set view command.
The syntax of the command is as follows:
set view viewName = {
    description="description"
    entry = ViewDN
    [options = [collapse-result | collapse-result-under-entry]
        [, remap-originator] [, view-entry-access-controls] ]
    (phase=1
        subtree = phaseDN
        [scope = {subtree | base | one-level}]
        [filter = phaseFilter]
        [eis = [prefix.]attributeName[.suffix] [,[prefix.]attributeName[.suffix]]...]
        [allow-attr = allowAttribute allow-target = allowTarget]
        [prune-attr = pruneAttribute prune-target = pruneTarget]
        [options = [ignore-from-result] [result-required] [prune-from-result]] )
    [if (condition) |
     else if (condition) | else ]
    [,(phase=2
        subtree = phase_DN
        [scope = {subtree | base | one-level}]
        [filter = phaseFilter]
        [eis = [prefix.]attributeName[.suffix] [,[prefix.]attributeName[.suffix]]...]
        [allow-attr = allowAttributeList allow-target = allowTarget]
        [prune-attr = pruneAttributeList prune-target = pruneTargetList]
        [merge-dn-attr]
        [options = [ignore-from-result] [,result-required] [,prune-from-result] [,collapse-target]] )]
}
viewName
Defines the name that the DSA command interpreter uses to identify the view. If the name contains spaces or non-alphanumeric characters, then it must be enclosed in quotes.
description
Describes the view. The description is any text string enclosed in quotes.
entry = ViewDN
Defines the base object of the view in LDAP format. This DN is the target of searches that invoke this view.
collapse-result
(Optional) Specifies that the view will merge all the results into one entry, which is the base object of the search request invoking the view.
collapse-result-under-entry
(Optional) Specifies that the view will merge all the results into one entry, which is the entry DN returned by the phase one search. If the phase one search returns multiple entries, then the view is applied to each entry independently and multiple collapsed entries are returned.
remap-originator
(Optional) When a client binds to a view using a DN returned by a previous search with ‘collapse-result-under-entry’, the bind DN is a virtual entry, and the originator, and hence access controls, apply to that virtual entry. The remap-originator option re-maps the originator to the underlying phase 1 entry, allowing existing ACIs to be used.
view-entry-access-controls
(Optional) Allows temporary access to sections of the view that are not visible to the user invoking the view. Use this in conjunction with ‘trust-dsa-triggered-operations’. This works by ignoring access controls while the view searches are invoked and post-applying the access controls before the result is returned.
if (condition) | else if (condition) | else
Specifies conditions that must be met before the phase is performed. The conditionals “if” and “else if” accept a views parameter, an = (equals) or != (not equals) operator, and a regular expression. The value substituted for the views parameter is compared to the regular expression.
A phase or group of phases can be triggered conditionally, based on information from previous phases. A condition consists of a views attribute, an = or != operator, and a regular expression. For example, "$2:userPassword=." triggers the following brace-enclosed phase or phases if the phase 2 search result contains the userPassword attribute.
phase
Specifies the phase number.
A phase is a directory search within a view. A phase can use the results of previous phases in the same invocation of the view.
Each phase must be given a number, starting at one and incrementing by one for each subsequent phase.
Each phase includes the following parameters:
subtree = phaseDN
Defines the subtree of the search performed for this phase, in LDAP format. The subtree RDN elements can reference previous search phases. This can be omitted for attribute-level pruning/allowing.
For example:
eis
(Optional) Defines the attributes that will be returned. Attribute names are separated by commas.
If eis is specified, then the phase returns only the specified attributes, plus any attributes referenced as parameters in later phases.
If eis is not specified, then all information items are returned.
If the search request that invoked the view specified an attribute name to be returned, then the attributes specified by eis are ignored.
Note: The eis does not need to include the linking attribute (the attribute required by a subsequent phase).
Specifies an attribute to be returned. This follows the syntax for views parameters.
Maps the result to this attribute. This is useful if the underlying data has naming conflicts.
Note: The syntax for both the attribute being returned and the mapped attribute must be identical.
prefix
Adds text to the start of the result. For more information, see Add a Prefix or Suffix to a Value in the Administrator Guide.
suffix
Adds text to the end of the result. For more information, see Add a Prefix or Suffix to a Value in the Administrator Guide.
scope
(Optional) Defines the scope of the search for the specified phase. The scope is one of the following:
subtree
Searches the entire subtree.
base
Searches the base object only.
one-level
Searches one level only.
filter = phaseFilter
(Optional for base and one-level searches) Defines the LDAP filter that the phase uses for its search. Any item in the filter can include views parameters.
If the scope of the search that invokes the view is base-object, then filter is ignored.
This LDAP search filter contains substitution items or 'from-client'. When from-client is specified, the filter directly references the filter passed in by the client.
allow-attr
(Optional) Specifies the attributes that will be included in a phase result. This list of attributes follows the syntax for views parameters.
Specifies the attribute name whose value is appended to the list of attribute values in allow-target.
allow-target
(Optional) Specifies the views parameter to take the value in allow-attr. If allow-target does not exist, it is created when the first allow-attr is returned.
allowTarget follows the syntax for views parameters.
allow-target is used only with the allow-attr option.
prune-attr
(Optional) Specifies the attributes that will be removed from a phase result.
pruneAttributeList follows the syntax for views parameters.
prune-attr is used only with the prune-target option.
prune-target
(Optional) Specifies the views parameter whose value is compared to the value of the attribute in prune-attr. If the two values match, then the attribute entry is removed from the result. Otherwise, the attribute entry is included in the result.
pruneTargetList follows the syntax for views parameters.
prune-target is used only with the prune-attr option.
merge-dn-attr
(Optional) Specifies the attribute of DN syntax that each DN of the current phase result will be returned under. For example, it is often useful to return the groups a user is a member of with the user’s entry. To do this, set this to memberOf, with the phase subtree being where the groups are stored and the filter being “member = $1:dn”.
options
(Optional) Specifies a comma-separated list of processing that the phase should perform before it returns the results to the view. Possible options are as follows:
ignore-from-result
Specifies that the phase should return only those attributes whose values are referenced as parameters in later phases. If this is set, the phase search results are temporary. The results from this phase will not be returned to the client.
prune-from-result
Specifies that the phase should return only the DN and not return any attributes at all.
result-required
Specifies that the DSA should check that an attribute referenced as a parameter in later phases exists. If it does not, then the DSA aborts the search and raises an alarm.
collapse-target
(Requires view option collapse-result-under-view-entry.)
Instead of collapsing the view results under the entry specified by phase 1, this option allows for the view to be collapsed under a later phase. An error will occur if the later phase search returns multiple entries.
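The following Python sketch is an added illustration, not CA Directory code: it models how a condition such as "$2:userPassword=." and a views parameter such as $1:dn in a phase filter are resolved against the results of earlier phases. The phase data is constructed, and the regex-search semantics, first-value substitution and RFC 4515 escaping of substituted values are assumptions of this model, not documented DSA behaviour.

```python
import re

# Constructed phase results: phase number -> attributes of the entry it returned.
PHASES = {
    1: {"dn": ["cn=Ann (Ops),ou=People,o=Example"], "uid": ["ann"]},
    2: {"dn": ["uid=ann,ou=Accounts,o=Example"], "userPassword": ["{SSHA}constructed"]},
}

PARAM = re.compile(r"\$(\d+):([A-Za-z][\w;-]*)")
CONDITION = re.compile(r"^\$(\d+):([A-Za-z][\w;-]*)\s*(!=|=)\s*(.*)$")


def lookup(phases, phase, attr):
    """Values of attr in the result of the given phase (empty list if absent)."""
    return phases.get(phase, {}).get(attr, [])


def condition_holds(condition, phases):
    """Evaluate '$N:attr=regex' or '$N:attr!=regex' against earlier phase results.

    Assumption: '=' holds when any value contains a regex match; '!=' negates it.
    """
    m = CONDITION.match(condition)
    if not m:
        raise ValueError(f"not a view condition: {condition!r}")
    phase, attr, op, pattern = int(m[1]), m[2], m[3], m[4]
    matched = any(re.search(pattern, v) for v in lookup(phases, phase, attr))
    return matched if op == "=" else not matched


def escape_filter_value(value):
    """Escape RFC 4515 special characters so the value stays one literal."""
    return "".join(f"\\{ord(c):02x}" if c in "\\*()\0" else c for c in value)


def expand_filter(template, phases):
    """Replace each $N:attr with the first value from phase N (assumed), escaped."""
    def repl(m):
        values = lookup(phases, int(m[1]), m[2])
        if not values:  # compare the result-required option described above
            raise KeyError(f"${m[1]}:{m[2]} has no value")
        return escape_filter_value(values[0])
    return PARAM.sub(repl, template)


if __name__ == "__main__":
    print(condition_holds("$2:userPassword=.", PHASES))
    print(expand_filter("member = $1:dn", PHASES))
```

Running a planned condition or filter through a model like this before loading the view shows which phases would fire and what the substituted filter looks like when a value from an earlier phase contains filter metacharacters.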