Features of Adapter for LDAP

Copyright © TIBCO Software Inc. All Rights Reserved

Chapter 3 TIBCO ActiveMatrix Adapter for LDAP : Features of Adapter for LDAP

Features of Adapter for LDAP

The following adapter features are described in detail in this manual.

Services of Adapter for LDAP

The following adapter services are supported:

•

Publication Service — Publishes the changes occurring on the LDAP server to JMS or TIBCO Rendezvous, for other applications to use.

•

Subscription Service — Subscribes to messages from other applications on JMS or TIBCO Rendezvous, and applies the requests contained in them to the LDAP server.

•

Request-Response Service — Receives requests for LDAP information from applications through JMS or TIBCO Rendezvous. It performs the required operations on the LDAP server and sends the results in its reply.

An Easy-to-use GUI

The adapter provides its own design-time component, namely the adapter palette, which seamlessly integrates with TIBCO Designer. This easy-to-use interface allows you to quickly configure adapter-specific features. You can use it to enter, delete, and modify configuration information. You can easily specify operational parameters and change them as needed.

Support for Dual TIBCO Messaging Transports

The adapter supports the following TIBCO messaging transports:

•

TIBCO Rendezvous transport — This transport uses subject-based addressing to provide support for both multicast or broadcast, and point-to-point communications. You can configure the delivery modes of the messages and specify the wire format to be used when you configure the adapter service.

•

JMS transport — TIBCO Enterprise Message Service must be installed to use the JMS transport. The JMS administration interfaces allow you to create and manage administered objects such as Connection Factories, Topics, and Queues. JMS clients can retrieve references to these objects by using Java Naming and Directory Interface (JNDI). Creating static administered objects allows clients to use these objects without having to implement the object within the client. When a JMS client starts, it performs a JNDI lookup for the connection factories that it needs. For details on JNDI, see the TIBCO Enterprise Message Service User’s Guide. You can specify the connection factory type and the delivery mode to be used when you configure the adapter service.

Support for Distributed Queues

A distributed queue is a group of cooperating transport objects, each in a separate process. Each transport object is called a member. To balance the transmission load among servers, the adapter can use distributed queues for one-of-n delivery of messages to a group of servers. Each member of a distributed queue must listen for the same subject using TIBCO Rendezvous Distributed Queue listener objects. Even though many members listen for each inbound message (or task), only one member processes the message. For details on distributed queues, see TIBCO Rendezvous Concepts.

In the queue mode within TIBCO Enterprise Message Service, each listener is a single receiver of a point-to-point message. However, the listeners can be configured as a set of receivers, each of which receives a fraction of the messages. For details on TIBCO Enterprise Message Service distributed queues, see the TIBCO Enterprise Message Service User’s Guide.

Load balancing for the processing of TIBCO Rendezvous or JMS certified messages is supported using distributed queuing. The messages from TIBCO Rendezvous or TIBCO Enterprise Message Service are distributed equally among all instances that belong to the same group. This distributes the data load over several adapter instances. However, the order in which the data is sent to the application server is not guaranteed.

Support for Multithreading

The adapter maintains a pool of threads allowing it to respond to and process multiple events simultaneously, thereby improving its performance. One thread pool is maintained for an adapter configuration, allowing publication, subscription, and request-response services to use the same thread pool.

Support for Internationalization

The adapter provides support for many encodings. The default encoding used by the adapter is ASCII.

Schema Support

With the ActiveEnterprise wire format, you can configure a schema to describe the structure of messages processed by the adapter. This feature is especially useful in the following situations:

•

Every adapter service supports one (and only one) schema. The service restricts its operation (publish, subscribe, or request-response) to the chosen schema as well as to a user-specified part of the DIT (Directory Information Tree).

•

If the schema information has changed on the LDAP server, you can reconfigure the adapter instance to reflect the changes.

DIT Browsing

You can restrict the scope of a service to a specific part of the DIT.

•

When you begin configuring a service, only the top-level entries in the tree are visible. Entries below these are fetched dynamically when you explicitly expand the subtrees.

•

You can specify the number of entries. The maximum number of entries you can specify is 50000. The tree expands if the number of entries is equal to, or less than the value you specify.

•

You can only select a single entry at any time since a service can be associated only with one subtree.

•

Each service lets you select a subtree of the LDAP DIT. The adapter supports selection by example. For example, if you need to select object class X, you can choose any entry belonging to object class X. Therefore, when you select a particular LDAP entry type under a DIT, all the entries of that type, irrespective of their position in the tree, will be supported by the service.

•

If the tree selection is not required, all you need to do is select the root of the tree for each service.

•

The adapter service will log an error and return an error message if the incoming message tries to access other LDAP entry types or other portions of the DIT tree.

Support for Basic Authentication

The adapter supports basic authentication, the most simple security mechanism in LDAP. When using basic authentication with LDAP, the client identifies itself to the server by means of a DN (Distinguished Name) and a password which are sent in the clear over the network. The server considers the client authenticated if the DN and password sent by the client matches the password for that DN stored in the directory.

Support for SSL

All data exchange between the adapter and LDAP server can now be secured via a Secure Sockets Layer (SSL) connection.

Attribute Filtering

The adapter provides support for retrieving the attributes of an entry by specifying the names of the attributes. This functionality is available only for the Search operation in the request-response service.

Refined Search Capabilities

The adapter provides refined search capabilities in the request-response service through the use of LDAP_SEARCH_BASE, LDAP_SEARCH_ONELEVEL and LDAP_SEARCH_SUBTREE search options. LDAP_SEARCH_BASE helps you to search for a particular entry, LDAP_SEARCH_ONELEVEL helps you to search one level below the base, not including the base, and LDAP_SEARCH_SUBTREE lets you search the entire subtree.

Support for Retrieval of the DN of Searched Entries

The adapter can retrieve the Distinguished Name (DN) of an entry retrieved through search, in addition to the attributes of the entry. This functionality is available for the Search operation in the request-response service.

Alias Dereferencing

In an LDAP directory, an alias entry is an entry that points to another entry. Following an alias pointer is known as dereferencing an alias. In the LDAP directory, you can set a leaf entry to point to another object in the namespace. This alias entry contains the DN of the object to which it is pointing. When you look up an object by using the alias, the alias is dereferenced so that what is returned is the object pointed to by the alias's DN.

You can use aliases to organize the directory's namespace so that as the namespace evolves, old names may be used. Suppose, for example, that in the o=Wiz, c=us company, the departments ou=hardware and ou=software are merged into ou=engineering. You can move the contents of ou=hardware and ou=software to ou=engineering, and change the entries ou=hardware and ou=software into alias entries that point to ou=engineering.

The adapter only supports alias dereferencing for the SEARCH operation.

Microsoft Active Directory server does not support alias operations.

Publication Service Filter

While configuring the LDAP Adapter instance, you can specify an additional filter for the publication service.

Support for SEARCH Operation on Sub Class

The adapter can perform the SEARCH operation on a sub class. Checking the Handle Any Subset Of Configured Object classes checkbox in the Schema View tab enables the adapter to perform a service-specific operation on any subset of the configured object class. For example, the adapter can retrieve the entries belonging to sub class c when a service is configured for an object class a.b.c.d.

Therefore, if you configure a publication service for the object class inetorgperson and a publication filter telephoneNumber>1000, then all entries that satisfy both these criteria will be published by the adapter.

The filter should comply with the LDAP Search Filter Syntax described in the LDAP specification.

Persistent Publisher

The adapter supports publication of the changes on an LDAP server even if the adapter is not running when those changes are made on the server.

This functionality is available for Microsoft Active Directory, Microsoft Active Directory Application Mode, and Oracle Internet Directory.

Server Synchronization

The adapter supports synchronization of changes between two supported LDAP servers. This requires the Update Only If Different checkbox to be checked from the subscriber service.

Referrals

The adapter supports referrals. A server that does not store the requested data can refer the adapter to another server. Since a server might not store the entire DIT, servers need to be linked together in some way to form a distributed directory that contains the entire DIT. This is accomplished with referrals. The referral acts like a pointer that can be followed to where the desired information is stored.

Enhanced Logging Capability

If the adapter receives a message that causes an LDAP invocation error, then the adapter traces the complete message on the console and also logs it to a file so that you can manually recover and process these messages.

LDAP Schema Browser for Specifying Object Classes

The adapter provides an LDAP schema browser that allows you to browse and select from all the LDAP object classes available in the server’s LDAP schema. When using the LDAP schema browser to specify the object class, no sample entry is needed.