Copyright © TIBCO Software Inc. All Rights Reserved



Supported LDAP Operations and Message Structure
TIBCO ActiveMatrix Adapter for LDAP supports the following:
These operations are done in the context of the wire schema and the native schema.
Native schema contains the attribute names (field names) of any object class that is configured for the service. Each attribute is a multi-value sequence of strings.
For example, if the object class is inetOrgPerson, the native schema is:
inetOrgPerson
{
     sn
     cn
     telephoneNumber
       {
       
       
       }
     .
     .
     .
}
Wire schema contains the native schema as well as the Opcode, DN, NewDN, ObjectClass, SearchCondition, and Attributes.
For example:
inetOrgPerson
{
     Opcode
     DN
     NewDN
     ObjectClass
     SearchCondition
     Attributes
     {
          sn
          cn
          telephoneNumber
          .
          .
          .
     }
}
Details about an LDAP operation are specified using a wire schema.
You can specify an Opcode by its acronym. For example, if you specify AT for the INSERT operation, the adapter will use only the first character of the acronym. The same applies to all Opcodes. For Opcodes that have a two-letter acronym, the adapter will use the first two characters and ignore all subsequent characters. However, if the first letter of an acronym is not valid, the adapter will display an error.
INSERT Operation
The INSERT operation uses the LDAP_ADD or A operation codes and will add an entry to the LDAP server.
For an INSERT operation using the LDAP_ADD operation code, the inbound message will be in the following format:
 
inetorgperson
{
     Opcode = "LDAP_ADD"
     DN = "uid=xyz,ou=People,o=abc.com"
     inetOrgPerson
        {
          sn = "abc"
          cn = "def"
          telephoneNumber = "123233"
          objectClass="inetOrgPerson"
        }
}
The details specified in the native schema will be added for the entry specified in the DN field.
DELETE Operation
The DELETE operation uses the LDAP_DELETE or D operation codes, and will delete an entry from the LDAP server.
For a DELETE operation using the LDAP_DELETE Opcode, the inbound message will be in the following format:
inetorgperson
{
     Opcode = "LDAP_DELETE"
     DN = "uid=xyz,ou=People,o=abc.com"
}
For a DELETE operation, the native schema is not required.
UPDATE Operation
The UPDATE operation uses the LDAP_MODIFY or M operation codes, and will modify the entry on the LDAP server by overwriting the existing attribute values in the entry.
The UPDATE operation can be specified as:
Opcode = LDAP_MODIFY
Opcode = LDAP_MOD_REPLACE or MR
Opcode = LDAP_MOD_ADD or MA
Opcode = LDAP_MOD_DELETE or MD
LDAP_MOD_REPLACE or MR will overwrite the existing attribute values with the new attribute values specified.
LDAP_MOD_ADD or MA will add the new attribute values to the old entry only if the original entry does not contain the attribute values being added.
LDAP_MOD_DELETE or MD will delete the specified attribute values from an entry.
For the UPDATE operation using the LDAP_MODIFY Opcode, the inbound message will be in the following format:
inetorgperson
{
     Opcode = "LDAP_MODIFY"
     DN = "uid=xyz,ou=People,o=abc.com"
     inetOrgPerson
        {
          sn = "abc1"
          cn = "def1"
          telephoneNumber = "1232331"
        }
}
MODIFY DN Operation
The MODIFY DN operation replaces the RDN (Relative Distinguished Name) of an entry specified in the DN field with the RDN specified in the NewDN field. This operation uses the LDAP_MODIFYKEY or MK operation codes.
For example, for the MODIFY DN operation using the LDAP_MODIFYKEY Opcode, the inbound message appears in the following format:
inetorgperson
{
     Opcode = "LDAP_MODIFYKEY"
     DN = "uid=xyz,ou=People,o=abc.com"
     NewDN="uid=ijk"
}
UPSERT Operation
The UPSERT operation is an INSERT or an UPDATE operation. If the entry does not exist, it will be added. If the entry exists, it will be modified. This operation uses the LDAP_UPSERT or U operation codes.
For the UPSERT operation using the LDAP_UPSERT Opcode, the inbound message will be in the following format:
inetorgperson
{
     Opcode = "LDAP_UPSERT"
     DN = "uid=xyz,ou=People,o=abc.com"
     inetOrgPerson
        {
          sn = "abc"
          cn = "def"
          telephoneNumber = "123233"
          objectClass="inetOrgPerson"
        }
}
LOOKUP Operation
This operation is available with the request-response service. The LOOKUP operation uses the LDAP_LOOKUP or L operation codes.
For the LOOKUP operation using the LDAP_LOOKUP operation code, the inbound message will be in the following format:
inetorgperson
{
     Opcode = "LDAP_LOOKUP"
     DN = "uid=xyz,ou=People,o=abc.com"
}
For the LOOKUP operation, native schema is not required as you are merely checking if the entry exists or not.
SEARCH Operation
This operation is available with the request-response service. The SEARCH operation can be specified as:
Opcode = LDAP_SEARCH or SS
Opcode = LDAP_SEARCH_BASE or SB
Opcode = LDAP_SEARCH_ONELEVEL or SO
Opcode = LDAP_SEARCH_SUBTREE
LDAP_SEARCH_BASE searches for an entry using a search condition. LDAP_SEARCH_ONELEVEL searches one level below the base using a search condition, not including the base. LDAP_SEARCH_SUBTREE searches the entire subtree.
LDAP_SEARCH and LDAP_SEARCH_SUBTREE are the same.
For details on search filters and their syntax, see the following RFC at http://www.ietf.org/rfc/rfc1558.txt
For the SEARCH operation, the inbound message will be in the following format:
inetorgperson
{
     Opcode = "LDAP_SEARCH"
     DN = "ou=People,o=abc.com"
     SearchCondition = "mail=someone@somewhere.com"
}
OR
inetorgperson
{
     Opcode = "LDAP_SEARCH"
     DN = "ou=People,o=abc.com"
     SearchCondition = "mail=someone@somewhere.com"
     Attributes =
        {
          telephoneNumber
          MobileNumber
        }
}
In the first search condition, all entries that match the search criteria are returned with all the details of each entry, including the DN.
In the second search condition, only the details specified as the Attributes (telephoneNumber and MobileNumber) are returned along with the DN.
The outbound message will be in the following format:
inetorgperson
{
     inetorgperson
       {
         DN = "uid=abc,ou=People,o=abc.com"
         inetorgperson
          {
 
          }
       }
 
     inetorgperson
       {
         DN = "uid=xyz,ou=People,o=abc.com"
         inetorgperson
          {
 
          }
       }
 
     .
     .
     .
}
When you perform a search, a number of entries may be retrieved. Therefore, the outbound message will be a sequence of wire schemas, each holding the details of one entry as specified in the native schema. Each entry is identified by its DN, which is given in the wire schema.
You can also set an attribute filter. The adapter search operation can fetch a subset of the attributes of the configured object class; specify this subset in the Attributes attribute of the request-response Server service schema.
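The SearchCondition is an LDAP filter, so a value copied into it from caller input can change what the filter matches unless its metacharacters are escaped. The following added example (not TIBCO code) builds the SEARCH message fields as a Python dict, escaping the value per RFC 4515 and checking the requested Attributes against an allow-list. Assumptions: the function names and the dict representation are hypothetical, and the directory server is assumed to accept RFC 4515 hex escapes.

```python
import re

# RFC 4515 section 3: characters that must be hex-escaped inside a filter value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
# Attribute names: a letter followed by letters, digits or hyphens.
_ATTR_NAME = re.compile(r"[A-Za-z][A-Za-z0-9-]*")


def escape_filter_value(value):
    """Escape a value so it cannot change the structure of the filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_search_request(base_dn, attr, value, wanted=(), allowed=frozenset()):
    """Return the fields of an LDAP_SEARCH inbound message as a dict.

    base_dn is trusted configuration; attr, value and wanted may come from a caller.
    """
    if not _ATTR_NAME.fullmatch(attr):
        raise ValueError(f"bad attribute name in filter: {attr!r}")
    unknown = [a for a in wanted if a not in allowed]
    if unknown:
        raise ValueError(f"attributes not on the allow-list: {unknown}")
    msg = {
        "Opcode": "LDAP_SEARCH",
        "DN": base_dn,
        "SearchCondition": f"{attr}={escape_filter_value(value)}",
    }
    if wanted:
        msg["Attributes"] = list(wanted)
    return msg


if __name__ == "__main__":
    allowed = frozenset({"telephoneNumber", "MobileNumber"})
    # Constructed inputs: the page's sample value and one containing metacharacters.
    for v in ("someone@somewhere.com", "Smith (Jr.)*"):
        print(build_search_request("ou=People,o=abc.com", "mail", v,
                                   ["telephoneNumber"], allowed))
```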
 
AUTHENTICATE Operation
This operation is available only for the request-response service. The AUTHENTICATE operation uses the LDAP_VALIDATE_USR or V operation codes.
For the AUTHENTICATE operation using the LDAP_VALIDATE_USR operation code, the inbound message will be in the following format:
inetorgperson
{
   Opcode = "LDAP_VALIDATE_USR"
   DN = "uid=xyz,ou=People,o=abc.com"
   Password = "secret"
}
 
For the AUTHENTICATE operation, there is no native schema as you are merely checking if the entry can be authenticated or not.
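A check that could sit in front of the adapter, as an added example (not TIBCO code): it verifies that a message carries the fields its Opcode needs according to the formats above, rejects an empty Password, and masks the Password before the message is logged. Assumptions: messages are held as Python dicts with the object-class block under a hypothetical "native" key, only full Opcode names are accepted (stricter than the adapter's acronym matching), and the LDAP_MOD_* and LDAP_SEARCH_* variants need the same fields as LDAP_MODIFY and LDAP_SEARCH.

```python
import copy

NATIVE = "native"  # hypothetical key for the nested object-class block
_WITH_ENTRY = {"DN", NATIVE}
_SEARCH = {"DN", "SearchCondition"}

# Fields each Opcode needs, read off the message formats shown on this page.
# Assumption: the LDAP_MOD_* and LDAP_SEARCH_* variants take the same fields
# as LDAP_MODIFY and LDAP_SEARCH.
REQUIRED = {
    "LDAP_ADD": _WITH_ENTRY,
    "LDAP_DELETE": {"DN"},
    "LDAP_MODIFY": _WITH_ENTRY,
    "LDAP_MOD_REPLACE": _WITH_ENTRY,
    "LDAP_MOD_ADD": _WITH_ENTRY,
    "LDAP_MOD_DELETE": _WITH_ENTRY,
    "LDAP_MODIFYKEY": {"DN", "NewDN"},
    "LDAP_UPSERT": _WITH_ENTRY,
    "LDAP_LOOKUP": {"DN"},
    "LDAP_SEARCH": _SEARCH,
    "LDAP_SEARCH_BASE": _SEARCH,
    "LDAP_SEARCH_ONELEVEL": _SEARCH,
    "LDAP_SEARCH_SUBTREE": _SEARCH,
    "LDAP_VALIDATE_USR": {"DN", "Password"},
}


def validate(msg):
    """Return a list of problems; an empty list means the message is well formed."""
    opcode = msg.get("Opcode")
    if not isinstance(opcode, str) or opcode not in REQUIRED:
        return [f"unknown Opcode: {opcode!r}"]
    # Empty strings count as missing, which also rejects an empty Password.
    problems = [f"{opcode}: missing or empty {name}"
                for name in sorted(REQUIRED[opcode]) if not msg.get(name)]
    if "Password" in msg and opcode != "LDAP_VALIDATE_USR":
        problems.append(f"{opcode}: unexpected Password field")
    return problems


def redact(msg):
    """Copy a message for logging with the Password value masked."""
    safe = copy.deepcopy(msg)
    if "Password" in safe:
        safe["Password"] = "***"
    return safe
```

Rejecting the empty Password matters when validation is done by an LDAP simple bind, because RFC 4513 treats a bind with a DN and a zero-length password as an unauthenticated bind; the page does not say how the adapter validates.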
