| | 1 | = How to Modify the EDIR Schema = |
| | 2 | Original Author - Beth Mercer 20081028 |
| | 3 | 20081028 sxelm How to Modify the EDIR Schema |
| | 4 | ========================================================================================== |
| | 5 | |
| | 6 | EDIR is comprised of an iPlanet Directory, Oracle Registry and web gateway. EDIR schema |
| | 7 | changes require that each of those components be modified in some manner. |
| | 8 | |
| | 9 | NOTE: Schema definitions are unique to a directory instance; they are not replicated between |
| | 10 | directory instances. Changes to attribute values under dc=alaska,dc=edu records, however, |
| | 11 | **are** replicated and the absence of an attribute definition in a target directory can |
| | 12 | cause problems. Therefore, always complete schema changes in all directory instances |
| | 13 | **before** making ACI, gateway and registry changes that allow the update of new attributes. |
| | 14 | |
| | 15 | +++++++++++++++++ |
| | 16 | iPlanet Directory |
| | 17 | +++++++++++++++++ |
| | 18 | |
| | 19 | An iPlanet directory instance is where the EDIR Web Gateway gets the information it |
| | 20 | displays and where (in addition to the registry) data changes are stored. The directory |
| | 21 | schema governs what attributes may be stored in EDIR. Directory ACIs govern who has |
| | 22 | access to what information. |
| | 23 | |
| | 24 | iPlanet schema (attribute and object) information is stored in text files that are read |
| | 25 | during instance startup. The file names are prefixed by a number; those prefixes other than |
| | 26 | 98 represent schema files provided by Sun, while 98-series files represent UA-specific schema |
| | 27 | information. While schema changes can be made via the iPlanet Console, **do not do so** for |
| | 28 | the EDIR project. Schema changes made via the console are written to iPlanet's configuration |
| | 29 | files where they are mixed up with other, non-EDIR, schema information. All EDIR related |
| | 30 | schema changes have been carefully placed in a separate configuration file. Edit that file to |
| | 31 | modify the EDIR schema. |
| | 32 | |
| | 33 | To modify the iPlanet EDIR schema: |
| | 34 | |
| | 35 | # ssh to iplanet account on edgar or elias |
| | 36 | # move to schema directory for particular directory instance |
| | 37 | cd /e01/iplanet/servers/slap-[edgar|elias][Test|Prep]/config/schema/ |
| | 38 | |
| | 39 | # list existing EDIR schema versions |
| | 40 | # making sure the current copy of 98uaSchemaAdditions.ldif has a datestamped backup |
| | 41 | ls -lrt 98uaSchemaAdditions* |
| | 42 | |
| | 43 | # copy 98uaSchemaAdditions.ldif to a new backup with today's date |
| | 44 | cp -p 98uaSchemaAdditions.ldif 98uaSchemaAdditions.ldif.$(date +'%Y%m%d') |
| | 45 | |
| | 46 | # edit the backup copy |
| | 47 | vi 98uaSchemaAdditions.ldif.$(date +'%Y%m%d') |
| | 48 | |
| | 49 | # diff the current and new schemas |
| | 50 | sdiff -s 98uaSchemaAdditions.ldif.$(date +'%Y%m%d') 98uaSchemaAdditions.ldif |
| | 51 | |
| | 52 | # if diff shows what is expected, overwrite current version with new version |
| | 53 | cp -p 98uaSchemaAdditions.ldif.$(date +'%Y%m%d') 98uaSchemaAdditions.ldif |
| | 54 | |
| | 55 | # bounce the directory instance |
| | 56 | pbrun [Prep|Test]stop-slapd |
| | 57 | pbrun [Prep|Test]start-slapd |
| | 58 | |
| | 59 | If after making schema changes, the directory instance should fail to start, restore the |
| | 60 | backup copy of 98uaSchemaAdditions.ldif and start directory. |
| | 61 | |
| | 62 | To modify the iPlanet EDIR ACIs: |
| | 63 | |
| | 64 | # ssh to iplanet account on edgar or elias |
| | 65 | # move to the directory containing ACI source |
| | 66 | cd local/ldap/schema |
| | 67 | |
| | 68 | # list existing EDIR ACI versions |
| | 69 | # making sure the current ACI file has a datestamped backup |
| | 70 | ls -lrt aci* |
| | 71 | |
| | 72 | # set up variables used in remaining syntax examples |
| | 73 | HOST=$(hostname) |
| | 74 | INST=Test # (null), Test or Prep |
| | 75 | PORT=13238 # 389, 13238 or 15462 |
| | 76 | FILENAME=aci.with_user_update.$(date +'%Y%m%d') # glean from other ACI file names |
| | 77 | echo ${HOST} ${INST} ${PORT} ${FILENAME} |
| | 78 | |
| | 79 | # make a date stamped copy of the most recent applicable ACI file |
| | 80 | # e.g. cp -p <applicable_file> ${FILENAME} |
| | 81 | |
| | 82 | # edit new copy of ACI file |
| | 83 | vi ${FILENAME} |
| | 84 | |
| | 85 | # count number of add: and delete: statements in file |
| | 86 | # that count should be matched when you next apply the ACIs |
| | 87 | egrep 'add:|delete:' ${FILENAME}|wc -l |
| | 88 | |
| | 89 | # apply ACIs to applicable directory instance |
| | 90 | (ldapmodify -p ${PORT} -h ${HOST}.alaska.edu -D "cn=Directory Manager" \ |
| | 91 | -j $HOME/.DirectoryManager${INST}.pass -c -v -f ${FILENAME}) | grep 'modify complete'|wc -l |
| | 92 | |
| | 93 | If your ACI changes include a NEW delete statement, the count of of "modify complete" |
| | 94 | statements will not match the count of add: and delete: statements (can't delete what didn't |
| | 95 | exist). Apply the ACI file a second time and check the counts. |
| | 96 | |
| | 97 | If the count of "modify complete" statements still does not match the count of add: and delete: |
| | 98 | statements, then reapply the prior version of the ACI file. |
| | 99 | |
| | 100 | |
| | 101 | |
| | 102 | +++++++++++++++ |
| | 103 | Oracle Registry |
| | 104 | +++++++++++++++ |
| | 105 | |
| | 106 | EDIR gateway updates are processed in the Oracle Registry before they are processed in |
| | 107 | the iPlanet Directory. The registry table LDAP_CLASS_ATTRIBS governs what attributes |
| | 108 | can be processed. The registry EDIR procedure enforces edit rules and performs the |
| | 109 | registry update. |
| | 110 | |
| | 111 | To modify the registry LDAP_CLASS_ATTRIBS table: |
| | 112 | |
| | 113 | # ssh to sxldap account on registry host, toklat or summit as appropriate. |
| | 114 | # connect to EDIR instance |
| | 115 | . ua_oracle rptt|q|s env |
| | 116 | sqlplus / |
| | 117 | |
| | 118 | # list current attributes |
| | 119 | set pages 2000 lines 132 |
| | 120 | column class format a30 |
| | 121 | column attributes format a30 |
| | 122 | column source format a30 |
| | 123 | select * from LDAP_CLASS_ATTRIBS order by attribute; |
| | 124 | |
| | 125 | # review list and determine appropriate change |
| | 126 | |
| | 127 | # delete an attribute |
| | 128 | delete LDAP_CLASS_ATTRIBS where attribute = '&case_sensitive_attrib_name'; |
| | 129 | |
| | 130 | # add an attribute (see NOTES) |
| | 131 | insert into LDAP_CLASS_ATTRIBS values ( |
| | 132 | '&case_sensitive_class_name', |
| | 133 | '&case_sensitive_attrib_name', |
| | 134 | '&privileged_flag_Y_N', |
| | 135 | '&selfserve_flag_Y_N', |
| | 136 | '&static_flag_Y_N', |
| | 137 | '&case_sensitive_source_name', |
| | 138 | '&isunique_flag_Y_N' |
| | 139 | ); |
| | 140 | |
| | 141 | # modify an attribute |
| | 142 | # either delete then add, |
| | 143 | # or write appropriate SQL update statement |
| | 144 | |
| | 145 | To modify the registry EDIR procedure, if special handling of the new attribute by EDIR |
| | 146 | is necessary: |
| | 147 | {{{ |
| | 148 | # ssh to sxldap account on summit |
| | 149 | # change to registry source code directory |
| | 150 | cd local/ldap/registry |
| | 151 | |
| | 152 | # list source files for EDIR procedure making sure the current copy |
| | 153 | # of create_package_edir.sql has a datestamped backup |
| | 154 | ls -lrt create_package_edir.sql* |
| | 155 | |
| | 156 | # copy create_package_edir.sql to a new backup with today's date |
| | 157 | cp -p create_package_edir.sql create_package_edir.sql.$(date +'%Y%m%d') |
| | 158 | |
| | 159 | # edit the backup copy |
| | 160 | vi create_package_edir.sql.$(date +'%Y%m%d') |
| | 161 | |
| | 162 | # diff the current and new versions |
| | 163 | sdiff -s create_package_edir.sql.$(date +'%Y%m%d') create_package_edir.sql |
| | 164 | |
| | 165 | # if diff shows what is expected, overwrite current version with new version |
| | 166 | cp -p create_package_edir.sql.$(date +'%Y%m%d') create_package_edir.sql |
| | 167 | |
| | 168 | # connect to EDIR instance and compile procedure - RPTQ before RPTS |
| | 169 | rpt[t|q|s] |
| | 170 | sqlplus / |
| | 171 | @create_package_edir.sql |
| | 172 | }}} |
| | 173 | |
| | 174 | If the EDIR procedure should fail to compile, restore the backup copy of create_package_edir.sql |
| | 175 | and execute that version of the source script. |
| | 176 | |
| | 177 | |
| | 178 | +++++++++++ |
| | 179 | Web Gateway |
| | 180 | +++++++++++ |
| | 181 | |
| | 182 | The EDIR Web Gateway utilizes attribute information stored in the CGI script ldap_lib.pm to |
| | 183 | control what attributes are displayed to what types of individuals. If a new attribute is |
| | 184 | not added to ldap_lib.pm, the attribute won't be displayed by the gateway. |
| | 185 | |
| | 186 | To modify the gateway ldap_lib.pm CGI script: |
| | 187 | {{{ |
| | 188 | # ssh to ldapgw account on an e-box host |
| | 189 | # move to EDIRTEST gateway directory |
| | 190 | cd EDIRTEST/cgi-bin |
| | 191 | |
| | 192 | # list existing ldap_lib.pm versions |
| | 193 | # making sure the current copy has a datestamped backup |
| | 194 | ls -lrt ldap_lib.pm |
| | 195 | |
| | 196 | # copy ldap_lib.pm to a new backup with today's date |
| | 197 | cp -p ldap_lib.pm ldap_lib.pm.$(date +'%Y%m%d') |
| | 198 | |
| | 199 | # edit the backup copy |
| | 200 | vi ldap_lib.pm.$(date +'%Y%m%d') |
| | 201 | |
| | 202 | # find getAttributes() function |
| | 203 | # add/delete/modify in ATTRIBUTES hash |
| | 204 | # N.B. a placeholder entry for an attribute which is not expected to be visible or |
| | 205 | # updated might look like this: |
| | 206 | # 'attribute name' => [99,'n','S','N','N','Displayable Attribute Name','','','',''], |
| | 207 | |
| | 208 | # diff the current and new schemas |
| | 209 | sdiff -s ldap_lib.pm.$(date +'%Y%m%d') ldap_lib.pm |
| | 210 | |
| | 211 | # if diff shows what is expected, overwrite current version with new version |
| | 212 | cp -p ldap_lib.pm.$(date +'%Y%m%d') ldap_lib.pm |
| | 213 | }}} |
| | 214 | If the Web Gateway does not function after making changes to ldap_lib.pm, restore the prior |
| | 215 | datestamped backup. |
| | 216 | |
| | 217 | '''Note:''' EDIRTEST/cgi-bin changes are subsequently copied to the PREP and PROD cgi-bin |
| | 218 | directories on the e-box hosts. |
| | 219 | |
| | 220 | ####################### |
| | 221 | NOTES |
| | 222 | |
| | 223 | 1. It appears that if an attribute is added to the directory but not to the registry, the update |
| | 224 | back end will continue to function normally. This is not intended to suggest that adding |
| | 225 | attributes to the directory but not the registry is a good idea. |
| | 226 | |
| | 227 | 2. It appears that the only code in which this table is referenced is the stored procedures in |
| | 228 | create_package_edir.sql (i.e. the "registry EDIR procedure"), and the CLASS, ISUNIQUE and |
| | 229 | ATTRIBUTE columns are the only ones currently referenced. This is not to suggest that it is |
| | 230 | a good idea to omit fully documenting attributes by adding entries for them to this table. |
| | 231 | |
| | 232 | 3. It appears that each row of the LDAP_CLASS_ATTRIBS table describes one directory attribute. |
| | 233 | The column definitions of the LDAP_CLASS_ATTRIBS table are something like: |
| | 234 | |
| | 235 | CLASS - the object class to which the attribute belongs, e.g. eduPersonAffiliation belongs |
| | 236 | to the eduPerson object class. |
| | 237 | ATTRIBUTE - attribute name, e.g. eduPersonAffiliation |
| | 238 | PRIVILEGED - don't know exactly what this column means, but it is Y for these attributes: |
| | 239 | userPassword |
| | 240 | defaultPassword |
| | 241 | uakSecQuestion |
| | 242 | uakSecResponse |
| | 243 | and NULL otherwise. |
| | 244 | SELFSERVE - this appears to be Y for attributes which can be changed via self-service and |
| | 245 | NULL otherwise. |
| | 246 | STATIC - this column appears to be Y for attributes which normally do not change over the |
| | 247 | lifetime of the entry, currently: |
| | 248 | c(ountry) |
| | 249 | o(rganization) |
| | 250 | uid |
| | 251 | ou |
| | 252 | and NULL otherwise. |
| | 253 | SOURCE - this column seems to contain an abbreviation representing from where in Banner the |
| | 254 | datum was drawn: |
| | 255 | bgen (Banner General?) |
| | 256 | bhr (Banner HR?) |
| | 257 | bfac (Banner ?) |
| | 258 | bstu (Banner ?) |
| | 259 | it is always NULL when SELFSERV = Y. |
| | 260 | ISUNIQUE - this column appears to be Y (or in one case T) for attributes intended to be single- |
| | 261 | valued. This intent is generally not enforced in the directory, and there are attributes |
| | 262 | defined as single-valued in the directory which are not defined as such in this table. |
| | 263 | DEFAULT_VALUE - this column appears to be the default for this attribute or else NULL. |
| | 264 | |
| | 265 | 4. It appears that every directory attribute except objectClass has a row in LDAP_CLASS_ATTRIBS. |
| | 266 | objectClass has a column (CLASS) in this table. Recall that the objectClass attributes in a |
| | 267 | directory entry list the object classes to which the entry belongs, and the attributes of the |
| | 268 | entry belong to one of the object classes. So the object class information is more appropriately |
| | 269 | stored in a column rather than a row. |
| | 270 | |
| | 271 | |
| | 272 | ####################### |
| | 273 | DOCUMENT CHANGE HISTORY |
| | 274 | |
| | 275 | 20081028 elm Added clarifying statements about need to remove directories from |
| | 276 | Equalizer mix before making schema changes and to make schema changes |
| | 277 | in all directory instances before enabling updates to new attributes. |
| | 278 | 20090622 mpa Added NOTES and miscellaneous small corrections. |
| | 279 | |
| | 280 | ========================================================================================== |
| | 281 | (eof) |