Address: http://www.lrz-muenchen.de/services/sonstiges/mytumschema/draft-sermersheim-nds-ldap-schema-03.txt
DSObjectClassDescription = "(" whsp
numericoid whsp ; ObjectClass identifier
["NAME" qdescrs]
["DESC" qdstring]
["OBSOLETE" whsp]
["SUP" oids ] ; Superior ObjectClasses
[("ABSTRACT" / "STRUCTURAL" / "AUXILIARY") whsp]
; default structural
["MUST" oids] ; AttributeTypes
["MAY" oids] ; AttributeTypes
["X-NDS_NAMING" qdstrings]
["X-NDS_CONTAINMENT" qdstrings]
["X-NDS_NAME" qdstrings] ; legacy NDS name
["X-NDS_NOT_CONTAINER" qdstrings] ; default container ('0')
["X-NDS_NONREMOVABLE" qdstrings] ; default removable ('0')
whsp ")"
The qdstrings following X-NDS_NAMING holds a list of all attribute
type names that may be used to name this object class. If this term
is not supplied when defining an object class, it will automatically
be filled with a list of all MUST and MAY attributes defined for
this object class that use any of the following syntaxes: Country
String, Directory String, IA5 String, and Printable String.
The qdstrings following X-NDS_CONTAINMENT contains a list of all
object class names that may contain this object class. In other
words, only entries that are of an object class listed here may be a
direct superior in the DIT to entries of this object class. If this
term is not included when defining an object class, it will be
automatically filled with ( 'c' 'o' 'ou' 'l' 'domain' ).
X-NDS_NAME is followed by a qdstrings that contains the legacy NDS
name for this object class. An example is ('Organizational Person').
Because NDS was created before LDAP was defined, it sometimes
doesn't adhere to the exact same rules as LDAP. One such LDAP rule
is that the names of schema elements cannot contain anything other
than ASCII letters, the hyphen character and semicolon. NDS allows
Sermersheim Informational - Expires Jan 2003 3
LDAP Schema for NDS May 2002
spaces, colons, and others. For this reason, some schema elements
will have LDAP names that differ from the NDS names that they were
first known as.
Valid values for the qdstrings following X-NDS_NOT_CONTAINER are '0'
(false) and '1' (true). If true, instances of this object class may
not contain other object entries (it may be nothing other than a
leaf node).
Valid values for the qdstrings following X-NDS_NONREMOVABLE are '0'
(false) and '1' (true). If true, this object class SHALL NOT be
removed from the schema.
4.4. Attribute Description
The NDSAttributeTypeDescription defined here adds to the
AttributeTypeDescription, which is defined in section 4.2 of
[RFC2252]. The added terms, which begin with the characters
"X-NDS_", exist to describe NDS-specific attribute constraints which
have not yet been adopted by LDAP attributes.
Lines have been folded for readability; transmissions of the
NDSAttributeTypeDescription do not contain newlines. The descriptions
of whsp, qdescrs, qdstring, woid, numericstring, and noidlen are
given in section 4.3.2 of [RFC2252].
NDSAttributeTypeDescription = "(" whsp
numericoid whsp ; AttributeType identifier
["NAME" qdescrs] ; name used in AttributeType
["DESC" qdstring] ; description
["OBSOLETE" whsp]
["SUP" woid] ; derived from this other
; AttributeType
["EQUALITY" woid] ; Matching Rule name
["ORDERING" woid] ; Matching Rule name
["SUBSTR" woid] ; Matching Rule name
["SYNTAX" whsp noidlen whsp] ; see section 4.3 of[RFC2252]
["SINGLE-VALUE" whsp] ; default multi-valued
["COLLECTIVE" whsp] ; default not collective
["NO-USER-MODIFICATION" whsp] ; default user modifiable
["USAGE" whsp AttributeUsage] ; default userApplications
["X-NDS_NAME" qdstrings] ; legacy NDS name
["X-NDS_LOWER_BOUND" qdstrings] ; lower bound. default
; ('0')(upper is specified in
; SYNTAX)
["X-NDS_UPPER_BOUND" qdstrings] ; reserved
["X-NDS_NOT_SCHED_SYNC_IMMEDIATE" qdstrings]
; default sched sync
; immediate ('0')
["X-NDS_NON_REMOVABLE" qdstrings] ; default false ('0')
["X-NDS_PUBLIC_READ" qdstrings] ; default false ('0')
["X-NDS_SERVER_READ" qdstrings] ; default false ('0')
["X-NDS_HIDDEN" qdstrings] ; default false ('0')
["X-NDS_NEVER_SYNC" qdstrings] ; default false ('0')
["X-NDS_SCHED_SYNC_NEVER" qdstrings]
; default schedule sync ('0')
["X-NDS_NAME_VALUE_ACCESS" qdstrings] ; default false ('0')
["X-NDS_BOTH_MANAGED" qdstrings]; default false ('0')
["X-NDS_ENCRYPTED_SYNC" qdstrings] ; default false ('0')
["X-NDS_FILTERED_REQUIRED" qdstrings] ; default false ('0')
["X-NDS_FILTERED_OPERATIONAL" qdstrings] ; default false ('0')
whsp ")"
AttributeUsage =
"userApplications" /
"directoryOperation" /
"distributedOperation" / ; DSA-shared
"dSAOperation" ; DSA-specific, value depends
; on server
X-NDS_NAME is followed by a qdstrings that contains the legacy NDS
name for this attribute type. An example is ('Given Name'). Because
NDS was created before LDAP was defined, it sometimes doesn't adhere
to the exact same rules as LDAP. One such LDAP rule is that the
names of schema elements cannot contain anything other than ASCII
letters, the hyphen character and semicolon. NDS allows spaces,
colons, and others. For this reason, some schema elements will have
LDAP names that differ from the NDS names that they were first known
as.
The valid value for the qdstrings following X-NDS_LOWER_BOUND is a
quoted uint32string. This represents the lowest value that may be
used in this attribute. LDAP only allows for an upper bound (see the
definition of noidlen in RFC 2252).
Valid values for the qdstrings following
X-NDS_NOT_SCHED_SYNC_IMMEDIATE are '0' (false) and '1' (true). By
default, any update to an attribute value will cause a replica
synchronization session to occur within 10 seconds. If this flag is
set to true, updates to this attribute won't immediately initiate a
synchronization session, instead, a synchronization session will be
initiated within 30 minutes. At that time the updates will be
replicated to other servers.
The qdstrings following X-NDS_NON_REMOVABLE may be either '0'
(false) or '1' (true). If true, this attribute cannot be removed
from a class definition. This setting can only be set by the system
and is read-only.
Valid values for the qdstrings following X-NDS_PUBLIC_READ are '0'
(false) and '1' (true). Setting this value to true indicates that
anyone can read the attribute without read privileges being
assigned. The use of ACLs to restrict access to this attribute
will be ineffective.
Valid values for the qdstrings following X-NDS_SERVER_READ are '0'
(false) and '1' (true). When this is true, server class objects can
read the attribute even though the privilege to read has not been
granted. Clients cannot set or modify this value.
Valid values for the qdstrings following X-NDS_HIDDEN are '0'
(false) and '1' (true). It specifies (when true) that the attribute
is hidden from user applications. Typically these attributes are
also operational (server generated). This setting is read-only.
Valid values for the qdstrings following X-NDS_NEVER_SYNC are '0'
(false) and '1' (true). True here, indicates that this attribute is
never synchronized on other replicas. Clients may not set or modify
this value.
Valid values for the qdstrings following X-NDS_SCHED_SYNC_NEVER are
'0' (false) and '1' (true). If this flag is set to true, updates to
this attribute will not cause a synchronization session to be
scheduled. Note that this flag does not prevent the attribute from
being synchronized like the X-NDS_NEVER_SYNC does. Once a
synchronization session is initiated by another process, the updates
to this attribute will be replicated. After the creation of an
AttributeType, this field cannot be updated.
Valid values for the qdstrings following X-NDS_NAME_VALUE_ACCESS are
'0' (false) and '1' (true). This is specified only when the
attribute uses a Distinguished Name syntax. It specifies (when true)
that the subject (user) must have management rights (write
permissions on the acl attribute) to the entry which the DN names,
that is being added or removed from this attribute. In other words,
if this is set on my 'friends' attribute, I can't add your DN to my
list of friends unless I have write permissions to your acl
attribute. For those who are familiar with legacy NDS access APIs,
this is the "Write Managed" flag and is renamed here for clarity.
Valid values for the qdstrings following X-NDS_BOTH_MANAGED are '0'
(false) and '1' (true). This is specified only when the attribute
uses a Distinguished Name syntax. It specifies (when true) that the
subject (user) must have management rights (write permissions on the
acl attribute) to the entry which the DN names, that is being added
or removed from this attribute as well as management rights to the
entry being written to. In other words, if this is set on my
'friends' attribute, I can't add your DN to my list of friends
unless I have write permissions to your acl attribute, and write
permissions to my acl attribute.
Valid values for the qdstrings following X-NDS_ENCRYPTED_SYNC are
'0' (false) and '1' (true). It specifies (when true) that values of
this attribute are encrypted during the synchronization process.
Valid values for the qdstrings following X-NDS_FILTERED_REQUIRED are
'0' (false) and '1' (true). It specifies (when true) that this
attribute will be present on filtered replicas, even if the filter
is set to prevent it.
Valid values for the qdstrings following X-NDS_FILTERED_OPERATIONAL
are '0' (false) and '1' (true). It specifies (when true) that this
attribute on an external reference will exist on a filtered replica
even if the filter is set to prevent it.
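As an added example (not code from the draft or from Novell), the following Python parses object class and attribute type descriptions written in the form the two grammars above give, treating every keyword that begins with "X-" as an NDS extension term, and derives the things the text describes: the X-NDS_NAMING default computed from the MUST and MAY attributes that use one of the four string syntaxes, the X-NDS_CONTAINMENT default, the X-NDS_LOWER_BOUND / SYNTAX upper bound pair, and a short audit of the access-related flags (X-NDS_PUBLIC_READ, X-NDS_SERVER_READ, X-NDS_HIDDEN, X-NDS_NEVER_SYNC, X-NDS_NAME_VALUE_ACCESS, X-NDS_BOTH_MANAGED). The sample descriptions, the 9.9.9.x OIDs and the SYNTAX_OF lookup table are constructed for the example; the four string syntax OIDs come from RFC 2252 rather than from this page; the audit messages paraphrase the draft's flag descriptions.

```python
import re

# Keywords of the RFC 2252 grammars the draft extends; tokens beginning with
# "X-" are the draft's extension keywords.
KEYWORDS = {"NAME", "DESC", "OBSOLETE", "SUP", "ABSTRACT", "STRUCTURAL",
            "AUXILIARY", "MUST", "MAY", "EQUALITY", "ORDERING", "SUBSTR",
            "SYNTAX", "SINGLE-VALUE", "COLLECTIVE", "NO-USER-MODIFICATION", "USAGE"}
TOKEN_RE = re.compile(r"\(|\)|\$|'[^']*'|[^\s()$']+")
# RFC 2252 OIDs of Country, Directory, IA5 and Printable String (taken from
# RFC 2252, not from the draft): the syntaxes behind the X-NDS_NAMING default.
STRING_SYNTAXES = {"1.3.6.1.4.1.1466.115.121.1.11", "1.3.6.1.4.1.1466.115.121.1.15",
                   "1.3.6.1.4.1.1466.115.121.1.26", "1.3.6.1.4.1.1466.115.121.1.44"}
DEFAULT_CONTAINMENT = ["c", "o", "ou", "l", "domain"]

def is_keyword(tok):
    return tok in KEYWORDS or tok.startswith("X-")

def unquote(tok):
    return tok[1:-1] if tok.startswith("'") else tok

def parse_description(text):
    """Parse "( oid KEYWORD value ... )" into {'oid', 'terms': {KEYWORD: [values]}}.
    Flags such as OBSOLETE map to []; ( 'a' 'b' ) and ( a $ b ) become lists."""
    toks = TOKEN_RE.findall(text)
    if len(toks) < 3 or toks[0] != "(" or toks[-1] != ")":
        raise ValueError("description must be enclosed in parentheses")
    terms, i, last = {}, 2, len(toks) - 1
    while i < last:
        kw = toks[i]
        if not is_keyword(kw):
            raise ValueError(f"expected a keyword, got {kw!r}")
        i, values = i + 1, []
        if i < last and toks[i] == "(":               # parenthesised list
            i += 1
            while toks[i] != ")":
                if toks[i] != "$":
                    values.append(unquote(toks[i]))
                i += 1
            i += 1
        elif i < last and not is_keyword(toks[i]):    # single value
            values.append(unquote(toks[i]))
            i += 1
        terms[kw] = values
    return {"oid": toks[1], "terms": terms}

def nds_flag(desc, term):
    """Boolean X-NDS_* terms carry '0' (false, the default) or '1' (true)."""
    vals = desc["terms"].get(term, [])
    return bool(vals) and vals[0] == "1"

def syntax_bounds(desc):
    """(syntax_oid, lower, upper): lower from X-NDS_LOWER_BOUND (default 0),
    upper from the {len} suffix of the SYNTAX noidlen (None when absent)."""
    syntax, upper = (desc["terms"].get("SYNTAX") or [None])[0], None
    m = re.fullmatch(r"([0-9.]+)(?:\{(\d+)\})?", syntax or "")
    if m:
        syntax, upper = m.group(1), (int(m.group(2)) if m.group(2) else None)
    lower = int((desc["terms"].get("X-NDS_LOWER_BOUND") or ["0"])[0])
    return syntax, lower, upper

def audit_attribute(desc):
    """Reviewer findings derived from the flag semantics the draft describes
    (messages are paraphrases, not draft text)."""
    checks = [("X-NDS_PUBLIC_READ", "readable by anyone; ACLs on it are ineffective"),
              ("X-NDS_SERVER_READ", "server objects read it without a granted privilege"),
              ("X-NDS_HIDDEN", "hidden from user applications"),
              ("X-NDS_NEVER_SYNC", "never synchronized to other replicas"),
              ("X-NDS_NAME_VALUE_ACCESS", "DN values need management rights on the named entry"),
              ("X-NDS_BOTH_MANAGED", "DN values need management rights on both entries")]
    findings = [msg for term, msg in checks if nds_flag(desc, term)]
    _, lower, upper = syntax_bounds(desc)
    if upper is not None and lower > upper:
        findings.append(f"X-NDS_LOWER_BOUND {lower} exceeds SYNTAX upper bound {upper}")
    return findings

def naming_attributes(oc, syntax_of):
    """X-NDS_NAMING, or its default: the MUST/MAY attributes whose syntax is one
    of the four string syntaxes. syntax_of maps attribute name -> syntax OID."""
    explicit = oc["terms"].get("X-NDS_NAMING")
    if explicit:
        return explicit
    attrs = oc["terms"].get("MUST", []) + oc["terms"].get("MAY", [])
    return [a for a in attrs if syntax_of.get(a) in STRING_SYNTAXES]

def containment(oc):
    """X-NDS_CONTAINMENT, or the draft's default list when the term is absent."""
    return oc["terms"].get("X-NDS_CONTAINMENT") or list(DEFAULT_CONTAINMENT)

# Constructed samples: placeholder OIDs (9.9.9.x) and an invented attribute ->
# syntax map standing in for a real schema lookup.
SAMPLE_ATTRIBUTE = ("( 9.9.9.1 NAME 'friends' DESC 'constructed example' "
                    "SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 X-NDS_NAME 'Friends' "
                    "X-NDS_PUBLIC_READ '1' X-NDS_NAME_VALUE_ACCESS '1' )")
SAMPLE_OBJECTCLASS = ("( 9.9.9.2 NAME 'exampleThing' SUP top STRUCTURAL "
                      "MUST ( cn $ exampleCode ) MAY ( description $ seeAlso ) "
                      "X-NDS_NOT_CONTAINER '1' )")
SYNTAX_OF = {"cn": "1.3.6.1.4.1.1466.115.121.1.15",           # Directory String
             "exampleCode": "1.3.6.1.4.1.1466.115.121.1.27",  # Integer
             "description": "1.3.6.1.4.1.1466.115.121.1.15",  # Directory String
             "seeAlso": "1.3.6.1.4.1.1466.115.121.1.12"}      # DN
```

Calling parse_description on SAMPLE_ATTRIBUTE and passing the result to audit_attribute reports the two findings the sample carries (public readability that ACLs cannot restrict, and the management-rights requirement on DN values); running the same over every attributeTypes value of a real schema subentry gives a quick inventory of which attributes can be read without a granted read privilege, which is the first thing to check when reviewing what a directory exposes. naming_attributes applied to SAMPLE_OBJECTCLASS yields cn and description, the two MUST/MAY attributes with a string syntax, exactly as the X-NDS_NAMING default rule prescribes.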
5. Syntaxes
The NDSSyntaxDescription defined here adds to the
SyntaxDescription, which is defined in section 4.3.3 of [RFC2252].
The added terms, which begin with the characters
"X-NDS_", exist to describe NDS-specific information.
Lines have been folded for readability; transmissions of the
NDSSyntaxDescription do not contain newlines. The descriptions of
whsp, qdstring, and numericoid are given in section 4.1 of
[RFC2252].
NDSSyntaxDescription = "(" whsp
numericoid whsp ; Syntax identifier
[ "DESC" qdstring ] ; description
[ "X-NDS_SYNTAX" qdstrings ] ; legacy NDS syntax identifier
whsp ")"
NDS servers MUST, and Clients that wish to operate with NDS servers
SHOULD recognize all the syntaxes described in this section.
5.1 Case Ignore List
( 2.16.840.1.113719.1.1.5.1.6 DESC 'Case Ignore List' )
This syntax is the same as Postal Address (6.27 of [RFC2252]) except
there is no limitation of characters per line, nor number of lines.
NDS limits Postal Address to six strings.
Values in this syntax are encoded according to the following BNF:
caseIgnorelist = dstring *( "$" dstring )
Backslashes and dollar characters are escaped as described in 6.27
of [RFC2252].
The following ASN.1 data type is used to represent this syntax when
transferred in BER form (see 4.1):
caseIgnorelist ::= SEQUENCE OF LDAPString
Attributes of this syntax match for equality using
caseIgnoreListMatch (2.5.13.11)
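As an added example (not code from the draft), the following Python encodes and decodes Case Ignore List values according to the BNF above, applying the RFC 2252 section 4.3 escapes for the two characters that would otherwise be ambiguous (a backslash becomes "\5C" and a dollar sign becomes "\24"; the decoder accepts either hex case), checks the six-string limit the draft says NDS applies to Postal Address but not to this syntax, and implements a simplified caseIgnoreListMatch (case-insensitive comparison of each component with insignificant whitespace collapsed; the full matching rule's treatment of Unicode is an assumption left out here). The sample values are constructed.

```python
import re

# The only escapes RFC 2252 section 4.3 defines for these strings:
# "\24" is a literal dollar sign and "\5c" (or "\5C") a literal backslash.
ESCAPE_RE = re.compile(r"\\(24|5[cC])")

def escape_component(s):
    # Escape backslashes first so the backslashes introduced by the dollar
    # escape are not escaped a second time.
    return s.replace("\\", "\\5C").replace("$", "\\24")

def unescape_component(s):
    # One left-to-right pass, so "\5C24" decodes to the two characters "\24"
    # rather than being re-read as an escaped dollar sign.
    return ESCAPE_RE.sub(lambda m: "$" if m.group(1) == "24" else "\\", s)

def encode_case_ignore_list(components):
    """caseIgnorelist = dstring *( "$" dstring ): at least one component,
    components joined by an unescaped '$'."""
    if not components:
        raise ValueError("caseIgnorelist needs at least one dstring")
    return "$".join(escape_component(c) for c in components)

def decode_case_ignore_list(value):
    # Every literal '$' inside a component is encoded as "\24", so an unescaped
    # '$' can only be a separator and a plain split is correct.
    return [unescape_component(part) for part in value.split("$")]

def within_nds_postal_address_limit(components):
    """The draft says NDS limits Postal Address to six strings; Case Ignore
    List carries no such limit, so this check only matters when a value is
    about to be stored in a Postal Address attribute instead."""
    return len(components) <= 6

def fold(s):
    # Collapse insignificant whitespace and ignore case for matching.
    return " ".join(s.split()).casefold()

def case_ignore_list_match(a, b):
    """Simplified caseIgnoreListMatch (2.5.13.11): same number of components,
    each pair equal after case folding and whitespace normalisation."""
    return len(a) == len(b) and all(fold(x) == fold(y) for x, y in zip(a, b))

# Constructed sample: a three-component value containing both special characters.
SAMPLE_COMPONENTS = ["Building A$B", "C:\\share\\docs", "Munich"]
SAMPLE_ENCODED = encode_case_ignore_list(SAMPLE_COMPONENTS)
```

SAMPLE_ENCODED comes out as "Building A\24B$C:\5Cshare\5Cdocs$Munich", and decode_case_ignore_list returns the original three components; a value with seven components decodes fine under this syntax but fails within_nds_postal_address_limit, which is the difference the draft draws between the two syntaxes.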
5.2 Tagged Data
( 2.16.840.1.113719.1.1.5.1.12 DESC 'Tagged Data' )
Introduction to NDS X-NDS_NOT_CONTAINER '1'
This article examines how Novell Directory Services (NDS) is integrated with the Lightweight Directory Access Protocol (LDAP) schema, describes in detail how NDS extends the LDAP schema to support its specific attributes and object classes, and explains what each of these extension terms means.
