| Oracle® Fusion Middleware Administrator's Guide for Oracle Internet Directory 11g Release 1 (11.1.1) Part Number E10029-03 | 
 | 
| 
 | View PDF | 
This chapter describes collective attributes in Oracle Internet Directory and explains how to manage them.
This chapter contains the following topics:
Attributes shared by the entries comprising an entry collection are called collective attributes. Values of collective attributes are visible but not updatable to clients accessing entries within the collection. As administrator, you manage collective attributes by defining and modifying the associated collective attributes sub entry.
See Also :
RFC 3671 "Collective Attributes in the Lightweight Directory Access Protocol (LDAP)" and RFC 3672 "Subentries in the Lightweight Directory Access Protocol (LDAP)" athttp://www.ietf.org for more information.RFC 3671 describes a specific schema for collective attributes. If you want to, you can define and use the collective attribute schema exactly as described in the RFC. Oracle Internet Directory, however, extends the definition of collective attributes to make them easier to use.
According to RFC 3671, you must define each collective attribute schema before you can use it in the collective subentry. For example, if you want to use the telephone number attribute as a collective attribute, then you define the schema for the c-telephoneNumber in the directory like this:
( 2.5.4.20.1 NAME 'c-TelephoneNumber' SUP telephoneNumber COLLECTIVE )
In addition, the collective attribute must be multivalued.
Oracle extends the usage as follows:
You do not need a schema definition for a collective attribute. You can use any attribute as a collective attribute.
To make an attribute a collective attribute, create it in the collective subentry with the subtype collective.
A collective attribute can be either multivalued or single valued.
The rest of this chapter describes Oracle Internet Directory usage.
You create a collective attribute by defining a subentry. The following example defines a collective subentry for the entries under dc=mycompany,dc=com. This subentry causes TelephoneNumber and postalCode to be included as collective attributes in all the entries under dc=mycompany,dc=com:
Dn: cn=collective attributes, dc=mycompany,dc=com Cn: collective attributes Objectclass: subentry Objectclass: collectiveAttributeSubentry Objectclass: top Objectclass: extensibleobject TelephoneNumber;collective: 1234560000 PostalCode;collective: 98765
You can control which specific entries actually get collective attributes. You do this by using the subtreeSpecification attribute in the collective subentry. If no subtreeSpecification attribute is specified in the collective subentry then the collective attributes are included in all the child entries where the collective subentry is defined.
See Also :
RFC 3672 "Subentries in the Lightweight Directory Access Protocol (LDAP)" athttp://www.ietf.org for more details about the subtreeSpecification attribute.The next three sections provide examples of how to use the subtreeSpecification attribute.
You use the base keyword in the subtreeSpecification to limit a collective attribute to a subtree.
For example, to restrict collective attributes only to the subtree cn=users,dc=mycompany,dc=com, you can use the subentry previously shown for dc=mycompany,dc=com, but add a base value to the subtreeSpecification attribute in the collective subentry like this:
SubtreeSpecification: {base "cn=users"}
You use the minimum and maximum keywords in the subtreeSpecification attribute to control the number of RDNs from the base where collective attributes apply.
For example, if you want collective attributes to be added to the entries under ou=Americas,cn=users,dc=mycompany,dc=com but not to one level child entries of cn=users,dc=mycompany,dc=com, or two levels down from cn=users, dc=mycompany,dc=com, then define the subtreeSpecification as follows:
SubtreeSpecification: {base "cn=users", minimum 2, maximum 4}
In this configuration, cn=john doe, ou=Americas,cn=users,dc=mycompany,dc=com gets the collective attributes, but cn=inbox,cn=2009,cn=emailFolder,cn=john doe, ou=Americas,cn=users,dc=mycompany,dc=com does not get the collective attributes because it is more than four levels from the base cn=users.
You can further exclude collective attributes from specific entries by using the specificExclusions, chopBefore, and chopAfter keywords. For example, if you do not want to add collective attributes to ou=Europe, define the subtreeSpecification as follows:
SubtreeSpecification: {base "cn=users", minimum 2, maximum 4, specificExclusions { chopBefore: "ou=Europe"} }
If you want the collective attributes to be included in a parent DN but not its child entries, define the specification filter like this:
SubtreeSpecification: {base "cn=users", minimum 2, maximum 4, specificExclusions { chopBefore: "ou=Europe", chopAfter: "cn=Global User" } }
In this example, the entry cn=Global User,ou=all region,cn=users,dc=mycompany,dc=com gets the collective attributes, but the entry cn=emailFolder, cn=GlobalUser,ou=all region,cn=users,dc=mycompany,dc=com does not get the collective attributes.
If you want collective attributes to be included for a certain object class only, then specify the Object Identifier or name of the object class in the specificationFilter for the subtreeSpecicfication attribute. For example, to include the collective attributes to the objectclass person only, define the specification filter like this:
SubtreeSpecification: {base "cn=users", minimum 2, maximum 4, specificExclusions { chopBefore: "ou=Europe", chopAfter: "cn=GlobalUser"},  specificationFilter item:person }
Alternatively, you could use:
SubtreeSpecification: {base "cn=users", minimum 2, maximum 4, specificExclusions { chopBefore: "ou=Europe", chopAfter: "cn=GlobalUser"},  specificationFilter item:2.5.6.6 }
where 2.5.6.6 is the Object Identifier for objectclass person.
Examples of SpecificationFilter
You can use the keywords and, or, and not to further refine your subtreeSpecicfication, as follows:
SubtreeSpecification: {base "cn=users", minimum 2, maximum 4, specificExclusions { chopBefore: "ou=Europe", chopAfter: "cn=GlobalUser"},  specificationFilter and:{ item:2.5.6.6, item:2.5.6.7} }
SubtreeSpecification: {base "cn=users", minimum 2, maximum 4, specificExclusions { chopBefore: "ou=Europe", chopAfter: "cn=GlobalUser"},  specificationFilter or:{ item:2.5.6.6, item:2.5.6.7} }
SubtreeSpecification: {base "cn=users", minimum 2, maximum 4, specificExclusions { chopBefore: "ou=Europe", chopAfter: "cn=GlobalUser"},  specificationFilter not:{ item:2.5.6.7} }
If you want some entries to have their own values for an attribute, instead of the collective attribute value, you can specifically add that attribute to those entries and add attribute collectiveExclusions:attributeName to that entry.If all the collective attributes needs to be excluded then add attribute excludeAllCollectiveAttributes: true to those entries. Doing so overrides the value of the collective attribute value. For example, if you add the TelephoneNumber attribute and the excludeAllCollectiveAttributes: true attribute to the entry cn=jane smith, ou=Americas,cn=users,dc=mycompany,dc=com, this entry will have its own value for TelephoneNumber instead of the collective attribute.
You can manage a collective attributes sub entry from the command line, like any other directory entry.
To create collective attributes, you define the collective subentry in an LDIF file using ldapadd, as follows:
ldapadd -p port_number -h host -D cn=orcladmin -q -f subentry.ldif
where the contents of subentry.ldif is something like this:
Dn: cn=collective attributes, dc=mycompany,dc=com
Cn: collective attributes
Objectclass: subentry
Objectclass: collectiveAttributeSubentry
Objectclass: top
Objectclass: extensibleobject
TelephoneNumber;collective: 1234560000
PostalCode;collective: 98765
SubtreeSpecification: {base "cn=users", minimum 2, maximum 4, specificExclusions { chopBefore: "ou=Europe", chopAfter: "cn=GlobalUser"},  specificationFilter not:{ item:2.5.6.7} }
Issue this command to modify the file:
ldapmodify -p 3060 -D "cn=orcladmin" -q -f mod_subentry.ldif
where mod_subentry.ldif is something like this:
dn: cn=collective attributes, dc=mycompany,dc=com changetype: modify replace: PostalCode;collective PostalCode;collective: 98768