12.2 Creating Classes and Attributes

Designer allows you to create eDirectory classes and attributes to fit the needs of your environment. You can test and use the new schema with the Identity Manager drivers in Designer before implementing it in the production environment.

12.2.1 Creating eDirectory Classes

Adding a Class

  1. In the Modeler, right-click the Identity Vault, then select Manage Vault Schema.

    The Manage Schema Wizard

  2. Select the Classes tab.

    The Classes tab lists all classes that are defined in the schema and stored in Designer.

  3. Decide whether to show changes.

    The Only show changes option is below the Classes pane. This option enables you to see only classes that are different from the base schema (stored in the BaseIVSchema.xml file). If the base schema is unchanged, the list is empty.

  4. Click the Add a Class icon on the Classes toolbar.

  5. Specify the name of the class (for example, EmpInfo) and (if applicable) an ASN1 ID, then click OK.

    The field to name a class

    If you register your schema definition with Novell, Novell provides an ASN1 number. It resolves the possibility of schema collisions caused by duplicate schema names with different definition structures. You register your schema definition if you want to make the schema definition publicly available.

  6. Select the type of class (for example, Effective Class), then click Next.

    Flag options

    Effective: You can create an instance of the defined object in the eDirectory tree.

    Noneffective: Only used to define other classes. You cannot create an object of a noneffective class.

    Auxiliary: Combines attributes to be added to other classes by extending the object class attribute.

    Non Removable: Sets the class so it cannot be removed from the schema.

    Container: Sets the object as a container object instead of a leaf object. If it is set to container, this object can contain other objects.

  7. Select the classes that the new class will inherit from, then click Next.

    Select a class in the Available classes pane and move it to the Inherited classes pane.

  8. Select the mandatory attributes, then click Next.

    The inheritances that display in the Inherited mandatory attributes pane depend upon the class that you selected.

  9. Select optional attributes, then click Next.

    The Inherited optional attributes pane lists default optional inheritances.

  10. Select the naming attributes, then click Next.

    The eDirectory schema allows for inheritance from other classes. A class that another class inherits from is called a super class. A class can inherit attributes from more than one super class.

    Every class inherits from the super class Top. No class exists above Top. For example, Group inherits directly from Top, but User inherits from Organizational Person. Organizational Person inherits from Person. Person inherits from ndsLoginProperties, and ndsLoginProperties inherits from Top.

  11. Select the containment classes.

    In eDirectory, an object is a leaf object or a container object. For example, if you select the class Group, the Manage Schema tool lists the domain, Organization, and Organizational Unit classes, which can contain the Group class.

  12. Review the summary, then click Finish.

    The new class appears in the Classes pane.

  13. Save the settings by clicking OK.

  14. Show inherited associations.

    The Show Inherited Associations page

    Attributes: If you select Show inherited associations, Designer lists all attributes that are associated with a class, whether assigned or inherited. If you don’t select this option, only the assigned attributes are listed.

    The Attributes tab also lists the type of attributes. For example, the class Group has a naming attribute of CN and a mandatory attribute of CN. All of the other attributes in the list are optional attributes.

    You can add and delete attributes from the selected class by selecting the proper icon.

    Super: The eDirectory schema allows for inheritance from other classes. A class that another class inherits from is called a super class. The Super tab lists the selected class’s immediate super class.

    A class can inherit attributes from more than one super class. The super class that every class inherits from is Top. No class exists above Top. For example, Group inherits directly from Top, but User inherits from Organizational Person. Organizational Person inherits from Person. Person inherits from ndsLoginProperties, and ndsLoginProperties inherits from Top.

    Sub: The Sub tab lists all classes that inherit from the selected class. If a class isn’t listed in the Sub tab, no classes inherit from the selected class.

    Containment: In eDirectory, an object is a leaf object or a container object. The Containment tab lists other classes that can contain the selected class.

    For example, if you select the class Group, the Manage Schema tool lists the domain, Organization, and Organizational Unit classes, which can contain the Group class.

    Class fields:

    Add Naming: Adds a naming attribute to the selected class.

    Add Mandatory: Adds a mandatory attribute to the selected class.

    Add Optional: Adds an optional attribute to the selected class.

    Delete: Removes the attribute's association with the selected class.

  15. Document the class.

    The Document This Class check box

    If you select Document this Class, Designer documents information on the class when you run Document Generation.

Icons and Fields in the Classes Page

The following table explains the icons in the Classes toolbar:

Table 12-1 Icons in the Classes Toolbar

Add a class: Creates an eDirectory class.

Rename class: Renames any class that is not a base class. Not available for base classes.

Delete class: Deletes any class that is not a base class. Not available for base classes.

Schema Notes: Enables you to add notes about any class you create. Not available for base classes.

Help: Launches the help for the Manage Schema tool.

Adding a Note

Designer allows you to add notes about any class you create. The information is stored as desc in the .ldif file and as a note in the .sch file.

  1. Select the class you want to add a note to, then click the Schema Notes icon.

    The Schema Notes icon in the Manage Schema Wizard

  2. Type the note in the window, then click OK.

    The window for notes

12.2.2 Creating eDirectory Attributes

How to Create eDirectory Attributes

  1. In the Modeler, right-click the Identity Vault, then select Manage Vault Schema.

    By default, the Classes tab is active. If you want to view or modify attributes for a particular class, select that class before you select the Attributes tab.

  2. Select the Attributes tab.

    The Attributes pane lists all attributes that are defined in the schema and stored in Designer. You can view all attributes at once, or view the attributes associated with a specific class. When you select a class from the drop-down list, the attributes associated with that class are listed.

  3. Decide whether to show changes.

    The Only show changes option is below the Attributes pane. This option enables you to see only attributes that are different from the base schema (stored in the BaseIVSchema.xml file). If the base schema is unchanged, the list is empty.

  4. Click the Add an Attribute icon.

  5. Specify the name of the new attribute (for example, EmpID) and (if applicable) an ASN1 ID, then click Next.

    The field to name an attribute

    If you register your schema definition with Novell, Novell provides an ASN1 number. It resolves the possibility of schema collisions caused by duplicate schema names with different definition structures. You register your schema definition if you want to make the schema definition publicly available.

  6. Select the syntax, then click Next.

    An attribute syntax defines a standard data type that an attribute uses to store its values in the eDirectory tree. Syntax is required for each attribute. See Table 12-2.

  7. Select the flags or constraints for the attribute.

    The following figure illustrates the constraints that display on the Manage Schema tool.

    Constraints options

    The constraints restrict the information that is stored in the data type and constrain the operations of eDirectory and eDirectory clients.

    Public Read: Allows anyone to read this attribute without the read privilege specifically assigned. You can’t use inheritance masks to prevent an object from reading attributes with this constraint.

    Sync Immediate: When the attribute is modified, it is synchronized immediately to all of the servers in the replica ring.

    Read Only: The attribute is available to be read, but it cannot be modified.

    String: Allows only string information to be stored in the attribute.

    Write Managed: Explicit rights are granted before this attribute can be changed. In order to modify this attribute, users must have managed rights on the object to change the attribute.

    Non Removable: The attribute cannot be deleted from the schema.

    Hidden: Only applications running on a NetWare® server can use this attribute.

    Single Valued: Allows one value to be stored in the attribute.

    Per Replica: Allows one value to be stored in the attribute.

    Server Read: The attribute can be read by an NCP™ server object even though the right to read is not inherited or explicitly granted. The NCP server object is always able to read this attribute, regardless of the rights granted in the ACL.

  8. Review the summary of values, then click Finish.

    The new attribute appears in the Attribute pane.

  9. Specify size.

    If the size of the schema definition is limited, select Sized, then specify the size in decimal form.

    The following figure illustrates the Sized field in the Manage Schema tool. The example in this figure has no value.

    The field to specify an attribute's size

    This value is the length of the schema definition in the eDirectory database, in bytes. The tool accepts the information in decimal form. In order to use the information, the eDirectory database converts it to hexadecimal.

  10. Show inherited associations.

    The schema allows for inheritance of other attributes from super classes. If you select this item, all attributes that are associated with a class, whether assigned or inherited, are listed. If you don’t select this item, only the attributes assigned are listed.

    The Show Inherited Associations check box

    Used by Classes lists all classes that use the selected attribute. If you select Show inherited associations, the list includes classes that inherit the attribute.

  11. Specify an attribute type.

    The dialog box to add or delete attributes

    The attribute types help define the class.

    Add Naming: Adds the selected attribute to a class as a naming attribute.

    Add Mandatory: Adds the selected attribute to a class as a mandatory attribute.

    Add Optional: Adds the selected attribute to a class as an optional attribute.

    Delete: Removes a class's association with the selected attribute.

  12. Select the class to associate with the attribute.

    Class options

  13. Save changes by clicking OK.

Syntax for Attributes

The following information from Novell LogicSource for eDirectory gives details about the eDirectory schema. LogicSource is a subscription-based service Novell provides to its customers. This section contains only a small portion of the information available in LogicSource for eDirectory. For more information about LogicSource, see Novell Technical Subscriptions.

Table 12-2 Syntax for Attributes

Syntax

Description

Back Link

The remoteID field identifies the backlinked object on the server, and the objectName field identifies the server holding an external reference.

Boolean

Two Boolean attributes match for equality if they are both True or both False. True is represented as one (1), and False is represented as zero (0). Any attribute defined using this syntax is single valued.

Case Exact String

Attributes using this syntax can set size limits. Two Case Exact Strings match for equality when they are of the same length and their corresponding characters are identical.

Case Ignore List

Two Case Ignore Lists match for equality if the number of strings in each is the same, and all corresponding strings match. For two corresponding strings in the list to match, they must be the same length and their corresponding characters must be identical (according to the rules for case ignore strings).

Case Ignore String

Used in attributes whose values are strings and where the case (upper or lower) is ignored.

Class Name

Used to match two class names where the case (upper or lower) is ignored.

Counter

The attribute is single valued. The syntax is similar to Integer, except that any value added to an attribute is arithmetically added to the total, and any value deleted is arithmetically subtracted from the total.

Distinguished Name

The attribute is the distinguished name of the object, up to 256 Unicode characters. This is not case sensitive.

EMail Address

Used to match attributes whose values are e-mail addresses and whose lengths and corresponding characters are identical; however, it ignores case (upper and lower). Only the EMail Address attribute uses this syntax.

Facsimile Telephone Number

Facsimile Telephone Number values are matched based on the telephone number field. The rules for matching fax telephone numbers are identical to those for the Case Exact syntax except that all space and hyphen (-) characters are skipped during the comparison. Only the Facsimile Telephone Number attribute uses this syntax.

Hold

This syntax is an accounting quantity, which is an amount tentatively held against a subject’s credit limit, pending completion of a transaction. In the wire format, the Subject field is the distinguished name of the object. eDirectory treats the Hold amount similarly to the Counter syntax, with new values added to or subtracted from the base total. If the evaluated Hold amount goes to 0 (zero), the Hold record is deleted.

Integer

The attribute is an integer. Attributes using this syntax can set size limits.

Interval

The Interval value is the number of seconds in a time interval.

Net Address

Stores the network address as a binary string. The string is the literal value of the address. It lists the type of communication protocol used.

Numeric String

Two numeric strings match for equality when they are of the same length and their corresponding characters are identical. It matches the digits 0-9 and spaces if they are contained in the numeric string.

Object ACL

An Object ACL value can protect either an object or an attribute. The protected object is always the one that contains the ACL attribute. If an ACL entry is to apply to the object as a whole, the protected attribute name should be left empty (NULL). If a specific attribute is to be protected, it should be named in the ACL entry.

Octet List

A presented octet list matches a stored list if the presented list is a subset of the stored list. Octet strings are so designated because they are not interpreted by the Directory. They are simply a series of bits with no Unicode implications.

The length is the number of bits divided by 8 and rounded to the nearest integer. Thus, each octet represents eight bits of data. The number of data bits is always evenly divisible by 8.

Octet String

For two octet strings to match, they must be the same length and the corresponding bit sequence (octets) must be identical. When comparing two strings, the first pair of octets that do not match are used to determine the order of the strings. Octet strings are not Unicode strings.

Path

The string represented by the path field is compared for equality using the same rules that Case Exact String uses. That is, two paths match for equality when their lengths and corresponding characters, including case, are identical.

Postal Address

An attribute value for Postal Address is typically composed of selected attributes from the MHS Unformatted Postal O/R Address version 1 according to Recommendation F.401. The value is limited to 6 lines of 30 characters each, including a Postal Country Name. Normally the information contained in such an address could include a name, street address, city, state or province, postal code, and possibly a postal office box number depending on the specific requirements of the named object.

Printable String

The printable string character set consists of the following characters: A-Z, a-z, 0-9, space, ' (apostrophe), ( (left parenthesis), ) (right parenthesis), + (plus sign), , (comma), - (hyphen), . (period), / (slash), : (colon), = (equal sign), and ? (question mark).

Two printable strings match for equality when they are the same length and their corresponding characters are identical. Case (upper or lower) is significant when comparing printable strings. For example, as printable strings, “Jones” and “JONES” do not match.

Replica Pointer

Each value of the replica pointer syntax is composed of five parts:

  • The complete name of the server that stores the replica.

  • A value describing the capabilities of this copy of the partition: master, secondary, read-only, or subordinate reference.

  • A value indicating the current state of the replica (new, dying, locked, changing state, splitting, joining, or moving).

  • A number representing the replica. All replicas for a partition have a different number assigned when the replica is created.

  • A referral that contains a count of the addresses and one or more network addresses that hints at the node where the server probably resides. Because servers are accessible over different protocols, the server might have an address for each supported protocol.

Stream

Streams are files of information. The data stored in a stream file has no syntax enforcement of any kind. It is purely arbitrary data, defined by the application that created and uses it. The attribute is single valued.

Telephone Number

The length of telephone number strings must be between 1 and 32. Two telephone number strings match for equality when they are of the same length and their corresponding characters are identical. All space and hyphen (-) characters are skipped during the comparison.

Time

A time value consists of a whole number of seconds, where zero equals 12:00 midnight, January 1, 1970, UTC.

Timestamp

A Timestamp value contains three components:

  • The wholeSeconds field consists of the whole number of seconds, where zero equals 12:00 midnight, January 1, 1970, UTC.

  • The replicaNum field identifies the server that created the Timestamp. A replica number is assigned whenever a replica is created on a server.

  • The eventID field is an integer that orders events occurring within the same whole-second interval. The event number restarts at one for each new second.

Typed Name

The syntax names an eDirectory object and attaches two numeric values to it:

  • The level of the attribute indicates the priority.

  • The interval indicates the frequency of references.

The objectName or Distinguished Name identifies the eDirectory object referred to by the Typed Name.

Unknown

Unknown syntax is used to stop the loss of data if the eDirectory database becomes corrupted. When an object becomes Unknown, information stored in this attribute can allow the object to be recovered. This syntax is used by eDirectory.
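The matching rules in this table decide whether two values are treated as equal, which is what determines whether an incoming record collides with an existing object during synchronization. As an added example that is not part of the Novell documentation or of Designer, the following Python implements the equality rules for several of these syntaxes (case handling, the Telephone Number length limit and skipped characters, the Printable String character set, Octet String ordering); the syntax-name keys, the reading of Numeric String as digits-and-spaces only, and the prefix fallback in octet_order are assumptions made here.

```python
"""Equality-matching rules for several eDirectory attribute syntaxes, as the
Syntax for Attributes table describes them: values are normalized per syntax
and then compared. The syntax-name keys and the prefix fallback in octet_order
are assumptions for this example; sample values are constructed."""
import string

PRINTABLE = set(string.ascii_letters + string.digits + " '()+,-./:=?")  # table's set

def _telephone(value: str) -> str:
    # Length (1..32) is checked on the stored string before the spaces and
    # hyphens that the comparison skips are removed.
    if not 1 <= len(value) <= 32:
        raise ValueError(f"telephone number length {len(value)} not in 1..32")
    return value.replace(" ", "").replace("-", "")

def _printable(value: str) -> str:
    bad = sorted(set(value) - PRINTABLE)
    if bad:
        raise ValueError(f"not in the printable string set: {bad}")
    return value  # case is significant, so the value is compared as-is

def _numeric(value: str) -> str:
    # Read here (assumption) as: only digits 0-9 and spaces, and both count.
    if any(c not in "0123456789 " for c in value):
        raise ValueError("numeric string may contain only digits and spaces")
    return value

# Normalizer per syntax; two values match when their normalized forms are equal.
NORMALIZE = {
    "Case Exact String": lambda v: v,
    "Case Ignore String": str.lower,
    "Case Ignore List": lambda v: [s.lower() for s in v],
    "Printable String": _printable,
    "Numeric String": _numeric,
    "Telephone Number": _telephone,
    "Facsimile Telephone Number": lambda v: v.replace(" ", "").replace("-", ""),
    "Boolean": lambda v: bool(int(v)),  # True is 1, False is 0
    "Octet String": bytes,  # same length and identical octets required
}

def matches(syntax: str, presented, stored) -> bool:
    """True when presented and stored are equal under the syntax's rule."""
    norm = NORMALIZE[syntax]
    return norm(presented) == norm(stored)

def is_valid(syntax: str, value) -> bool:
    """True when the value satisfies the syntax's length/charset constraints."""
    try:
        NORMALIZE[syntax](value)
        return True
    except ValueError:
        return False

def octet_order(a: bytes, b: bytes) -> int:
    """Order two Octet Strings by the first pair of octets that differ."""
    for x, y in zip(a, b):
        if x != y:
            return -1 if x < y else 1
    return (len(a) > len(b)) - (len(a) < len(b))  # assumption: a prefix sorts first
```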