6.1 Using the Manage Schema Tool
To open the Manage Schema tool, right-click an Identity Vault object (in the Modeler or Outline View), then select .
If a custom schema in the production environment needs to be tested, you can import the schema into Designer. After you have tested and modified the schema, you can deploy it into the production environment. For information about importing schema, see Section 6.6, Importing the Schema.
The Manage Schema tool lets you add, delete, rename, and modify classes and attributes in the Identity Vault schema. The class information and the attribute information are organized into separate tabs in the Manage Schema tool.
6.1.1 The Classes Tab
From the Classes tab, the Manage Schema tool lets you add, delete, rename, and modify schema classes.
The Classes tab includes the following components:
Classes List Toolbar
The Classes list includes the following tools:
Table 6-1 Classes List Toolbar
- Launches the New Class Wizard to create a new Identity Vault class.
- Renames any non-base class. You cannot rename base classes.
- Deletes any non-base class. You cannot delete base classes.
- Adds descriptive notes to any non-base class. You cannot add notes to base classes.
Only Show Changes
The checkbox is below the Classes list. When selected, the Classes list displays only those classes that are not part of the base schema, as defined in BaseIVSchema.xml. If no non-base classes exist, the Classes list is empty.
Deselect Only Show Changes to see a complete list of base and non-base classes in the Identity Vault schema.
ASN1
Specifies the class’s “Abstract Syntax Notation number One” ID. The ASN1 ID is important if you plan to make the schema definition publicly available.
If you register your schema definition with Novell, Novell assigns your class an ASN1 ID. This unique identifier eliminates the possibility of schema collisions caused by duplicate schema names with different definition structures.
For more information about ASN1, visit the ASN.1 Consortium.
Flags
The Flags options let you modify the class type:
Table 6-2 Supported Class Types
- You can create an instance of the defined object in the Identity Vault.
- Only used to define other classes. You cannot create an object of a noneffective class.
- Combines attributes to be added to other classes by extending the object class attribute.
- Sets the object as a container object instead of a leaf object. If it is set to container, this object can contain other objects.
Show Inherited Associations
The Show Inherited Associations checkbox determines whether the Associations list displays all attributes associated with a class. When selected (the default), the Associations list displays both assigned and inherited attributes. When deselected, the Associations list displays only assigned attributes.
NOTE: When you select Show Inherited Associations, you cannot delete entries from the Associations list.
Associations List
The Associations List displays the classes and attributes associated with the selected class. The Associations List includes four tabs, each with a toolbar.
The tab includes the following tools:
A class can inherit attributes from more than one super class. The super class that every class inherits from is Top. No class exists above Top. For example, Group inherits directly from Top, but User inherits from Organizational Person. Organizational Person inherits from Person. Person inherits from ndsLoginProperties, and ndsLoginProperties inherits from Top.
The tab includes the following tools:
The tab includes the following tools:
The tab includes the following tools:
6.1.2 The Attributes Tab
From the Attributes tab, the Manage Schema tool lets you add, delete, rename, and modify attributes associated with schema classes.
The Attributes tab includes the following components:
Attribute List Toolbar
The Attributes list includes the following tools:
Table 6-3 Attributes List Toolbar
- Launches the New Class Wizard to create a new attribute.
- Renames the selected non-base attribute. You cannot rename base attributes.
- Deletes the selected non-base attribute. You cannot delete base attributes.
- Adds descriptive notes to any non-base attribute. You cannot add notes to base attributes.
Only Show Changes
The checkbox is below the Attributes list. When selected, the Attributes list displays only those attributes that are not part of the base schema, as defined in BaseIVSchema.xml. If no non-base attributes exist, the Attributes list is empty.
Deselect Only Show Changes to see a complete list of base and non-base attributes in the Identity Vault schema.
Flags
Attribute flags specify the information that is stored in the attribute and limit the list of acceptable operations that the Identity Vault, and eDirectory clients, can perform on the attribute.
Table 6-4 Supported Attribute Flags
- Allows anyone to read this attribute without the read privilege being specifically assigned. You can’t use inheritance masks to prevent an object from reading attributes with this constraint.
- When the attribute is modified, it is synchronized immediately to all of the servers in the replica ring.
- Only the eDirectory server process can read this attribute.
- Allows only string information to be stored in the attribute.
- Explicit rights must be granted before this attribute can be changed: to modify it, a user must have managed rights on the object.
- Only the eDirectory server process can read this attribute.
- Allows one value to be stored in the attribute.
- Allows one value to be stored in the attribute.
- The attribute can be read by an NCP™ server object even though the right to read is not inherited or explicitly granted. The NCP server object is always able to read this attribute, regardless of the rights granted in the ACL.
- Limits the range of values supported by the attribute to some subset of those supported by the attribute’s data type. For example, you might restrict an Integer attribute to accept only values between 1 and 100.
ASN1
Specifies the attribute’s “Abstract Syntax Notation number One” ID. The ASN1 ID is important if you plan to make the schema definition publicly available.
If you register your schema definition with Novell, Novell assigns your attribute an ASN1 ID. This unique identifier eliminates the possibility of schema collisions caused by duplicate schema names with different definition structures.
For more information about ASN1, visit the ASN.1 Consortium.
Syntax
An attribute syntax defines a standard data type that an attribute uses to store its values in the Identity Vault. Each attribute must have a syntax. Table 6-5 describes the available syntaxes for Identity Vault attributes.
Table 6-5 Syntax for Attributes
- Back Link: The field identifies the backlinked object on the server, and the field identifies the server holding an external reference.
- Boolean: Two Boolean attributes match for equality if they are both True or both False. True is represented as one (1), and False as zero (0). Any attribute defined with this syntax is single valued.
- Case Exact String: Attributes using this syntax can set size limits. Two Case Exact Strings match for equality when they are the same length and their corresponding characters are identical.
- Case Ignore List: Two Case Ignore Lists match for equality if they contain the same number of strings and all corresponding strings match. Two corresponding strings match when they are the same length and their corresponding characters are identical according to the rules for Case Ignore Strings.
- Case Ignore String: Used for attributes whose values are strings and whose case (upper or lower) is ignored.
- Class Name: Used to match two class names; case (upper or lower) is ignored.
- Counter: The attribute is single valued. The syntax is similar to Integer, except that any value added to the attribute is arithmetically added to the total, and any value deleted is arithmetically subtracted from the total.
- Distinguished Name: The attribute is the distinguished name of the object, up to 256 Unicode characters. It is not case sensitive.
- EMail Address: Used to match attributes whose values are e-mail addresses: the lengths and corresponding characters must be identical, but case (upper or lower) is ignored. Only the EMail Address attribute uses this syntax.
- Facsimile Telephone Number: Values are matched based on the field. The matching rules are identical to those of the Case Exact String syntax, except that all space and hyphen (-) characters are skipped during the comparison. Only the Facsimile Telephone Number attribute uses this syntax.
- Hold: An accounting quantity: an amount tentatively held against a subject’s credit limit, pending completion of a transaction. In the wire format, the field is the distinguished name of the object. The Identity Vault treats the Hold amount similarly to the Counter syntax, with new values added to or subtracted from the base total. If the evaluated Hold amount goes to 0 (zero), the Hold record is deleted.
- Integer: The attribute is an integer. Attributes using this syntax can set size limits.
- Interval: The value is the number of seconds in a time interval.
- Net Address: Stores the network address as a binary string. The string is the literal value of the address and identifies the communication protocol used.
- Numeric String: Two numeric strings match for equality when they are the same length and their corresponding characters are identical. The syntax accepts the digits 0-9 and spaces.
- Object ACL: An Object ACL value can protect either an object or an attribute. The protected object is always the one that contains the ACL attribute. If an ACL entry applies to the object as a whole, the protected attribute name is left empty (NULL); if a specific attribute is protected, it is named in the ACL entry.
- Octet List: A presented octet list matches a stored list if the presented list is a subset of the stored list. Octet strings are so named because the Directory does not interpret them; they are simply a series of bits with no Unicode implications. The length is the number of bits divided by 8 and rounded to the nearest integer; each octet represents eight bits of data, and the number of data bits is always evenly divisible by 8.
- Octet String: Two octet strings match when they are the same length and the corresponding bit sequences (octets) are identical. When ordering two strings, the first pair of octets that do not match determines the order. Octet strings are not Unicode strings.
- Path: The string represented by the path field is compared for equality using the same rules as Case Exact String: two paths match when their lengths and corresponding characters, including case, are identical.
- Postal Address: An attribute value for Postal Address is typically composed of selected attributes from the MHS Unformatted Postal O/R Address version 1 according to Recommendation F.401. The value is limited to 6 lines of 30 characters each, including a Postal Country Name. Such an address normally includes a name, street address, city, state or province, postal code, and possibly a post office box number, depending on the requirements of the named object.
- Printable String: The printable string character set consists of A-Z, a-z, 0-9, the space character, ’ (apostrophe), ( (left parenthesis), ) (right parenthesis), + (plus sign), , (comma), - (hyphen), . (period), / (slash), : (colon), = (equal sign) and ? (question mark). Two printable strings match for equality when they are the same length and their corresponding characters are identical. Case (upper or lower) is significant: as printable strings, “Jones” and “JONES” do not match.
- Replica Pointer: Each value of the replica pointer syntax is composed of five parts:
  - The complete name of the server that stores the replica.
  - A value describing the capabilities of this copy of the partition: master, secondary, read-only, or subordinate reference.
  - A value indicating the current state of the replica (new, dying, locked, changing state, splitting, joining, or moving).
  - A number representing the replica. Each replica of a partition is assigned a different number when it is created.
  - A referral that contains a count of the addresses and one or more network addresses hinting at the node where the server probably resides. Because servers are reachable over different protocols, the server might have an address for each supported protocol.
- Stream: Streams are files of information. The data stored in a stream file has no syntax enforcement of any kind; it is arbitrary data defined by the application that creates and uses it. The attribute is single valued.
- Telephone Number: Telephone number strings must be between 1 and 32 characters long. Two telephone number strings match for equality when they are the same length and their corresponding characters are identical. All space and hyphen (-) characters are skipped during the comparison.
- Time: A time value is a whole number of seconds, where zero equals 12:00 midnight, January 1, 1970, UTC.
- Timestamp: A Timestamp value contains three components:
  - The field consists of the whole number of seconds, where zero equals 12:00 midnight, January 1, 1970, UTC.
  - The field identifies the server that created the Timestamp. A replica number is assigned whenever a replica is created on a server.
  - The field is an integer that orders events occurring within the same whole-second interval. The event number restarts at one for each new second.
- Typed Name: The syntax names an Identity Vault object and attaches two numeric values to it. The objectName or Distinguished Name identifies the Identity Vault object referred to by the Typed Name.
- Unknown: The Unknown syntax is used to prevent data loss if the Identity Vault database becomes corrupted. When an object becomes Unknown, the information stored in this attribute can allow the object to be recovered. This syntax is used by the Identity Vault itself.
NOTE: The information in Table 6-5 comes from the Novell LogicSource for eDirectory. LogicSource is a subscription-based service Novell provides to its customers. For more information about LogicSource, see Novell Technical Subscriptions.
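The matching rules in Table 6-5 decide whether two stored values are "the same", which is exactly what a pre-import validator or a duplicate-detection check over schema data needs to reproduce. The following is an added example, not code from Designer or eDirectory: it implements the Printable String character set, the Case Exact, Case Ignore and Case Ignore List comparisons, the Telephone Number length and separator-skipping rules, the Numeric String character check, Octet String ordering, Octet List subset matching, and the Counter and Hold running-total semantics, in plain Python. All function and class names are my own, the sample values are constructed, and the one behaviour the table leaves open (ordering an octet string against a longer one it is a prefix of) is marked as an assumption in the code.

```python
"""Matching and validation rules for several Table 6-5 syntaxes (added example)."""
import re
from typing import Iterable, List, Optional

# Printable String character set, exactly as Table 6-5 lists it.
PRINTABLE_CHARS = frozenset(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
    "abcdefghijklmnopqrstuvwxyz"
    "0123456789"
    " '()+,-./:=?"
)


def is_printable_string(value: str) -> bool:
    """Printable String: every character must come from PRINTABLE_CHARS."""
    return all(ch in PRINTABLE_CHARS for ch in value)


def case_exact_match(a: str, b: str) -> bool:
    """Case Exact String (also Path): same length, identical characters, case counts."""
    return len(a) == len(b) and a == b


def case_ignore_match(a: str, b: str) -> bool:
    """Case Ignore String (also Class Name, EMail Address): lengths and characters
    must agree, but upper/lower case is ignored."""
    return len(a) == len(b) and a.casefold() == b.casefold()


def case_ignore_list_match(a: List[str], b: List[str]) -> bool:
    """Case Ignore List: same number of strings, and every corresponding pair
    matches under the Case Ignore String rules."""
    return len(a) == len(b) and all(case_ignore_match(x, y) for x, y in zip(a, b))


def is_valid_telephone_number(value: str) -> bool:
    """Telephone Number: the stored string must be 1 to 32 characters long."""
    return 1 <= len(value) <= 32


def _drop_separators(value: str) -> str:
    """Remove the space and hyphen characters that telephone matching skips."""
    return value.replace(" ", "").replace("-", "")


def telephone_match(a: str, b: str) -> bool:
    """Telephone Number and Facsimile Telephone Number: spaces and hyphens are
    skipped, then the remainders must be the same length with identical characters."""
    return case_exact_match(_drop_separators(a), _drop_separators(b))


def is_numeric_string(value: str) -> bool:
    """Numeric String: only the digits 0-9 and spaces are permitted."""
    return re.fullmatch(r"[0-9 ]*", value) is not None


def octet_string_compare(a: bytes, b: bytes) -> int:
    """Octet String ordering: the first pair of octets that differ decides the order.
    Returns -1, 0 or 1. Equality requires the same length and identical octets;
    placing a string before a longer string that starts with it is my assumption,
    because the table only states the first-mismatch rule."""
    for x, y in zip(a, b):
        if x != y:
            return -1 if x < y else 1
    return (len(a) > len(b)) - (len(a) < len(b))


def octet_list_match(presented: Iterable[bytes], stored: Iterable[bytes]) -> bool:
    """Octet List: a presented list matches when it is a subset of the stored list."""
    return set(presented) <= set(stored)


class CounterValue:
    """Counter and Hold semantics: adding a value adds it to the running total and
    deleting a value subtracts it. With hold=True a total that reaches 0 means the
    Hold record is deleted, which total() reports as None."""

    def __init__(self, hold: bool = False) -> None:
        self._total = 0
        self._hold = hold

    def add(self, amount: int) -> None:
        self._total += amount

    def delete(self, amount: int) -> None:
        self._total -= amount

    def total(self) -> Optional[int]:
        if self._hold and self._total == 0:
            return None
        return self._total


if __name__ == "__main__":
    # Constructed sample values, not data from any real Identity Vault.
    print(is_printable_string("Jones (Sales)"), case_ignore_match("Jones", "JONES"))
    print(telephone_match("555-123 4567", "5551234567"), is_numeric_string("12 34"))
```

Note that `case_ignore_match` keeps the table's "same length" requirement by comparing the original lengths before folding case, so a folded form that changes length never produces a false match.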
Show Inherited Associations
The Show Inherited Associations checkbox determines whether the Associations list displays all classes associated with an attribute. When selected (the default), the Associations list displays both assigned and inherited classes. When deselected, the Associations list displays only assigned classes.
The schema allows for inheritance of attributes from super classes. If you select this item, all attributes that are associated with a class, whether assigned or inherited, are listed. If you don’t select this item, only the assigned attributes are listed.
The Associations list lists all classes that use the selected attribute. If you select Show Inherited Associations, the list also includes classes that inherit the attribute.
Associations List
The Associations List displays the classes associated with the selected attribute. The Associations List toolbar lets you make changes to the classes associated with the attribute.
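Both Associations lists are views over the same super-class chain: the Classes tab shows the attributes a class holds directly or inherits (Section 6.1.1 describes the chain User, Organizational Person, Person, ndsLoginProperties, Top), and the Attributes tab shows the classes that hold or inherit an attribute. The following is an added example, not Designer's or eDirectory's own code, that resolves both views over a constructed miniature schema. The class names and inheritance chain follow the text; `exampleContact` is a made-up class with two super classes to show multiple inheritance, and every attribute assignment is illustrative rather than taken from BaseIVSchema.xml. Function names are my own.

```python
"""Resolve assigned versus inherited schema associations (added example)."""
from typing import Dict, List

# Constructed miniature schema (not the real BaseIVSchema.xml): class name ->
# super classes and the attributes assigned directly to that class.
SCHEMA: Dict[str, Dict[str, List[str]]] = {
    "Top": {"supers": [], "attrs": ["Object Class", "ACL"]},
    "ndsLoginProperties": {"supers": ["Top"], "attrs": ["Login Disabled"]},
    "Person": {"supers": ["ndsLoginProperties"], "attrs": ["Surname", "Telephone Number"]},
    "Organizational Person": {"supers": ["Person"], "attrs": ["Title"]},
    "User": {"supers": ["Organizational Person"], "attrs": ["Login Script"]},
    "Group": {"supers": ["Top"], "attrs": ["Member"]},
    # Made-up class inheriting from two super classes.
    "exampleContact": {"supers": ["Organizational Person", "Group"], "attrs": ["Contact Note"]},
}


def super_classes(name: str) -> List[str]:
    """Every class above `name`, nearest first, each listed once (Top included).
    The visited list also stops a malformed schema with a cycle from looping."""
    found: List[str] = []

    def walk(cls: str) -> None:
        for sup in SCHEMA[cls]["supers"]:
            if sup not in found:
                found.append(sup)
                walk(sup)

    walk(name)
    return found


def associated_attributes(name: str, show_inherited: bool = True) -> List[str]:
    """Classes tab view: attributes assigned directly to the class, or, when Show
    Inherited Associations is selected, those plus every attribute inherited through
    the super-class chain, without duplicates."""
    attrs = list(SCHEMA[name]["attrs"])
    if show_inherited:
        for sup in super_classes(name):
            for attr in SCHEMA[sup]["attrs"]:
                if attr not in attrs:
                    attrs.append(attr)
    return attrs


def inherited_attributes(name: str) -> List[str]:
    """Only the inherited part: attributes the class gets through super classes."""
    assigned = set(SCHEMA[name]["attrs"])
    return [a for a in associated_attributes(name) if a not in assigned]


def classes_using_attribute(attr: str, show_inherited: bool = True) -> List[str]:
    """Attributes tab view: the classes an attribute is assigned to, plus, when Show
    Inherited Associations is selected, the classes that inherit it."""
    return [cls for cls in SCHEMA if attr in associated_attributes(cls, show_inherited)]


if __name__ == "__main__":
    print("User, assigned only:", associated_attributes("User", show_inherited=False))
    print("User, with inherited:", associated_attributes("User"))
    print("Classes using Surname:", classes_using_attribute("Surname"))
```

Deleting an entry from the inherited view would mean removing an attribute from some super class rather than from the selected class, which is why the tool refuses deletions while Show Inherited Associations is selected; `inherited_attributes` makes that distinction explicit.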