LDAP Schema Designer

I am looking for a kind of LDAP Schema Designer, a utility that can check the consistency of my schema, detect redundancies, ...
Any suggestions?
Thanks

I don't know of any tool like that. The problem is actually not quite that simple, since LDAP does not implement a relational database per se, or have concepts about 1st, 2nd, 3rd, etc normal forms.
If you want me to review and refine your schema for you, then you can hire me as a consultant. I have extensive experience in designing schema and modeling directory objects and DIT.
Click my handle for my email address if interested.
podzap

Similar Messages

  • Ldap schema extension to control which users / group are imported

    Hello,
    would like to have your opinion:
    would it be a good idea to implement ldap schema extensions to control
    which users / group are imported and controlled from ldap in a ldap
    mastered installation?
    e.g. we could implement the following schema extension for users:
    attributetype ( 1.3.6.1.4.1.<iana-org-id>.1.1 NAME ( 'BogusisBeehiveUser' )
        DESC ''
        EQUALITY booleanMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
        SINGLE-VALUE )
    # BogusinetOrgPerson
    # The BogusinetOrgPerson is derived from inetOrgPerson
    objectclass ( 1.3.6.1.4.1.<iana-org-id>.1
        NAME 'BogusinetOrgPerson'
        DESC 'RFC2798: Internet Organizational Person, plus Bogus Extensions'
        SUP inetOrgPerson
        STRUCTURAL
        MAY ( BogusisBeehiveUser ) )
    Then we could control the inclusion in beehive by simply switching
    BogusisBeehiveUser on or off.

    sure; that's pretty much what is talked about in the Install Guide for LDAP Integration under the "inclusion and exclusion" section, about here:
    http://download.oracle.com/docs/cd/E14897_01/bh.100/e14830/ldap.htm#CHDEFFJF
    that doesn't go into the specifics of how you might want to design your objectClass schemas, though, as beehive is agnostic to that.
    If you don't want to provision all users that match a certain existing rule (like everyone under dn=foo, or everyone where userType=employee), then adding a new attribute and building the profile inclusion rule around it is a valid thing to do.
    richard
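
A minimal consistency check for definitions like the ones in the thread above, as an added example that is not part of the original posts or of Beehive: it parses slapd.conf-style `attributetype`/`objectclass` statements and reports unbalanced parentheses, empty DESC strings, reused OIDs and references to undefined attributes or superior classes. The sample input is constructed from the thread's definitions with the final closing parenthesis left out and a hypothetical `BogusMailQuota` attribute added; the function names are illustrative and `inetOrgPerson` is assumed to be loaded on the server already.

```python
import re

# One token per quoted string, parenthesis, "$" separator or bare word.
TOKEN = re.compile(r"'[^']*'|[()$]|[^\s()$']+")
FLAGS = {"SINGLE-VALUE", "STRUCTURAL", "AUXILIARY", "ABSTRACT",
         "OBSOLETE", "COLLECTIVE", "NO-USER-MODIFICATION"}

# Constructed sample based on the thread: the final ")" of the objectclass is
# left out and BogusMailQuota (hypothetical, never defined) is added.
SAMPLE = """
attributetype ( 1.3.6.1.4.1.<iana-org-id>.1.1 NAME ( 'BogusisBeehiveUser' )
    DESC ''
    EQUALITY booleanMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
    SINGLE-VALUE )
objectclass ( 1.3.6.1.4.1.<iana-org-id>.1
    NAME 'BogusinetOrgPerson'
    DESC 'RFC2798: Internet Organizational Person, plus Bogus Extensions'
    SUP inetOrgPerson
    STRUCTURAL
    MAY ( BogusisBeehiveUser $ BogusMailQuota )
"""

def split_definitions(text):
    """Return [(kind, body), ...] for every attributetype/objectclass."""
    text = re.sub(r"(?m)^\s*#.*$", "", text)          # drop comment lines
    parts = re.split(r"(?im)^\s*(attributetype|objectclass)\b", text)
    return [(parts[i].lower(), parts[i + 1]) for i in range(1, len(parts), 2)]

def parse_definition(body):
    """Return (fields, balanced): keyword -> list of values, paren check."""
    toks = TOKEN.findall(body)
    fields = {"OID": toks[1] if len(toks) > 1 else ""}
    i = 2
    while i < len(toks):
        key = toks[i]
        i += 1
        if key in ("(", ")"):
            continue
        if key in FLAGS:
            fields[key] = []
        elif i < len(toks) and toks[i] == "(":         # list: ( a $ b )
            j = i + 1
            while j < len(toks) and toks[j] != ")":
                j += 1
            fields[key] = [t.strip("'") for t in toks[i + 1:j] if t != "$"]
            i = j + 1
        elif i < len(toks) and toks[i] != ")":         # single value
            fields[key] = [toks[i].strip("'")]
            i += 1
    return fields, toks.count("(") == toks.count(")")

def check_schema(text, known_attrs=(), known_classes=("inetOrgPerson",)):
    """Return [(definition name, finding), ...] for the schema text."""
    defs = [(k, *parse_definition(b)) for k, b in split_definitions(text)]
    attrs = {a.lower() for a in known_attrs}
    classes = {c.lower() for c in known_classes}
    findings, seen_oids = [], {}
    for kind, fields, balanced in defs:
        names = fields.get("NAME") or ["<unnamed>"]
        known = attrs if kind == "attributetype" else classes
        known.update(n.lower() for n in names)         # names are case-insensitive
        if not balanced:
            findings.append((names[0], "unbalanced parentheses"))
        if fields.get("DESC") == [""]:                 # RFC 4512: not empty
            findings.append((names[0], "empty DESC"))
        if fields["OID"] in seen_oids:
            findings.append((names[0], "OID reused from " + seen_oids[fields["OID"]]))
        seen_oids.setdefault(fields["OID"], names[0])
    # Second pass: every reference made by an objectclass must resolve.
    for fields in [f for k, f, _ in defs if k == "objectclass"]:
        name = (fields.get("NAME") or ["<unnamed>"])[0]
        for sup in fields.get("SUP", []):
            if sup.lower() not in classes:
                findings.append((name, "unknown superior class " + sup))
        for attr in fields.get("MUST", []) + fields.get("MAY", []):
            if attr.lower() not in attrs:
                findings.append((name, "undefined attribute " + attr))
    return findings
```

Calling `check_schema(SAMPLE)` returns one finding per problem, each paired with the name of the definition it belongs to.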

  • URGENT!!!!! Schema design help

    I am trying to design a schema with Active Directory Application Mode with the following requirements:
    Profile 1: CM_VIEW → view equipment, search equipment
    Profile 2: CM_USR → All operations possible by CM_VIEW + create equipment objects, modify inventory, create and modify facilities attributes
    Profile 3: CM_FULL → All operations possible by CM_USR + delete equipment, facilities
    Profile 4: CM_ADM → All operations possible by CM_FULL + admin privilege for security management
    There are a list of user groups. This level is more like a container and no privilege is controlled at this level
    User Group1 : Admin
    User Group2: Manager
    User Group3: Operator
    Now this list of User groups can have one or more subgroups. The profiles need to be assigned at this level.
    Admin group: Admin1
    Manager group: NW Manager, Area1 Manager, Area2 Manager etc.
    Operator Group: NW Operator, Area1 Operator, Area2 Operator
    There is a single network which is divided into 5 area centers. User groups are given access to the whole network or specific area center.
    Whole NW access : Admin1, NW Manager with whatever profiles assigned to them
    Area1 access : Area1 Manager, Area1 Operator with whatever profiles assigned to them
    As I am a novice with ADAM, I seek some help to get my schema designed. I am very confused about
    - whether the default AD schema would suffice
    - do I need to create my own class
    - do I need to add my own attributes to existing classes
    - If so, should I consider all the operations defined in the profile as user defined attributes?
    I could not get specific information for the stuff I am searching for and I am struggling to get the schema designed. It is quite urgent and any help in this area would be greatly appreciated.

    There would be several ways to solve this problem.
    First of all, the schema. You have three choices:
    1. Extend an existing class. This is when the existing class meets your requirements (searching, differentiation) but needs a few more attributes.
    2. Derive a new subclass from an existing class. This is when you want to differentiate your class, but inherit features from an existing class.
    3. Create a new class, when no existing class meets your requirements.
    For option 1, the best way to do this is to create an auxiliary class and add it to the existing class. (E.g. create an auxiliary class called clothing sizes, add attributes height, waist, hat size, shoe size, and then add the class to the existing user class.)
    For option 2, you may want a class called football player, so you create a new class called footballplayer, derived from the existing user class. You may add new attributes such as football team, playing position.
    For option 3, you may want to create an entirely new class to represent a football stadium, with both existing attributes such as address, city and new attributes such as seating capacity.
    So in your case, users & administrators would normally just be user or inetOrgPerson class objects. Equipment & facilities may require their own classes.
    Next thing is to use organizationalUnits (OUs) as the boundaries for delegating administrative permissions. For each area, Area 1, Area 2, ..., Area n, create an organizational unit.
    Then you have two methods to enforce role based access control.
    The first is to use the Windows security model to enforce the object access.
    Create groups to represent CM_VIEW, CM_USR, CM_FULL, CM_ADM roles, perhaps even groups such as Area_1_CM_USR
    Then grant the following permissions on the OU.
    CM_VIEW - read/list eqpt class objects
    CM_USR - read/write/list/create/delete eqpt class objects, read/list/write/create facilities
    CM_FULL - read/write/list/create/delete eqpt class objects, read/list/write/create/delete facilities
    CM_ADM - full permissions on the OU.
    You can either define these ACLs on the OUs so the permissions apply to all objects in the OU, or define them on the schema definitions so that as new objects are instantiated they have the default permissions applied. As you want to differentiate access at the OU level, don't worry about the default schema permissions, just set the ACLs on each OU.
    The problem you would have is using Java/JNDI to manage the ACLs (writing the security descriptors on the OU or object classes). Far easier to use either the Windows APIs, Windows scripting interfaces (ADSI), LDIF files or Windows UI components (ADSIEdit).
    You may want to do all the schema extension and ACLs with Windows tools, coz they're easier, and use Java/J2EE for your application development.
    The second approach is to apply the role based access controls within your application. The security risk with this approach is that it may be possible for someone to subvert the security in your application by accessing the directory directly.

  • X.509 PKI LDAP Schema for OID

    Hi,
    My question is about the availability of an X.509 PKI LDAP schema for OID. Does anyone know if it is possible to import an already predefined schema into OID?
    Is it necessary to follow RFC2587 and define the schema by hand?
    Any response and advice appreciated.
    Petr
    P.S.
    I am quite new in the area of OID so some of my questions may seem incomprehensible.

    Hello Petr:
    You most certainly can load your own custom schema items into OiD. A few things to keep in mind when you do this.
    Make sure you load the attributes first.
    Then your objectclasses.
    Then your catalog/indexes if you have any.
    Then load your directory entries.
    And last, load any ACIs you may have.
    If you give me a few of your schema definitions I would be happy to give you an example of how to do this.
    There are many PKI vendors out there and not all of them store certificates the same way. Some use standard schema attributes and others add their own custom attribute.

  • What LDAP schema should I use with JMQ 2.0?

    I've just downloaded the JMS 2.0 beta for Solaris and trying to set up a admin objects store with LDAP server (NES 4.12). However I cannot find a LDAP schema file to import into the LDAP server in your release. Would it be possible to send me a copy?

    As far as I know, you don't need to import any LDAP schema into
    Netscape Directory Server 4.12 (I assume this is what you
    are using) to store the administered objects.
    Are you seeing "schema violation" errors when you use jmqobjmgr ?
    If that is the case, what lookup name are you using ? Does
    your lookup name have the form:
    "cn=myLookupName"
    In most cases (it can be overridden), LDAP servers require lookup names
    to have the above format.

  • XML Schema Design question

    Hello all,
    I am a new to XML Schema design and struggling with designing my first XML Schema. Here is my problem.
    I have almost 200 elements in my database which I have to use to design XSDs, I have customer name ( last name, first name, dob etc) and customer address ( office address, home address etc) and at the same time I have other player such as Patient name ( last name, first name, dob etc) and patient address( home address, office address).
    And then we have some dollar-related data such as patient insurance amount, copay amount, total amount and many more $.
    What I wanted to know is what would be the best approach to design an XML schema for such a system: should I create one schema (xsd) for all the 200 attributes or should I create a separate schema for customers (including names and addresses along with other dollar amount data) and a similar xsd for patient data? Some of the XML documents which I will create from these schemas would be based on both customer and patient information.
    Thank you.
    Regards
    Suhail Ahmad

    It's hard to tell what the best design is. But in order to simplify access to this data through other program APIs such as JAXB, you may start by defining objects such as the schema types/elements for customer, patient and the addresses.
    Then you can associate the related data with these objects.

  • Difference between database design and schema design

    Hi, I have visited so many database websites and I found so many people saying "we can design a database for you". Are schema designing and database designing the same? In so many places I find people saying we have to design a database first in order to create a physical database, so I am a little bit confused. Are they the same? And also, what is the difference between data model and schema?

    > the definition i found for logical data model, physical data model and the definition you
    gave for logical database design, physical database design are the same.
    Not correct. The physical design is the implementation of the logical design. These two designs are at different levels. Also, the logical design will be the same, irrespective of the RDBMS product used.
    What is incorrect is a designer/architect designing a logical design specifically for Oracle, or specifically for SQL-Server. A logical design has nothing to do with the RDBMS product (or h/w platforms, app servers, web servers and operating systems used).
    So the logical design will always be the same - it is RDBMS independent.
    The physical design is fully dependent on the RDBMS product used. The same logical design will be implemented as different physical designs for Oracle and for SQL-Server.

  • Schema Design

    Hello All,
    I couldn't find a better forum to post this but if you know of one, please tell me. I need to design a flexible schema for storing product catalog data. I can see 3 possible approaches although I'm sure there are others. 1) create a very specific relational model that's tightly coupled with the attributes of the products in the catalog 2) create a more generalized model where the attributes of the products are defined as name/value pairs 3) use XMLDB to store the definition of each product in an xml type schema.
    The problem with #1 is that it's very inflexible and can become complicated. If we have to add new products to the catalog that have different attributes than what we already store, we'll have to make a schema change. The problem with #2 is the obvious issue with name/value pairs (very large tables, indexing problems, data typing problems, etc). The problem with #3 is that I don't know a lot about it and I'm not sure it makes sense. I'm doing a lot of reading but would like to hear what others have to say about it.
    Can anyone offer any advice or point me to a good resource on the subject of designing schemas for this type of data. I'm wondering how places like Amazon and other large e-commerce shops store their product catalog data but haven't found anything to help me.
    Thanks,
    Mark

    My bad, I didn't explain that correctly.
    There is an activity template table and an activity schedule table.
    A schedule holds many activity schedules; an activity template copies info (name, description, etc.) into the activity schedule (that way if the template changes, schedules already made with that activity don't change),
    and then each activity schedule has 24 hour values.

  • Star schema design, metrics dimension or not.

    Hello Guys,
    I just heard from one of my colleagues that it's wise to
    have a "KPI" or "metrics" dimension in my DWH star schema (later used in OBIEE).
    Now, we have quite a lot of data, 100 000 rows per day (bottom level, non-aggregated; the aggregations are obviously far less than that, let's say 200 rows per day), and
    we have built pre-aggregated data marts for each of the 5 very static reports (OBIEE Publisher).
    The table structure is very simple
    e.g.
    Date,County,NumberofCars,RevenuePerCar, ExpensesPerCar, BreakEvenPerCar, CarType
    One could exclude the metrics "NumberofCars","RevenuePerCar", "ExpensesPerCar", "BreakEvenPerCar"
    and put them into a metrics dimension.
    MetricID Metric
    1 NumberofCars
    2 RevenuePerCar
    3 ExpensesPerCar
    4 BreakEvenPerCar
    and hence the fact table design would be simpler.
    Date,County,MetricID,Metric, CarType
    Disadvantages: A join is required
    We would have to redesign our tables
    tables are not aggregated anymore for specific metric types
    if we notice performance is bad, we would need to go back to the old design
    Advantages: Should new metrics appear, we don't have to change the design of the tables
    it's probably best practice
    Note: date, country and cartype are already dimensions. we are just missing one to differentiate the metrics/KPI's
    So I struggle a bit, what should I do? Redesign, or stick to the way I have done it, having
    performance optimization in mind.
    Thanks

    "Usually the date is stored in sales table or product table.
    But here why they created separate Dimension table for date(Dim_date)? "
    You should provide the link.
    A good place to start with the basic concepts is :
    http://www.ralphkimball.com/
    Pick up some of his books and start going through them.
    My recommendation would be
    The Data Warehouse Toolkit, 2nd Edition: The Complete Guide to Dimensional Modeling
    John Wiley & Sons, 2002 (436 pages)
    Good luck.

  • Star schema design

    Hi,
    I know that in the classical star schema the dimension tables sit within the info cube, and so we cannot use this dimension table in any other cube; we need to have a separate dimension table for that cube though it might be having the same data. I also know that to overcome this redundancy the extended star schema came into the picture, where we have SID tables and we keep the dimension table out of the cube and reuse the dimension tables across many cubes.
    Now what I don't understand is: instead of having separate SID tables for linking the dimension and fact tables, why can't we make the DIMENSION table generic and keep it out of the infocube so that we can use the same dimension table for many infocubes? In this case we won't need SID tables.
    Suppose I have one info cube which has dimensions vendor, material and customer and its key figures are quantity and price, and I have a separate infocube which has dimensions material, customer and location and its key figure is something else ... so here why can't I keep the dimensions out of the infocube and use the dimensions material and customer for both infocubes?

    Your dimension tables are filled based on your transaction data - which is why dimension table design is very important. You decide to group related data for the incoming transaction data into your dimension tables.
    The dimension tables have SIDs which in turn point to master data = in the classic star schema - the dimension tables are outside the cube but the dim tables have the master data within them, which is overcome using the extended star schema.
    The reason why dimension tables can be reused is that the dim IDs and SIDs in the dimension table correspond to the transaction data in the cube - and unless the dim IDs in both your cubes match you cannot reuse the dim tables - which means that you have exactly the same data in both the cubes - which means you need not have two cubes with the same data.
    Example :
    Cube 1 : Fact Table
    Dim1ID | DIM2ID | KF1
    1|01|100
    2|02|200
    Dimension Table : Dim 1 ( Assuming that there are 2 characteristics in this dimension ) - here the DIM1ID is Key
    Dim1ID | SID1 | SID2
    1|20|25
    2|30|35
    Dimension Table Dim 2 - Here the Dim2ID field is key
    Dim2ID| SID1 | SID2| SID3
    01| 30| 45
    02|45|40
    Here the Dim IDs for the cube Fact table are generated at the time of load and this is generated from the NRIV Table ( read material on Number Ranges ) - this means that you cannot control DIM ID generation across cubes, which means that you cannot reuse Dimension Tables.

  • Schema Design for Worklist Application - best practice?

    Hello,
    we are designing the Schema for a workflow application now. I'm wondering what kind of XML Schema would be best suited for the JSP generation of the Workflow Wizard.
    So far I've found out with some tests (please correct me if I'm wrong):
    - Only elements will be mapped to JSP fields, not attributes
    - If elements have single-letter name, the field label will be eliminated totally in JSP (bug?!)
    - For EVERY parent node, an HTML table is generated in the JSP containing all the simple nodes in the parent. If a parent node contains another parent node, both tables will be generated on the same level.
    And I haven't found any way to create drop-down list or checkbox/radiobuttons out of the XSD definition (enumeration as element type).
    I would really appreciate it if someone could share some experience in this area, many thanks in advance!
    regards
    ZHU Jia

  • Practical universe schema design for ad hoc reporting in web intelligence

    Hello Folks,
    I am in the initial design phase of creating a universe out of normalized tables in an Oracle database. This current set of tables is outside our data warehouse methodology and work flows. The new universe will be used for ad hoc query by limited users. There are about 25-30 tables with employee data/attributes (mostly HR data). Since these tables are all dimensions with employee information on various subjects like education, address, training, *employee records* etc., what should be my join strategy with the existing table schema? Where is the concept of a fact table? Would you suggest any denormalizing/derived or materialized view to get the right end results? Or do you see any ETL process required before starting this task? My main concern is configuring joins between the tables and performance issues due to many joins in the current physical model. Additionally, I am concerned with the employee records component in the structure, as each record of an employee may have multiple event history. How would you handle such a situation (maybe create a separate context with the main factless fact Employee table??)
    I will appreciate your insight and approach to tackle the initial planning phase of this project.
    Thanks

    ...due to the fact that with ad-hoc reports, the links, joins, cardinalities etc may differ from report to report depending on what each individual report would require.
    Cardinalities are part of the data model, they should not change based on report requirements.
    As far as the rest, yes, designing a flexible universe can be challenging. You have the option to set up different join paths (called contexts) for different functional areas, but in some cases it just makes sense to build more than one universe on top of the same data structures.
    For an example, consider a very simple case where there is a relationship between an employee and the company motor pool (collection of company cars). The HR person wants to see all people even if they don't have cars assigned to them, so they would require an outer join from Employee to Car. The motor pool manager wants to see all cars, even those that are not currently assigned to a person, so they would require an outer join from Car to Employee. These two requirements are contradictory, and so cannot be designed into a single universe. That's not a problem, it's simply something that needs to be recognized and responded to. An HR person is not likely to care about when the next oil change is due, and the motor pool manager probably does not care about the hire date for a particular person.
    Web Intelligence makes an excellent ad hoc query engine, but it does require some investment in a proper universe structure.

  • LDAP schemas

    I am researching how to use LDAP to manage accounts and automounts and wonder whether to use the nis.schema or is there a better way to manage network information services? Clients will be Solaris 9 and 10.
    Tia - any pointers appreciated

    http://web.singnet.com.sg/~garyttt
    http://web.singnet.com.sg/~garyttt/Installing%20and%20configuring%20iPlanet%20Directory%20Server%20for%20Solaris9.htm
    Step 5: Configure "automount" to work with RedHat or Solaris Native LDAP Clients
    http://web.singnet.com.sg/~garyttt/Installing%20and%20configuring%20OpenSSH%20with%20pam_ldap%20for%20Solaris9.htm
    Gary

  • LDAP schema InetOrgPerson with Address Book

    Hi all
    I've set up a LDAP server on my linux machine.
    I use the InetOrgPerson schema.
    The MacOS-X Address Book has no problems accessing the LDAP server however I cannot get it to display homePostalAddress .. in other words multiple address fields, a work address and a home address.
    Apple has some instructions on setting up mappings etc. for LDAP here:
    http://docs.info.apple.com/article.html?path=DirectoryAccess/1.8/en/c7od31.html
    I have however not been successful trying to follow that instruction.
    I was hoping someone else has had success mapping all the fields.
    Anyway I would appreciate it if someone would care to give me a helping hand with this issue. I have searched this forum and seen postings that appear to be similar but not quite (as far as my English will get me). If I have missed a posting that specifically deals with this then please point me to it.
    Thanks

    I've decided to withdraw question - solution found elsewhere

  • LDAP Schema from VDS

    We are using SAP VDS 7.2 SP8. Out of the Box Identity Service is deployed on VDS to expose LDAP Interface. When we connect to VDS LDAP Interface using standard LDAP client, we are not getting the schema information for the user attributes.
    Is any separate configuration needed at VDS level to get the user schema information?
    Any thoughts? Done heaps of googling, but nothing really comes up.
    cheers,
    Henrik

    Hi Henrik,
    I am experiencing the exact same issue.  Under server properties it appears you can select a method to create the rootDSE, there are a few delivered options but none of them appear to work.  I see entries in the operations log but nothing useful.
    VDS does function for authentication and browse but searching always fails.
    The help doc seems to suggest you should write a custom method, it would be great to know if you attempt this or have got any information from SAP that might suggest how to make the delivered classes to work?
    Thanks,
    Pete.
