Regular Expression based attributes in LDAP

One of the question that I get frequently asked when discussing with customers or coworkers about defining custom schema and attributes, is how to restrict the values that can be set to an attribute. From a pure LDAP standard point of view, you would need to define a new syntax and describe the valid values. Then you would need to check with the directory server’s vendor or discuss with the open source developers to get the syntax implemented in the server, either in the core product, or as a plug-in extension. In the end, the easy choice goes to use a standard syntax (like DirectoryString) and let all client applications validate the values.

In OpenDS, we’ve choose another option. We have added support for regular expression based syntaxes, and implemented this as a syntax definition extension.

So in order to define, for example, an attribute whose values must be in the form of host:port, you simply need to define a new syntax for it with the regular expression pattern and load it in the server’s schema:

$ bin/ldapmodify -D cn=directory\ manager -p 1389

Password for user ‘cn=directory manager’:

dn: cn=schema

changetype: modify

add: ldapsyntaxes

ldapSyntaxes: ( 1.3.6.1.4.1.32473.1

DESC ‘Host and Port in the format of HOST:PORT’

X-PATTERN ‘^[a-zA-Z][.a-zA-Z0-9-]+:[0-9]+$’ )

Processing MODIFY request for cn=schema

MODIFY operation successful for DN cn=schema

^D

And then you can make use of the newly defined syntax in attributes.

$ bin/ldapmodify -D cn=directory\ manager -p 1389

Password for user ‘cn=directory manager’:

dn: cn=schema

changetype: modify

add: attributetypes

attributetypes: ( 1.3.6.1.4.1.32473.2 NAME ‘test-attr-regex’ SYNTAX 1.3.6.1.4.1.32473.1 )



add: objectclasses

objectclasses: ( 1.3.6.1.4.1.32473.3 NAME ‘testOCregex’ SUP top AUXILIARY MUST test-attr-regex)

Processing MODIFY request for cn=schema

MODIFY operation successful for DN cn=schema

^D

Let’s create a test entry

$ bin/ldapmodify -D cn=directory\ manager -p 1389

Password for user ‘cn=directory manager’:

dn: cn=TestEntry,dc=example,dc=com

changetype: add

sn: TestEntry

cn: TestEntry

objectclass: Person

Processing ADD request for cn=TestEntry,dc=example,dc=com

ADD operation successful for DN cn=TestEntry,dc=example,dc=com

^D

And now make use of this new attribute and objectclass:

$ bin/ldapmodify -D cn=directory\ manager -p 1389

Password for user ‘cn=directory manager’:

dn: cn=TestEntry,dc=example,dc=com

changetype: modify

add: objectclass

objectclass: testOCregex



add: test-attr-regex

test-attr-regex: localhost:1389

Processing MODIFY request for cn=TestEntry,dc=example,dc=com

MODIFY operation successful for DN cn=TestEntry,dc=example,dc=com

^D

$ bin/ldapmodify -D cn=directory\ manager -p 1389

Password for user ‘cn=directory manager’:

dn: cn=testentry,dc=example,dc=com

changetype: modify

replace: test-attr-regex

test-attr-regex: foobar.com

Processing MODIFY request for cn=testentry,dc=example,dc=com

MODIFY operation failed

Result Code: 21 (Invalid Attribute Syntax)

Additional Information: When attempting to modify entry cn=testentry,dc=example,dc=com to replace the set of values for attribute test-attr-regex, value "foobar.com" was found to be invalid according to the associated syntax: The provided value "foobar.com" cannot be parsed as a valid regex syntax because it does not match the pattern "^[a-zA-Z][.a-zA-Z0-9-]+:[0-9]+$"

It’s simple and efficient. But wait there’s more to come, tomorrow.

Technorati Tags: , , , ,

One thought on “Regular Expression based attributes in LDAP

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s