Oracle® Identity Management Application Developer's Guide
10g Release 2 (10.1.2) B14087-02 |
This appendix contains the following sections:
Directory services form a core part of distributed computing. XML is becoming the standard markup language for Internet applications. As directory services are brought to the Internet, there is a pressing and urgent need to express the directory information as XML data. This caters to the growing breed of applications that are not LDAP-aware yet require information exchange with a LDAP directory server.
Directory Services Mark-up Language (DSML) defines the XML representation of LDAP information and operations. The LDAP Data Interchange Format (LDIF) is used to convey directory information, or a set of changes to be applied to directory entries. The former is called Attribute Value Record and the latter is called Change Record.
Using DSML with Oracle Internet Directory and Internet applications makes it easier to flexibly integrate data from disparate sources. Also, DSML enables applications that do not use LDAP to communicate with LDAP-based applications, easily operating on data generated by an Oracle Internet Directory client tool or accessing the directory through a firewall.
DSML is based on XML, which is optimized for delivery over the Web. Structured data in XML will be uniform and independent of application or vendors, thus making possible numerous new flat file type synchronization connectors. Once in XML format, the directory data can be made available in the middle tier and have more meaningful searches performed on it.
A DSML version 1 document describes either directory entries, a directory schema or both. Each directory entry has a unique name called a distinguished name (DN). A directory entry has a number of property-value pairs called directory attributes. Every directory entry is a member of a number of object classes. An entry's object classes constrain the directory attributes the entry can take. Such constraints are described in a directory schema, which may be included in the same DSML document or may be in a separate document.
The following subsections briefly explain the top-level structure of DSML and how to represent the directory and schema entries.
The top-level document element of DSML is of the type dsml, which may have child elements of the following types:
directory-entries
directory-schema
The child element directory-entries may in turn have child elements of the type entry. Similarly the child element directory-schema may in turn have child elements of the types class and attribute-type.
At the top level, the structure of a DSML document looks like this:
<!-- a document with directory & schema entries -->
<dsml:dsml xmlns:dsml="http://www.dsml.org/DSML">
  <dsml:directory-entries>
    <dsml:entry dn="...">...</dsml:entry>
    . . .
  </dsml:directory-entries>
  . . .
  <dsml:directory-schema>
    <dsml:class id="..." ...>...</dsml:class>
    <dsml:attribute-type id="..." ...>...</dsml:attribute-type>
    . . .
  </dsml:directory-schema>
</dsml:dsml>
The element type entry represents a directory entry in a DSML document. The entry element contains elements representing the entry's directory attributes. The distinguished name of the entry is indicated by the XML attribute dn.
Here is an XML entry to describe the directory entry:
<dsml:entry dn="uid=Heman, c=in, dc=oracle, dc=com">
  <dsml:objectclass>
    <dsml:oc-value>top</dsml:oc-value>
    <dsml:oc-value ref="#person">person</dsml:oc-value>
    <dsml:oc-value>organizationalPerson</dsml:oc-value>
    <dsml:oc-value>inetOrgPerson</dsml:oc-value>
  </dsml:objectclass>
  <dsml:attr name="sn"><dsml:value>Siva</dsml:value></dsml:attr>
  <dsml:attr name="uid"><dsml:value>Heman</dsml:value></dsml:attr>
  <dsml:attr name="mail"><dsml:value>SVK@oracle.com</dsml:value></dsml:attr>
  <dsml:attr name="givenname"><dsml:value>Siva V. Kumar</dsml:value></dsml:attr>
  <dsml:attr name="cn"><dsml:value>Siva Kumar</dsml:value></dsml:attr>
</dsml:entry>
The ref attribute of oc-value is a URI Reference to a class element that defines the object class. In this case it is a URI [9] Reference to the element that defines the person object class. The child elements objectclass and attr are used to specify the object classes and the attributes of a directory entry.
The element type class represents a schema entry in a DSML document. The class element takes an XML attribute id to make referencing easier.
For example, the object class definition for the person object class might look like the following:
<dsml:class id="person" superior="#top" type="structural">
  <dsml:name>person</dsml:name>
  <dsml:description>...</dsml:description>
  <dsml:object-identifier>2.5.6.6</dsml:object-identifier>
  <dsml:attribute ref="#sn" required="true"/>
  <dsml:attribute ref="#cn" required="true"/>
  <dsml:attribute ref="#userPassword" required="false"/>
  <dsml:attribute ref="#telephoneNumber" required="false"/>
  <dsml:attribute ref="#seeAlso" required="false"/>
  <dsml:attribute ref="#description" required="false"/>
</dsml:class>
The directory attributes are described in a similar way. For example, the attribute definition for the cn attribute may look like this:
<dsml:attribute-type id="cn">
  <dsml:name>cn</dsml:name>
  <dsml:description>...</dsml:description>
  <dsml:object-identifier>2.5.4.3</dsml:object-identifier>
  <dsml:syntax>1.3.6.1.4.1.1466.115.121.1.44</dsml:syntax>
</dsml:attribute-type>
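As an added example (not code from the guide), the following Python reads a DSML version 1 document that carries both directory-entries and directory-schema, resolves each entry's oc-value references to the class definitions, and reports required attributes the entry is missing. The sample document is constructed for the example and assumes the DSML 1.0 namespace URI; a consumer that accepts DSML from non-LDAP clients would run this kind of schema check before handing the data to ldapadd.

```python
import xml.etree.ElementTree as ET

# Constructed sample (not from the guide): one entry plus the schema it references.
# "cn" is deliberately omitted from the entry so the required-attribute check fails.
NS = {"dsml": "http://www.dsml.org/DSML"}
SAMPLE = f"""<dsml:dsml xmlns:dsml="{NS['dsml']}">
  <dsml:directory-entries>
    <dsml:entry dn="uid=Heman, c=in, dc=oracle, dc=com">
      <dsml:objectclass>
        <dsml:oc-value>top</dsml:oc-value>
        <dsml:oc-value ref="#person">person</dsml:oc-value>
      </dsml:objectclass>
      <dsml:attr name="sn"><dsml:value>Siva</dsml:value></dsml:attr>
      <dsml:attr name="mail"><dsml:value>SVK@oracle.com</dsml:value></dsml:attr>
    </dsml:entry>
  </dsml:directory-entries>
  <dsml:directory-schema>
    <dsml:class id="person" superior="#top" type="structural">
      <dsml:name>person</dsml:name>
      <dsml:attribute ref="#sn" required="true"/>
      <dsml:attribute ref="#cn" required="true"/>
      <dsml:attribute ref="#userPassword" required="false"/>
    </dsml:class>
  </dsml:directory-schema>
</dsml:dsml>"""


def parse_dsml(text):
    """Return ({dn: {attr: [values]}}, {class id: set of required attribute ids})."""
    root = ET.fromstring(text)  # for untrusted documents use defusedxml's fromstring instead
    entries = {}
    for e in root.iterfind("dsml:directory-entries/dsml:entry", NS):
        attrs = {"objectclass": [oc.text for oc in e.iterfind("dsml:objectclass/dsml:oc-value", NS)]}
        for a in e.iterfind("dsml:attr", NS):
            attrs[a.get("name")] = [v.text for v in a.iterfind("dsml:value", NS)]
        entries[e.get("dn")] = attrs
    schema = {}
    for c in root.iterfind("dsml:directory-schema/dsml:class", NS):
        schema[c.get("id")] = {a.get("ref").lstrip("#") for a in c.iterfind("dsml:attribute", NS)
                               if a.get("required") == "true"}
    return entries, schema


def missing_required(entries, schema):
    """Map each DN to the required attributes its object classes demand but the entry lacks."""
    problems = {}
    for dn, attrs in entries.items():
        need = set().union(*(schema.get(oc, set()) for oc in attrs["objectclass"]))
        missing = sorted(need - set(attrs))
        if missing:
            problems[dn] = missing
    return problems
```

Classes such as top that have no definition in the document contribute no constraints, so only classes actually described in directory-schema are enforced.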
With the XML framework, you can now use non-LDAP applications to access directory data. The XML framework broadly defines the access points and provides the following tools:
ldapadd
ldapaddmt
ldapsearch
See Also: "Oracle Internet Directory Server Administration Tools" in Oracle Identity Management User Reference for information about syntax and usage.
The client tool ldifwrite generates directory data and schema LDIF files. If you convert these LDIF files to XML, you can store the XML file on an application server and query it. The query and response time is small compared to performing an LDAP operation against an LDAP server.