When an RDN has multiple attributes, can I control the order in which they are returned?

Document ID : KB000054210
Last Modified Date : 14/02/2018

Description:

With CA Directory r12.0SP1, it is possible to control the order in which multiple RDN attributes are returned. For example, if an entry has the RDN "serialNumber=0000001+cn=Craig Link", you can configure the directory to always return the serialNumber first and then the commonName.

Solution:

The Problem:

In the past, CA Directory used an Ingres RDBMS database for storing and retrieving attribute values. Ingres would return the values to the directory in a particular order. This meant that for a given LDIF load, no matter what updates had been made, the distinguished attributes of the RDN would always appear in the same order. Note that this order couldn't be defined by the customer. The point, however, is that the return order would be consistent.

With the introduction of r12.0SP1, CA Directory uses a proprietary datastore backend which is referred to as DXgrid. With r12.0SP1, the order of the attributes is dependent on where they happened to be found in the DXgrid .db file. This can cause issues for applications that don't adhere to RFC standards and rely on a particular order.

The Solution:

CA Directory r12.0SP1 has been modified to allow an ordering of attribute values, so that they can be returned in a specific order if they are listed in the entry's RDN. The order in which they appear in the DXgrid .at file (associated with the DSA's datastore) will control which attribute is displayed first in the RDN. This means that the order will now be undefined but at least consistent.

To Define The Order:
Please Note: For all commands listed below, please run them as user "dsa" on Unix/Linux.

A way of defining the order of the attribute values in the RDN is to 'handcraft' the .at file and do a frontend (i.e. ldapadd) load. To do this:

  1. Take an empty datastore and add an entry via the front end that contains all the attributes you wish to define an order for.

  2. Stop the DSA using the command "dxserver stop {dsaName}"

  3. Open the '.at' file for the relevant datastore and rearrange the attributes in the order as you see fit. Save the file after the edit.
    Make sure to leave the first 6 attributes alone as they are hardwired in the DSA.

    Please Note: If the '.at' file is already laid out in the order that you require, please close the file and then skip steps 4, 5 and 6 below.

  4. Copy the '{dsaName}.at' file to a backup file named '{dsaName}.at_'.

  5. Run the command 'dxemptydb {dsaName}' to empty the database.

  6. Copy the file '{dsaName}.at_' over the new '{dsaName}.at' file.

  7. Load your LDIF data using either 'dxmodify' or 'ldapadd'. It's important to load the data using these tools, and NOT DXloaddb.

  8. Copy the resulting datastore files '{dsaName}.db', '{dsaName}.at' and '{dsaName}.oc' to any other replica/peer servers that exist for the namespace.

  9. Start the DSA using the command "dxserver start {dsaName}"

Example:
Please Note: For all commands listed in this example, please run them as user "dsa" on Unix/Linux.

If you wanted your RDN to always be returned as "sn=value + cn=value":

  1. Create a new DSA (democorp) using the following command:
    dxnewdsa -s 200 democorp 19389 o=democorp,c=au

    NOTE: If you already have a DSA you can stop the DSA and run "dxemptydb dsaname" and restart the DSA

  2. Apply the following LDIF file to the democorp DSA via a frontend tool (e.g. DXmodify)
    dxmodify -a -h HOSTNAME -p 19389 -f democorp.ldif

    Contents of democorp.ldif
    ====================================================================
    dn: o=DEMOCORP,c=AU
    objectClass: organization

    dn: ou=Support,o=DEMOCORP,c=AU
    objectClass: organizationalUnit

    dn: ou=Various,ou=Support,o=DEMOCORP,c=AU
    objectClass: organizationalUnit

    dn: cn=Tod WILCOX+sn=WILCOX,ou=Various,ou=Support,o=DEMOCORP,c=AU
    objectClass: inetOrgPerson
    cn: Tod WILCOX
    sn: WILCOX
    title: Financial Statistician
    telephoneNumber: 918 8789
    description: State Support
    mail: Tod.WILCOX@DEMOCORP.com
    postalAddress: 958 View Tech Rd$Lindisfarne TAS
    postalCode: 7015
    ====================================================================

  3. Stop the DSA
    % dxserver stop democorp

  4. Edit the DXHOME/data/democorp.at file by re-arranging the order of the attributes defined in your RDN

    2.5.4.3 # cn
    2.5.4.4 # sn

    should be re-arranged to

    2.5.4.4 # sn
    2.5.4.3 # cn

    NOTE: Do NOT change the order of the first 6 attributes in the .at file as the order for these attributes is hardwired in the DSA.

  5. Copy DXHOME/data/democorp.at to DXHOME/data/democorp.at_

  6. Run the following command to empty the democorp datastore
    dxemptydb democorp

  7. Copy DXHOME/data/democorp.at_ to DXHOME/data/democorp.at

  8. Start your DSA
    dxserver start democorp

  9. Load your data via front-end
    dxmodify -a -h HOSTNAME -p 19389 -f democorp.ldif

  10. Run dxsearch to see that you get the correct order in the RDN
    dxsearch -h HOSTNAME -p 19389 -b o=democorp,c=au -s sub "(sn=WILCOX)"

    dn: sn=WILCOX+cn=Tod WILCOX,ou=Various,ou=Support,o=democorp,c=au
    cn: Tod WILCOX
    sn: WILCOX
    objectClass: inetOrgPerson
    title: Financial Statistician
    telephoneNumber: 918 8789
    description: State Support
    mail: Tod.WILCOX@DEMOCORP.com
    postalAddress: 958 View Tech Rd$Lindisfarne TAS
    postalCode: 7015
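
An added example, not part of the original article or of CA Directory: a Python check for step 10 that reads the attribute order of the leading RDN, plus an order-insensitive DN comparison for clients that must not depend on that order (the applications described under "The Problem"). The function names are hypothetical; case-insensitive value matching is an assumption, and attribute aliases, quoted values and escape decoding are not handled.

```python
# Added example. DNs below are the ones shown in democorp.ldif and in the
# dxsearch output of step 10.
LOADED_DN = "cn=Tod WILCOX+sn=WILCOX,ou=Various,ou=Support,o=DEMOCORP,c=AU"
RETURNED_DN = "sn=WILCOX+cn=Tod WILCOX,ou=Various,ou=Support,o=democorp,c=au"

def _split_unescaped(s, sep):
    """Split s on sep, skipping separators escaped with a backslash."""
    parts, cur, i = [], [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            cur.append(s[i:i + 2])   # keep the escaped pair verbatim
            i += 2
            continue
        if s[i] == sep:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(s[i])
        i += 1
    parts.append("".join(cur))
    return parts

def parse_dn(dn):
    """Return RDNs as lists of (type, value) pairs in the order received."""
    rdns = []
    for rdn in _split_unescaped(dn, ","):
        avas = []
        for ava in _split_unescaped(rdn, "+"):
            attr, eq, value = ava.partition("=")
            if not eq or not attr.strip():
                raise ValueError(f"malformed RDN component: {ava!r}")
            avas.append((attr.strip().lower(), value))
        rdns.append(avas)
    return rdns

def leading_rdn_order(dn):
    """Attribute types of the first RDN, in the order the server returned."""
    return [attr for attr, _ in parse_dn(dn)[0]]

def same_dn(a, b):
    """Compare DNs treating each multi-valued RDN as an unordered set.
    Assumption: values match case-insensitively with whitespace collapsed."""
    def norm(dn):
        return tuple(frozenset((t, " ".join(v.lower().split())) for t, v in rdn)
                     for rdn in parse_dn(dn))
    return norm(a) == norm(b)

if __name__ == "__main__":
    print(leading_rdn_order(RETURNED_DN), same_dn(LOADED_DN, RETURNED_DN))
```

Code that keys access decisions or certificate-to-entry mappings on the DN string should compare with something like `same_dn` rather than string equality, so a change in the .at ordering does not alter the result.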