|
nk4um User
Posts: 15
|
Because the "user" argument is required, there does not seem to be a way to use ldapBatch to simply make an anonymous dsml request (an empty request or public search). There are other ways to accomplish this but it would be handy to be able to use your ldapBatch interface for all possible ldap requests. Perhaps there is a way to override?
|
|
nk4um Moderator
Posts: 755
|
An LDAP DSML Reference

We've just released an LDAP library http://www.1060.org/forum/topic/82/1 for NetKernel; it uses DSML to perform search, addition and modification of LDAP records. This is a brief tutorial on DSML syntax for reference. The OASIS DSML specification is available here http://www.oasis-open.org/specs/index.php#dsmlv2 - it can look complicated at first, but when scripted with the ldapBatch accessor, provided in the mod-ldap library, it makes interacting with LDAP very easy. I wrote this guide as a simple DSML reference which provides examples of the primitive operations which may be issued to an LDAP repository.

Making a request

DSML is a request response syntax - the main element for a DSML request is...
<ds:batchRequest xmlns:xsd="http://www.w3.org/2001/XMLSchema"
                 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                 xmlns:ds="urn:oasis:names:tc:DSML:2:0:core"
                 processing="sequential">
  <!---->
</ds:batchRequest>
|
The request is populated with a set of LDAP operation declarations. The "processing" option can be either "sequential" or "parallel" - take care since parallel means you must not make any assumptions about execution order.

The response from a DSML Request is a DSML response document which will contain a response entry for each request operation. Any number of operations may be specified in a single DSML request and each will yield a resulting response with an indication of success status and any returned data - for example, a search operation will yield a list of LDAP entries as XML records.

Add

This operation will add a new record with distinguished name "dn" to the LDAP repository.
<ds:addRequest xmlns:ds="urn:oasis:names:tc:DSML:2:0:core" dn="cn=Test,ou=1060Research,dc=1060,dc=org">
  <!-- one ds:attr element per attribute value -->
  <ds:attr name="objectclass">
    <ds:value>top</ds:value>
  </ds:attr>
  <ds:attr name="objectclass">
    <ds:value>person</ds:value>
  </ds:attr>
  <ds:attr name="objectclass">
    <ds:value>organizationalPerson</ds:value>
  </ds:attr>
  <ds:attr name="objectclass">
    <ds:value>inetOrgPerson</ds:value>
  </ds:attr>
  <ds:attr name="cn">
    <ds:value>Test</ds:value>
  </ds:attr>
  <ds:attr name="sn">
    <ds:value>Test</ds:value>
  </ds:attr>
  <ds:attr name="givenName">
    <ds:value>Test</ds:value>
  </ds:attr>
  <ds:attr name="title">
    <ds:value>A Test Addition</ds:value>
  </ds:attr>
</ds:addRequest>
|
Contact your LDAP admin to find out which schema your LDAP server supports and to find a description of the permitted fields that are supported. Here we are using the most common person and organizationalPerson schemas.

Search

This operation will search for records. Filter can contain substring matches - in this example a match for 'Smith' is made on the 'sn' field. All matching records (up to the sizeLimit) will be returned. See spec for scope and filter options - here we're matching the wholeSubtree which is a broad search.
<ds:searchRequest xmlns:ds="urn:oasis:names:tc:DSML:2:0:core" dn="dc=1060,dc=org" scope="wholeSubtree" derefAliases="neverDerefAliases" sizeLimit="1000">
  <ds:filter>
    <!-- substring match on the sn attribute -->
    <ds:substrings name="sn">
      <ds:any>Smith</ds:any>
    </ds:substrings>
  </ds:filter>
</ds:searchRequest>
|
Modify

This operation modifies an LDAP record. The modification tag specifies the field name to be modified and the new value to assign.
<ds:modifyRequest xmlns:ds="urn:oasis:names:tc:DSML:2:0:core" dn="cn=Test,ou=1060Research,dc=1060,dc=org">
  <!-- value elements carry the ds: prefix so they sit in the DSML namespace -->
  <ds:modification name="mail" operation="add">
    <ds:value>test@1060.org</ds:value>
  </ds:modification>
  <ds:modification name="sn" operation="replace">
    <ds:value>Smith</ds:value>
  </ds:modification>
  <ds:modification name="mail" operation="replace">
    <ds:value>j.smith@1060.org</ds:value>
  </ds:modification>
  <ds:modification name="givenName" operation="replace">
    <ds:value>smithy</ds:value>
  </ds:modification>
</ds:modifyRequest>
|
Modify DN

The distinguished name (DN) is the primary key for an LDAP record. This operation allows the DN to be changed.
<!-- element carries the ds: prefix so it sits in the DSML namespace -->
<ds:modDNRequest xmlns:ds="urn:oasis:names:tc:DSML:2:0:core" dn="cn=Test,ou=1060Research,dc=1060,dc=org" newrdn="cn=John Smith" deleteoldrdn="true" newSuperior="ou=1060research,dc=1060,dc=org" />
|
Compare

This operation allows simple assertions about an LDAP record to be made.
<ds:compareRequest xmlns:ds="urn:oasis:names:tc:DSML:2:0:core" dn="cn=John Smith,ou=1060Research,dc=1060,dc=org">
  <ds:assertion name="sn">
    <ds:value>Smith</ds:value>
  </ds:assertion>
</ds:compareRequest>
|
Delete

This operation deletes an LDAP record.
<ds:delRequest xmlns:ds="urn:oasis:names:tc:DSML:2:0:core" dn="cn=John Smith,ou=1060Research,dc=1060,dc=org" />
|
|
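Added example, not part of the thread or of mod-ldap: one way to generate the search batchRequest shown in the reference above from an application-supplied search term, using an XML serializer so the term always stays character data inside ds:any. The function name build_search_batch, the attribute-name pattern and the size cap are assumptions made for this illustration.

```python
import re
import xml.etree.ElementTree as ET

DSML_NS = "urn:oasis:names:tc:DSML:2:0:core"
ET.register_namespace("ds", DSML_NS)

# Assumption: attribute names are restricted to plain LDAP short names.
ATTR_NAME = re.compile(r"^[A-Za-z][A-Za-z0-9-]*$")
MAX_SIZE_LIMIT = 1000  # same ceiling as the search example in the post


def q(tag):
    """Qualify a tag name with the DSML v2 core namespace."""
    return "{%s}%s" % (DSML_NS, tag)


def build_search_batch(base_dn, attr, term, size_limit=100):
    """Return a DSML batchRequest holding one substring search for `term`."""
    if not ATTR_NAME.match(attr):
        raise ValueError("unexpected attribute name: %r" % attr)
    if not term:
        raise ValueError("empty search term")
    size_limit = max(1, min(int(size_limit), MAX_SIZE_LIMIT))

    batch = ET.Element(q("batchRequest"), {"processing": "sequential"})
    search = ET.SubElement(batch, q("searchRequest"), {
        "dn": base_dn,
        "scope": "wholeSubtree",
        "derefAliases": "neverDerefAliases",
        "sizeLimit": str(size_limit),
    })
    flt = ET.SubElement(search, q("filter"))
    sub = ET.SubElement(flt, q("substrings"), {"name": attr})
    # Assigning .text makes the serializer escape <, > and &, so the term
    # stays character data and cannot open or close DSML elements.
    ET.SubElement(sub, q("any")).text = term
    return ET.tostring(batch, encoding="unicode")


if __name__ == "__main__":
    # Constructed input: a search term that contains markup characters.
    print(build_search_batch("dc=1060,dc=org", "sn", "Smith</ds:any> & Co"))
```

Building the same document by string concatenation would let a term containing markup change the structure of the batch; with the serializer the batch always holds exactly the one searchRequest.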