PingDirectory

Configuring JSON attribute constraints

The PingDirectory server can define several constraints for the fields included in JSON objects stored in values of a specified attribute type.

Defining constraints on JSON object fields allows administrators to set requirements on what values a JSON field can take to ensure consistency across entries.

Constraints that can be placed on a JSON field include:

  • Requiring values of the field to have a specified data type.

  • Indicating whether the field is required or optional.

  • Indicating whether the field can have multiple values in an array. If a field is permitted to have array values, restrictions can also be placed on the number of elements that can be present in the array.

  • Indicating whether the field can have a value that is the null primitive as an alternative to values of the indicated data type.

  • Restricting values of string fields to a predefined set of values that match a given regular expression or to a length specified by the user.

  • Restricting values of numeric fields with upper and lower bounds.

Only new entries are subject to the new constraints. Existing data that doesn’t match newly-defined JSON constraints can still be decoded and managed by the server. Attempts to alter existing entries with non-compliant JSON objects might require fixing those objects to conform to the new constraints.

The global configuration properties that define schema constraints for JSON objects are create-json-attribute-constraints and create-json-field-constraints in dsconfig. In dsconfig interactive, under advanced settings, the menu options are JSON Attribute Constraints and JSON Field Constraints.

Configuration properties for each include:

attribute-type

The name or object identifier of the attribute type with which the definition is associated. This attribute type must have the JSON object syntax. attribute-type is the naming attribute for the configuration entry.

allow-unnamed-fields

A Boolean value that indicates whether JSON objects, used as the values of attributes of the associated type, can include fields that are not referenced in the attribute-value-constraints object. The default value is true.

If allow-unnamed-fields is true JSON objects can have fields that are not referenced, and no constraints are imposed on those fields. If allow-unnamed-fields isfalse, JSON objects can only have the defined fields.

Unless a schema definition is configured with allow-unnamed-fields set to false, only information about fields whose values should be indexed or tokenized is required. To ensure that clients cannot store invalid values, you should define any other expected fields. .

As with the standard LDAP schema, JSON schema constraints are enforced for any changes made after the constraints are defined. If there are already JSON values in the data before a JSON schema is defined for that attribute type, or before changes are made, values that already exist might violate those constraints. JSON schema constraints are also enforced for data provided in an LDIF import, and entries containing JSON objects that violate these constraints are rejected.

JSON Field Constraints
Property Description

field

Specifies the path to the target field as a string with periods to separate levels of hierarchy.

If any field name in the hierarchy includes a period, then that period must be escaped with a backslash.

value-type

Specifies the expected data type for the target field.

The available values are:

any

The target field can have any value.

boolean

The target field must have a value of true or false.

integer

The target field must have a number that can be exactly represented as an integer.

null

The target field must have a value of null.

number

The target field must have a value that represents a valid JSON number.

object

The target field must have a value that represents a valid JSON object. The allowed-fields array can contain additional elements that define constraints for the fields.

string

The target field must have a value that represents a valid JSON string.

is-required

Specifies whether the target field is required to be present.

If the target field is present, its value must be either true or false. If it is absent, a default of false is assumed.

is-array

Indicates whether the target field can be an array.

If the value can be an array, all of the elements of the array must be of the type specified in the value-type field. The field constraint can be present with a value of one of the single strings listed below. If the constraint is absent, a value of prohibited is assumed.

Values are:

required

The target field must be an array with zero or more values of the specified type and must not be a single value of the specified type.

optional

The target field can be an array with zero or more values of the specified type, or it can be a single value of the specified type.

prohibited

The target field must not be an array and can only be a single value of the specified type.

allow-null-value

Specifies whether the target field can have a value of null as an alternative to the specified value-type.

If the field constraint is present, allows-null-value's value must be either true or false. If the constraint is absent, a default of false is assumed. allow-null-value has no effect if the value-type is null.

allow-empty-object

Specifies whether empty objects are permitted if the value of the target field is a JSON object or an array of JSON objects.

If the field constraint is present, the value must be either true, where the object can have zero or more fields, or false, where the object can have one or more fields. If the constraint is absent, a default of false is assumed.

index-values

Specifies whether values of the target field should be indexed in backends.

If the field constraint is present, the value must be either true (the field should be indexed) or false (the field should not be indexed). If the constraint is absent, a default of false is assumed. If true, the value-type must be boolean, integer, null, or string.

index-entry-limit

Specifies the maximum number of entries in which a particular value can appear before the entry ID list for that value is no longer maintained.

If the field constraint is present, the value must be an integer greater than or equal to 1. If the constraint is absent, the server uses the default index entry limit for the associated backend. This is only applicable if index-values is true.

prime-index

Specifies whether backends should prime the contents of the JSON index database into memory when they are opened.

This is ignored if the backend’s prime-all-indexes property has a value of true.

cache-mode

Specifies the cache mode to use for the contents of the JSON index database.

If the value is not specified, the backend’s default cache mode is used. If a cache mode of cache-keys-only is configured, priming only loads the internal nodes into memory for the index. If no-caching is configured, no priming is performed for the index.

tokenize-values

Specifies whether values of the target field should be tokenized in backends.

If the field constraint is present, the value is either true (field values should be tokenized) or false (field values should not be tokenized). If the constraint is absent, a value of false is assumed. If true, the value-type must be string.

allowed-values

Specifies an explicit set of values allowed in the target field .

If the field constraint is present, the value must be an array of strings. Any attempt to use a value not in this array for the associated field is rejected. allowed-values can only be used with a value-type of string. If the constraint is absent, any value can be used as long as it satisfies all other defined constraints.

allowed-value-regular-expression

Specifies a regular expression that the target field must match

If the field constraint is present, the value must be a single string or an array of strings representing valid regular expressions (which might require escaping to represent in JSON). Any attempt to use a value that does not match one of the provided regular expressions is rejected. allowed-value-regular-expression can only be used with a value-type of string. If the constraint is absent, values are not required to match any regular expression.

minimum-numeric-value

Specifies the lower bound for values of the target field

If the field constraint is present, the value must be a single number and can be an integer. Any attempt to use a value that is less than this number is rejected. minimum-numeric-value can only be used with a value-type of integer or number. If the constraint is absent, no minimum numeric value applies.

maximum-numeric-value

Specifies the upper bound for values of the target field

If the field constraint is present, the value must be a single number and can be an integer. Any attempt to use a value that is greater than this number is rejected. maximum-numeric-value can only be used with a value-type of integer or number. If the constraint is absent, no maximum numeric value applies.

minimum-value-length

Specifies the minimum number of characters allowed for values of the target field

If the field constraint is present, the value must be an integer. Any attempt to use a value with fewer characters than this number is rejected. minimum-value-length can only be used with a value-type of string. If the constraint is absent, no minimum length applies.

maximum-value-length

Specifies the maximum number of characters allowed for values of the target field

If the field constraint is present, the value must be an integer. Any attempt to use a value with more characters than this number is rejected. maximum-value-length can only be used with a value-type of string. If the constraint is absent, no maximum length applies.

minimum-value-count

Specifies the minimum number of elements that must be present in an array

If the field constraint is present, the value must be an integer. Any attempt to use an array with fewer elements is rejected. minimum-value-count can only be used with an is-array value of required or optional. If the constraint is absent, no minimum array value count applies.

maximum-value-count

Specifies the maximum number of elements that must be present in an array

If the field constraint is present, the value must be an integer. Any attempt to use an array with more elements is rejected. maximum-value-count can only be used with an is-array value of required or optional. If the constraint is absent, no maximum array value count applies.

When writing JSON objects in a local database backend, field names and JSON primitive values of null, true, and false are always tokenized. Integers are either tokenized or compacted using their two’s complement representation. Other numbers are stored using string representations. Array and object sizes are compacted, and their contents are compacted based on their data types.

String values are tokenized and match a recognizable format, including:

  • Dates and times in common generalized time and ISO 8601 formats

  • UUIDs in which the alphabetic characters are either all uppercase or all lowercase

  • Strings of at least 12 bytes that are a valid base64 encoding

  • Strings of at least 6 bytes that are a valid hexadecimal encoding, in which the alphabetic characters are either all uppercase or all lowercase

Adding constraints to JSON attributes

About this task

To create and configure JSON attribute constraints:

Steps

  • Run dsconfig with the create-json-attribute-constraints option.

    Example:

    In this example, a JSON attribute constraint is defined on the appjson attribute type. This constrains values of the appjson attribute to be JSON objects. Because allow-unnamed-fields is set to false, those JSON objects can only have fields for which there is a corresponding JSON field constraints definition.

    appjson is meant to be replaced by the name of the user’s desired attribute type, as defined in the directory schema. For more information, see About managing JSON attribute values.

    $ bin/dsconfig create-json-attribute-constraints \
      --attribute-type appjson \
      --set enabled:true \
      --set allow-unnamed-fields:false

    Example:

    In this example, a JSON field constraint object is defined for the email.verified field. The email.verified field must be present and must take a boolean value.

    $ bin/dsconfig create-json-field-constraints \
      --attribute-type appjson \
      --json-field email.verified \
      --set value-type:boolean \
      --set is-required:true \
      --set index-values:false \
      --set tokenize-values:false \
      --set allow-null-value:true

    Example:

    In this example, a JSON field constraint object is defined for the email.type field. The email.type field must be present and must take a value of home, work, or other.

    $ bin/dsconfig create-json-field-constraints \
      --attribute-type appjson \
      --json-field email.type \
      --set value-type:string \
      --set is-required:true \
      --set index-values:false \
      --set tokenize-values:true \
      --set allowed-value:home \
      --set allowed-value:other \
      --set allowed-value:work \
      --set allow-null-value:false

    Example:

    In this example, a JSON field constraint is defined for the email.value field. The email.value field must be present and must take a string value that matches the specified regular expression.

    $ bin/dsconfig create-json-field-constraints \
      --attribute-type appjson \
      --json-field email.value \
      --set value-type:string \
      --set is-required:true \
      --set index-values:true \
      --set tokenize-values:false \
      --set prime-index:true \
      --set allow-null-value:true \
      --set maximum-value-length:256 \
      --set minimum-value-length:1 \
      --set allowed-value-regular-expression:[-_\+\.\w\d]+@\w+\.\w{2,5}