PingDirectory

Creating user-defined virtual attributes

User-defined virtual attributes allow you to specify an explicit value to use for the virtual attribute.

There are no restrictions on the length of the value for a user-defined virtual attribute. You only need to ensure that the new virtual attribute conforms to your schema; otherwise, you will see an error message when you configure it.

You can define your virtual attributes using the dsconfig tool from the Standard object menu. Only the value property is specific to the user-defined virtual attribute. The other properties are common to all kinds of virtual attributes and include the following.

Property: Description

enabled: Indicates whether the virtual attribute should be used.

attribute-type: The attribute type for the virtual attribute that is generated.

base-dn, group-dn, filter: Can be used to select which entries are eligible to contain the virtual attribute.

client-connection-policy: Can be used to select which entries are eligible to contain the virtual attribute.

conflict-behavior: Used to indicate how the server should behave if there are one or more real values for the same attribute type in the same entry. The server can either return only the real values, only the virtual values, or merge both real and virtual values.

require-explicit-request-by-name: Used to indicate whether the server should only generate values for the virtual attribute if it was included in the list of requested attributes.

multiple-virtual-attribute-evaluation-order-index, multiple-virtual-attribute-merge-behavior: Used to control the behavior of the server if multiple virtual attributes can be used to contribute values to the same attribute.

Creating a user-defined virtual attribute in interactive mode

About this task

The following example shows how to create a user-defined virtual attribute that assigns an Employee Password Policy to any entry that matches the filter "(employeeType=employee)".

Steps

  1. To configure the user-defined virtual attribute:

    1. Run dsconfig.

    2. Specify the connection port, bind DN, password, and host information.

    3. Type the LDAP connection parameter for your PingDirectory server:

      • For LDAP, enter 1.

      • For SSL, enter 2.

      • For StartTLS, enter 3.

  2. To change the object menu, in the PingDirectory server main menu, type o, and then type the number to select Standard.

  3. In the PingDirectory server main menu, type the number corresponding to virtual attributes.

  4. To create a new virtual attribute, in the Virtual Attribute management menu, type the number corresponding to that option.

  5. Use an existing virtual attribute as a template for your new attribute, or create a new attribute from scratch.

    In this example, type n to create a new Virtual Attribute from scratch.

  6. In the Virtual Attribute Type menu, enter a number corresponding to the type of virtual attribute that you want to create.

    In this example, type the number corresponding to User Defined Virtual Attribute.

  7. Enter a name for the new virtual attribute.

    In this example, enter Employee Password Policy Assignment.

  8. In the Enabled Property menu, enter the number to set the property to TRUE (enable).

  9. In the Attribute-Type Property menu, type the attribute-type property for the new virtual attribute.

    You can enter the OID number or attribute name. The attribute-type property must conform to your schema. For this example, type ds-pwp-password-policy-dn.

  10. Enter the value for the virtual attribute, and then press Enter or Return to continue.

    In this example, enter cn=Employee Password Policy,cn=Password Policies,cn=config, and then press Enter or Return to continue.

  11. In the User Defined Virtual Attributes menu, enter a description for the virtual attribute.

    Though optional, this step is useful if you plan to create multiple virtual attributes. Enter the option to change the value, and then type a description of the virtual attribute. In this example, type Virtual attribute that assigns the Employee Password Policy to all entries that match (employeeType=employee).

  12. In the User Defined Virtual Attribute menu, type the number corresponding to the filter.

  13. In the Filter Property menu, enter the option to add one or more filter properties, type the filter, and then press Enter to continue.

    In this example, type (employeeType=employee). Then type the number to use the filter value entered.

  14. In the User Defined Virtual Attribute menu, type f to finish creating the virtual attribute.

  15. Verify that the attribute was created successfully.

    1. Add the employeeType=employee attribute to an entry, such as uid=user.0, using ldapmodify.

    2. Add the employeeType=contractor attribute to another entry, such as uid=user.1.

  16. To search for the user with the employeeType=employee attribute, such as uid=user.0, use ldapsearch.

    Example:

    $ bin/ldapsearch --baseDN dc=example,dc=com "(uid=user.0)" \
      ds-pwp-password-policy-dn

    Result:

    The ds-pwp-password-policy-dn attribute has the assigned password policy as its value.

    dn: uid=user.0,ou=People,dc=example,dc=com
    ds-pwp-password-policy-dn: cn=Employee Password Policy,cn=Password Policies,cn=config

  17. Run ldapsearch again using the filter (uid=user.1).

    Example:

    $ bin/ldapsearch --baseDN dc=example,dc=com "(uid=user.1)" \
      ds-pwp-password-policy-dn

    Result:

    The ds-pwp-password-policy-dn attribute is not present in the entry because the entry has the attribute employeeType=contractor.

    dn: uid=user.1,ou=People,dc=example,dc=com
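
The check in steps 16 and 17, extended from one entry at a time to a whole search result, as an added example that is not part of the PingDirectory documentation or tooling. The function names, the MISSING and UNEXPECTED labels, and the sample entries (including uid=user.2, uid=user.3 and the Default Password Policy DN) are constructed; it assumes the search requested both employeeType and ds-pwp-password-policy-dn.

```shell
#!/bin/sh
# Added example, not PingDirectory tooling; names and sample data are constructed.
EXPECTED_POLICY='cn=Employee Password Policy,cn=Password Policies,cn=config'

# Reads ldapsearch LDIF on stdin; prints one line per mismatch, returns 1 if any.
# Simplifications: string DN comparison, base64 ("attr:: ...") values not decoded.
audit_policy() {
  awk -v want="$EXPECTED_POLICY" '
    function attr(l,   i, n, v) {          # record one unfolded "name: value" line
      i = index(l, ":"); if (i == 0) return
      n = tolower(substr(l, 1, i - 1)); v = substr(l, i + 1); sub(/^ +/, "", v)
      if (n == "dn") dn = v
      else if (n == "employeetype" && tolower(v) == "employee") emp = 1
      else if (n == "ds-pwp-password-policy-dn" && tolower(v) == tolower(want)) has = 1
    }
    function entry() {                     # evaluate the entry that just ended
      if (dn != "" && emp && !has) { print "MISSING " dn; bad = 1 }
      if (dn != "" && !emp && has) { print "UNEXPECTED " dn; bad = 1 }
      dn = ""; emp = 0; has = 0
    }
    /^ / { buf = buf substr($0, 2); next } # LDIF continuation line: unfold it
         { attr(buf); buf = $0 }
    /^$/ { entry() }                       # a blank line ends an entry
    END  { attr(buf); entry(); exit bad }
  '
}

sample_ldif() {  # constructed sample; user.2 has a real value naming another policy
  cat <<'EOF'
dn: uid=user.0,ou=People,dc=example,dc=com
employeeType: employee
ds-pwp-password-policy-dn: cn=Employee Password Policy,cn=Password Policies,
 cn=config

dn: uid=user.1,ou=People,dc=example,dc=com
employeeType: contractor

dn: uid=user.2,ou=People,dc=example,dc=com
employeeType: employee
ds-pwp-password-policy-dn: cn=Default Password Policy,cn=Password Policies,cn=config

dn: uid=user.3,ou=People,dc=example,dc=com
employeeType: contractor
ds-pwp-password-policy-dn: cn=Employee Password Policy,cn=Password Policies,cn=config
EOF
}

sample_ldif | audit_policy || echo "mismatches found (exit status 1)"
```

An employee reported as MISSING is worth checking against the conflict-behavior property, because a real ds-pwp-password-policy-dn value in the entry can be returned instead of the virtual one.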

Creating a user-defined virtual attribute using dsconfig in non-interactive mode

About this task

You can create a virtual attribute in non-interactive command-line mode using dsconfig.

Steps

  • To set up the Employee Password Policy Assignment virtual attribute introduced in the previous section, run the following command.

    Example:

    $ bin/dsconfig create-virtual-attribute \
      --name "Employee Password Policy Assignment" \
      --type user-defined \
      --set enabled:true \
      --set attribute-type:ds-pwp-password-policy-dn \
      --set "filter:(employeeType=employee)" \
      --set "value:cn=Employee Password Policy,cn=Password Policies,cn=config"