Forward Reference

Overview#

The meaning of Forward Reference depends on context.

eDirectory#

LDIF File#

In an LDIF file, the record to add an entry can come before the record to add its parent container. In eDirectory, which guarantees Referential Integrity, this situation generates an error because the entry's parent does not exist. The -F option for the LDAP destination handler solves this problem: it enables the creation of a Forward Reference for the parent container. When the record to create the parent is processed, the Forward Reference is replaced with a normal entry.

It is possible that, after the entire LDIF file is processed, a few Forward References will remain because the LDIF file did not contain records to add them. Such Forward References remain in the directory as ObjectClass=unknown objects, and the entries below them remain and function as normal entries. You can either add these remaining Forward References as entries or move the subordinate entries to another container.

To identify the unknown objects in your directory, you can:

  • Use ConsoleOne or iManager, where unknown objects are represented by a round yellow icon with a question mark in the center.
  • Use an LDAP search with the search filter set to ObjectClass=unknown.

Both of these methods display all entries that have ObjectClass=unknown, not just the entries that are Forward References. From these entries, you need to select the entries to add.

When eDirectory processes an Add Request for an ObjectClass=unknown that already exists as a Forward Reference, eDirectory transforms the existing Forward Reference entry into a normal entry.

When eDirectory processes an Add Request for an ObjectClass=unknown that isn't a Forward Reference, eDirectory returns an LDAP Result Code of LDAP_ALREADY_EXISTS.
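A pre-import check for the ordering problem described in this section, as an added example that is not part of the original page or of any eDirectory tooling: it reports entries whose parent container is added later in the LDIF file (a Forward Reference that is later replaced) and entries whose parent is never added (a Forward Reference that would remain as ObjectClass=unknown). The sample LDIF, the function names and the `existing` parameter (containers assumed to be in the directory already) are assumptions.

```python
import base64
import re

# Constructed sample LDIF (not from the page): alice is added before her
# container ou=sales, and no record ever adds ou=ghost.
SAMPLE_LDIF = """\
dn: cn=alice,ou=sales,o=acme
changetype: add
objectClass: inetOrgPerson

dn: ou=sales,o=acme
changetype: add
objectClass: organizationalUnit

dn: cn=bob,ou=ghost,o=acme
changetype: add
objectClass: inetOrgPerson
"""

def rdns(dn):
    """Split a DN on unescaped commas; trim and case-fold each RDN."""
    return [p.strip().lower() for p in re.split(r"(?<!\\),", dn)]

def added_dns(ldif_text):
    """Yield the normalised DN of each add record, in file order."""
    text = re.sub(r"\r?\n ", "", ldif_text)  # unfold continuation lines
    for block in re.split(r"\n\s*\n", text):
        lines = [l for l in block.splitlines() if not l.startswith("#")]
        dn = next((l[3:] for l in lines if l.lower().startswith("dn:")), None)
        ctype = next((l[11:].strip().lower() for l in lines
                      if l.lower().startswith("changetype:")), "add")
        if dn is None or ctype != "add":
            continue
        if dn.startswith(":"):  # "dn::" means the DN is base64-encoded
            dn = base64.b64decode(dn[1:]).decode("utf-8")
        yield ",".join(rdns(dn))

def check_parents(ldif_text, existing=()):
    """Return (late, missing) lists of (entry, parent) pairs."""
    adds = list(added_dns(ldif_text))
    in_file = set(adds)
    seen = {",".join(rdns(d)) for d in existing}
    late, missing = [], []
    for dn in adds:
        parent = ",".join(rdns(dn)[1:])
        if parent and parent not in seen:
            # parent added further down the file vs. never added at all
            (late if parent in in_file else missing).append((dn, parent))
        seen.add(dn)
    return late, missing
```

Calling `check_parents(SAMPLE_LDIF, existing=["o=acme"])` puts alice in `late` and bob in `missing`; an empty `missing` list means no Forward Reference should be left behind by the import.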

Microsoft Active Directory#

A Forward Reference is a practice, used with Microsoft Active Directory, in which an object's group memberships are listed as the values of an attribute (the Member Attribute) of the Group object.

The MemberOf attribute (and each of its values) is a Virtual Attribute or, as Microsoft sometimes refers to it, a "back-link".

We have also seen Microsoft use the term Forward Reference, but as far as we know, both these terms are the same as Virtual Attribute.

For example, an attribute named memberOf or groupMembership might be used to list the groups of which the object is a member.

Typically, a forward reference identifies actual group objects to which the member object belongs. The group objects themselves may be static or dynamic.

Not limited to Group#

It should be noted that a Forward Reference could also be used merely to tag members of groups without there being a corresponding group object. Such tags might also be used to associate an object with other types of objects such as roles or other relationships.
