Overview#

This is a Reference to Oddities in OID#

This is very subjective and is meant only to point out some potential gothas of OID form our point-of-view. As we have worked with several LDAP servers implementations, all LDAP servers have their Oddities form our point-of-view and we have yet to find the "perfect" LDAP server.

Further their are some situations when we hate the oddity and then there are some situations when we wish we did have the oddity.

Parsing Error#

When the IDM driver loads (I aslo saw this with some other Java ASN.1 based parsers) errors are shown due to, apparently parenthesis or apostrophies appearing in the "description" of the schema item.

Mismatched parenthesis in objectclass definition: ( 1.3.6.1.1.1.2.3 NAME 'ipService' SUP top STRUCTURAL DESC 'Abstraction an Internet Protocol service. Maps an IP port and protocol (such as tcp or udp) to one or more names; the distinguished value of the cn attribute denotes the service's canonical name' MUST ( cn $ ipServicePort $ ipServiceProtocol ) MAY ( description ) )

Mismatched parenthesis in objectclass definition: ( 1.3.6.1.1.1.2.4 NAME 'ipProtocol' SUP top STRUCTURAL DESC 'Abstraction of an IP protocol. Maps a protocol number to one or more names. The distinguished value of the cn attribute denotes the protocol's canonical name' MUST ( cn $ ipProtocolNumber ) MAY ( description ) )

Mismatched parenthesis in objectclass definition: ( 1.3.6.1.1.1.2.5 NAME 'oncRpc' SUP top STRUCTURAL DESC 'Abstraction of an Open Network Computing (ONC) [RFC1057] Remote Procedure Call (RPC) binding. This class maps an ONC RPC number to a name. The distinguished value of the cn attribute denotes the RPC service's canonical name' MUST ( cn $ oncRpcNumber $ description ) MAY ( description ) )

Mismatched parenthesis in objectclass definition: ( 1.3.6.1.1.1.2.6 NAME 'ipHost' SUP top AUXILIARY DESC 'Abstraction of a host, an IP device. The distinguished value of the cn attribute denotes the host's canonical name. Device SHOULD be used as a structural class' MUST ( cn $ ipHostNumber ) MAY ( l $ description $ manager $ userPassword ) )

Mismatched parenthesis in objectclass definition: ( 1.3.6.1.1.1.2.7 NAME 'ipNetwork' SUP top STRUCTURAL DESC 'Abstraction of a network. The distinguished value of the cn attribute denotes the network's canonical name' MUST ( ipNetworkNumber ) MAY ( cn $ ipNetmaskNumber $ l $ description $ manager ) )

Mismatched parenthesis in attributeType definition: ( 2.16.840.1.113894.5.1.1069 NAME 'orclMailFolderGroupDN' DESC 'Stores the DN of the Folder's group' EQUALITY caseIgnoreMatch SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' )

Mismatched parenthesis in attributeType definition: ( 2.16.840.1.113894.5.101.1.1063 NAME 'orclUMCTGroupConfig' DESC 'Configuration name defined in the Media Service's Application Profile' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )

OID Changelog#

No lastChangeNumber Provided#

OID does not provide the lastChangeNumber in the servers rootDSE. (As is done by Netscape, Redhat and some others)

This causes the driver, on startup to have to perform a search and retrieve all changlog entries in the changelog to find the lastChangeNumber. So, the user the driver is using to login to OID must NOT be limited by a server side search result limit; or the driver will ALWAYS have to run all changes in the changelog.

When IDM starts up, it first checks for lastChangeNumber in the OID servers rootDSE. As it is not there, it then must retrieve all entries in the change log and find the last (ie greatest) changenumber.

Once the driver knows where to start it then queries with some thing like filter=(&(changenumber>=4426)(changenumber<=5425)) (We set the driver to retrieve only 1000 changes in each poll)

How to get the Changelog#

This will retrieve the changelog:

C:\novell\ndk\edirsdk\cldap\Win32\tools\ldapsearch -h 151.132.97.73:389 -D cn=orcladmin -w pwd -b "cn=changelog" -s one "(changetype=modrdn)"

However the entries look like:

# 4530,changelog
dn: Changenumber=4530, cn=changelog
changes:: bmV3cmRuOmNuPXRtb3ZlamJ0ZXN0CmRlbGV0ZW9sZHJkbjo0Mjk0OTY3Mjk1CgA=
modifiersname: cn=idm,cn=users,dc=co,dc=somewhere,dc=oh,dc=us
orclchangeretrycount: 0
changenumber: 4530
orclparentguid:: IA==
orclguid: 0E5738AAE7505F2DE0440003BA9CDB1D
servername: oiddev1_oid1
operationtime: 20060309142203z
changetype: modrdn
targetdn: cn=tmovejbtest,ou=ia,ou=pbcusers,cn=users,dc=co,dc=somewhere,dc=oh,dc=us
objectclass: top
objectclass: changelog

Base64 Decode looks like:
cn=tmovejbtest,ou=ia,ou=pbcusers,cn=users,dc=co,dc=somewhere,dc=oh,dc=us                           
modrdn                                                                                              
newrdn:cn=tmovejbtest                                                                               
deleteoldrdn:4294967295                                                                             


# 4534,changelog
dn: Changenumber=4534, cn=changelog
changes:: bmV3cmRuOmNuPU1vdmVQZXJzb24KZGVsZXRlb2xkcmRuOjQyOTQ5NjcyOTUKbmV3U3Vw
 RE46b3U9VGVzdFVuaXRUbyxjbj1Vc2VycyxkYz1jbyxkYz1wYWxtLWJlYWNoLGRjPWZsLGRjPXVzC
 gA=
modifiersname: cn=orcladmin
orclchangeretrycount: 0
changenumber: 4534
orclparentguid: 0E9090393BA93654E0440003BA9CDB1D
orclguid: 0E9090393BAA3654E0440003BA9CDB1D
servername: oiddev1_oid1
operationtime: 20060309150306z
changetype: moddn
targetdn: cn=MovePerson,ou=TestUnit,cn=Users,dc=co,dc=somewhere,dc=oh,dc=us
objectclass: top
objectclass: changelog

Base64 Decode is like:
cn=MovePerson,ou=TestUnit,cn=Users,dc=co,dc=somewhere,dc=oh,dc=us                                  
moddn                                                                                               
newrdn:cn=MovePerson                                                                                
deleteoldrdn:4294967295                                                                             
newSupDN:ou=TestUnitTo,cn=Users,dc=co,dc=somewhere,dc=oh,dc=us  

No Referential Integrity#

We all got a laugh out of this one. Here Oracle, the DataBase king, does not use referential integrity in OID. This is in relation to entries of a syntax of DN. As an example:

• If a user is made a member of a group. So that the Group holds a uniqueMember value of the user's DN.
• The user is then deleted from OID.
• The Group STILL holds a uniqueMember value of the user's DN even though the user was deleted.

We also found this to be true when Groups were added to enterprise roles and then the group was deleted.

Word from an Oracle consultant is that this will be addresses in the next release.

More Information#

There might be more information for this subject on one of the following:

• DirXML and Oracle (OID)
• Oracle Internet Directory