
Purdue University

Identity and Access Management

I2A2 LDAP Attributes

LDAP servers generally exchange information with their clients via entities called attributes. Attributes have three components: an attribute name (which may have nicknames), followed by an equal sign, followed by the attribute value.

It is beyond the scope of this treatment to cover all aspects of attribute composition. Consult the relevant RFCs or the "LDAP bible" for more information on that subject.

Attributes Supplied to I2A2 LDAP

The following attributes may be supplied to the I2A2 LDAP protocol converter, either in a Distinguished Name (DN), Relative Distinguished Name (RDN) or in a filter.

chx -- identifies a characteristic expression. This attribute should be used in a filter, not in an RDN.

cn -- identifies a common name. This attribute should be used in a filter, not in an RDN.

puid -- identifies a Purdue University IDentifier.

uid -- identifies the alias of a PUID. The LDAP protocol calls this attribute the user ID and it has been adopted by I2A2 LDAP, in lieu of defining a new attribute for alias.

A more complete description of each attribute follows below.

The password for a bind request is not passed as an attribute value, but as part of the authentication field of the bind request itself.

Attributes Returned by I2A2 LDAP

The I2A2 LDAP protocol converter may deliver the following attributes to its calling LDAP client in an LDAP protocol reply.

chl -- identifies a list of characteristics. (CharList is an alias.) This attribute is returned in reply to a search request only after a successful bind request has been completed in the same LDAP connection and only if the search DN specifies the authorizer DBM (ou=authorize).

chv -- identifies a characteristic expression value. This attribute is returned only when the search DN specifies the authorizer DBM (ou=authorize).

cn -- identifies a common name.

givenName -- identifies the given name, usually the first word of the common name.

puid -- identifies a Purdue University IDentifier.

sn -- identifies a surname attribute.

uid -- identifies the alias of a PUID. The LDAP protocol calls this attribute the user ID and it has been adopted by I2A2 LDAP, in lieu of defining a new attribute for alias.

A more complete description of each attribute follows below.

The Characteristic List Attribute (chl)

The characteristics list attribute contains a simple comma-separated list of characteristic numbers associated with a single PUID. It must be specifically requested by name in a search request. It is returned in the reply to a successful search request, but only after a successful bind request has been completed in the same LDAP connection and only if the search DN specifies the authorizer DBM (ou=authorize). Here's a sample value of a chl attribute:

0,13078,2066,3563,1536,13674,13680,13683,2029,2000,8133

The return of the characteristics list must be explicitly requested by specifying its chl or CharList attribute name in the search request. With the OpenLDAP ldapsearch(1) command, for example, chl is specified by naming it in the list of attributes at the end of the ldapsearch argument list.

$ ldapsearch -D ... -b ... -H ... puid chl cn

(CharList is an alias of chl.)

Consult your LDAP programming interface for its particular method of requesting returned attributes.

The Characteristic Expression Attribute (chx)

The characteristic expression attribute identifies an I2A2 characteristic Boolean expression. It should only be used in an LDAP filter or a search request and only when the DN specifies the authorizer DBM (ou=authorize). It should never be used in a DN or RDN.

Here's a complete chx attribute for testing the value of characteristic 1234 and 8765 for a PUID.

(chx=1234&8765)

(Filter expressions are normally enclosed in parentheses.) The above example will elicit a TRUE (1) response from the authorization DBM only if the named PUID has both characteristics set to TRUE (1).

See Using Characteristic Expression Filters for important information on how to use the chx attribute.

The Characteristic Expression Value Attribute (chv)

The result of the authorization DBM's testing of a characteristic expression is returned by the I2A2 LDAP protocol converter in a characteristic expression value attribute. If the expression of the previous example were to be TRUE (1), this would be returned:

chv=(1234&8765)=1

Special note: see the Characteristic Expression Filter Return Value discussion for a more complete explanation of when a chv attribute will be returned and when it will not be.
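The following Python example is added here to show the two value formats just described in working code; it is not code from this page or from the I2A2 LDAP protocol converter. It parses a chl value into a set of characteristic numbers, splits a chv value into its expression and its TRUE (1) / FALSE (0) result, and cross-checks a chv answer against a chl list returned on the same bound connection. It assumes that the only expression operator is the '&' shown on this page; the sample values are constructed from the page's own examples.

```python
import re

# Constructed sample values, following the forms this page shows for chl and chv.
SAMPLE_CHL = "0,13078,2066,3563,1536,13674,13680,13683,2029,2000,8133"
SAMPLE_CHV = "chv=(1234&8765)=1"

# Accepts either a bare "(expr)=v" or the full "chv=(expr)=v" form.
_CHV_RE = re.compile(r"^(?:chv=)?\((?P<expr>[^()]+)\)=(?P<val>[01])$")


def parse_chl(value: str) -> set:
    """Parse a chl (CharList) value into the set of characteristic numbers.

    The value is a plain comma-separated list of decimal numbers; any other
    token is rejected rather than silently skipped.
    """
    chars = set()
    for tok in value.split(","):
        tok = tok.strip()
        if not tok.isdigit():
            raise ValueError("bad characteristic number in chl: %r" % tok)
        chars.add(int(tok))
    return chars


def parse_chv(value: str) -> tuple:
    """Split a chv value such as 'chv=(1234&8765)=1' into (expression, result)."""
    m = _CHV_RE.match(value.strip())
    if m is None:
        raise ValueError("unrecognised chv value: %r" % value)
    return m.group("expr"), m.group("val") == "1"


def evaluate_conjunction(expr: str, chars: set) -> bool:
    """Evaluate an '&'-only characteristic expression against a chl set.

    Assumption: this page shows only the '&' operator, so only conjunctions
    of characteristic numbers are supported here.
    """
    terms = [t.strip() for t in expr.split("&")]
    if not all(t.isdigit() for t in terms):
        raise ValueError("unsupported characteristic expression: %r" % expr)
    return all(int(t) in chars for t in terms)


def chv_consistent_with_chl(chv_value: str, chl_value: str) -> bool:
    """True when the authorizer's chv answer agrees with the chl list.

    Both values must come from the same bound connection; a disagreement
    points at stale data or a mis-parsed reply and is worth logging.
    """
    expr, result = parse_chv(chv_value)
    return evaluate_conjunction(expr, parse_chl(chl_value)) == result


if __name__ == "__main__":
    print(sorted(parse_chl(SAMPLE_CHL)))
    print(parse_chv(SAMPLE_CHV))
    print(chv_consistent_with_chl(SAMPLE_CHV, SAMPLE_CHL))
```

With the constructed sample above, the chl list contains neither 1234 nor 8765, so a chv claiming (1234&8765)=1 fails the consistency check; that is the kind of mismatch a client should log rather than act on.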

The Common Name Attribute (cn)

The common name attribute is normally used to specify the name of a person who is associated with a PUID or its alias. A complete use of the attribute takes this form:

cn=a person's common name

The characters in the common name are carefully specified by the LDAP protocol. In general, and unless special care is taken to "quote" them, avoid:

Comma (',')
Octothorpe ('#')
Plus sign ('+')
Double-quote('"')
Backslash ('\')
Less-than symbol ('<')
Greater-than symbol ('>')
Semicolon (';')

Consult the "LDAP bible" or the LDAP RFCs for more information on character usage in LDAP attributes, DNs, and RDNs.

The Given Name (givenName)

The givenName attribute is an attribute returned to the client by the I2A2 LDAP protocol converter. It is the first word of the cn attribute. If, for example, the cn attribute contains this:

cn=alfred e newman

Then the givenName attribute would be:

givenName=alfred

See The Surname Attribute (sn) for examples of how the givenName attribute is formed from the value of the cn attribute.

The PUID Attribute (puid)

The puid attribute carries a Purdue University IDentifier. Because a PUID is strictly a decimal number, the puid attribute may also be used to carry the (non-numeric) alias of a PUID, but that practice is not recommended.

The puid attribute may be used in RDNs, DNs, and filters. It is also an attribute that the I2A2 LDAP protocol converter returns to the client. Here's an example of a puid attribute in an RDN:

puid=10284869,ou=identify,dc=purdue,dc=edu

And here's an example of the same PUID as it might be returned in response to an LDAP search request:

puid=10284869

When the puid attribute is used in an I2A2 authentication request (ou=authenticate) it may optionally be followed by an "at" sign ('@') and an I2A2 authentication realm. Without this suffix the default realm becomes purdue, where coordinated career account login authentication information is maintained. Here's an example of an authentication DN where the default authentication realm is specified in the RDN:

puid=10284869@purdue,ou=authenticate,dc=purdue,dc=edu

The puid attribute may also be used as a term in an LDAP filter. Here's an example that shows the puid attribute used in a filter in an or combination with a chx attribute:

(|(puid=10284869)(chx=1234&8765))

When the same puid attribute is specified in the accompanying RDN, the above filter will ensure that the chv attribute is always returned, whether its value is TRUE (1) or FALSE (0). See Characteristic Expression Filter Return Value for more information on that special case.
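The following Python example is added here to tie together two points made above: the list of characters to avoid in a cn value, and the puid DN forms for the identify and authenticate DBMs (with the optional @realm suffix). It is not code from this page or from I2A2 LDAP. It escapes RDN values according to RFC 4514, which covers every character on the page's avoid-list plus the positional cases (leading or trailing space) the RFC adds, and it refuses a non-decimal PUID. The base dc=purdue,dc=edu and the ou values are taken from the page's examples.

```python
# Characters this page tells you to avoid in a cn, escaped per RFC 4514.
_DN_SPECIAL = ',#+"\\<>;'
BASE_DN = "dc=purdue,dc=edu"


def escape_dn_value(value: str) -> str:
    """Escape an attribute value for use inside an RDN.

    Every character in the page's avoid-list gets a backslash, a NUL becomes
    \\00, and a leading or trailing space is escaped as RFC 4514 requires.
    """
    out = []
    for ch in value:
        if ch in _DN_SPECIAL:
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        else:
            out.append(ch)
    s = "".join(out)
    if s.startswith(" "):
        s = "\\" + s
    if s.endswith(" "):
        s = s[:-1] + "\\ "
    return s


def is_puid(value: str) -> bool:
    """A PUID is strictly a decimal number (per this page)."""
    return value.isdigit()


def identify_dn(puid: str) -> str:
    """DN for a lookup under the identifier DBM (ou=identify)."""
    if not is_puid(puid):
        raise ValueError("not a PUID: %r" % puid)
    return "puid=%s,ou=identify,%s" % (puid, BASE_DN)


def authenticate_dn(puid: str, realm: str = "") -> str:
    """Bind DN under the authentication DBM, with an optional @realm suffix.

    Without a realm the server defaults to the purdue realm; passing
    realm="purdue" makes that explicit, as in the page's example.
    """
    if not is_puid(puid):
        raise ValueError("not a PUID: %r" % puid)
    rdn_value = puid + ("@" + realm if realm else "")
    return "puid=%s,ou=authenticate,%s" % (escape_dn_value(rdn_value), BASE_DN)


def cn_rdn(common_name: str) -> str:
    """cn RDN with the value escaped so a comma or similar cannot split the DN."""
    return "cn=" + escape_dn_value(common_name)


if __name__ == "__main__":
    print(identify_dn("10284869"))
    print(authenticate_dn("10284869", "purdue"))
    print(cn_rdn("Jose C la Paz, IV"))
```

The escaping is what lets a name such as "Jose C la Paz, IV" sit safely in a DN: without it the comma would start a new RDN.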

The Surname Attribute (sn)

The surname attribute, sn, is an attribute returned in response to a search request. Typically it is the last word of the accompanying common name attribute, but the rules that govern how the surname is extracted from the common name are more complex than that.

  • After the first word is removed from the common name to be used as the value for the givenName attribute, the remainder of the common name is separated into words.
  • If the next to the last word ends in a comma, and the last word is a common title -- e.g., Esq., Jr, Sr, I through X -- the comma is removed from the next to the last word and the last word is discarded.
  • If exactly one word remains, it is the surname.
  • If more than two words remain, the sequence of words up to but not including the last word that contains "al", "de", "dos", "di", "du", "el", "la", "le", "mac", "mc", "st", "van" or "von" are used as a prefix to the last word to form a multiple word surname.

Here are some examples of the extraction of givenName and sn attributes from a cn attribute:

cn=Jose C la Paz, IV
givenName=Jose
sn=la Paz

cn=Amos C de la Oz, VIII
givenName=Amos
sn=de la Oz

cn=Victor von A Howdo, Jr
givenName=Victor
sn=Howdo

cn=Terry Mac Dermatologist
givenName=Terry
sn=Mac Dermatologist

cn=Thomas al Thumb
givenName=Thomas
sn=al Thumb

cn=Mary Messy
givenName=Mary
sn=Messy
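The following Python example is added here to carry the surname rules above through as code; it is not code from this page or from I2A2 LDAP. The prefix rule is read as "the last word, preceded by the contiguous run of listed particles immediately before it", which is the reading that reproduces all six examples on the page, including "von A Howdo" giving sn=Howdo. It assumes that a cn of a single word yields an empty surname, a case the page does not cover.

```python
# Particles the page lists as surname prefixes, compared case-insensitively.
_PARTICLES = {"al", "de", "dos", "di", "du", "el", "la", "le",
              "mac", "mc", "st", "van", "von"}
_TITLES = {"esq", "jr", "sr"}
_ROMAN = {"I", "II", "III", "IV", "V", "VI", "VII", "VIII", "IX", "X"}


def _is_title(word: str) -> bool:
    """Common titles the page names: Esq., Jr, Sr and the numerals I through X."""
    w = word.rstrip(".")
    return w.lower() in _TITLES or w.upper() in _ROMAN


def split_common_name(cn: str) -> tuple:
    """Derive (givenName, sn) from a cn value, following the page's rules.

    Accepts either the bare name or the full "cn=..." attribute form.
    Assumption: a cn of a single word yields an empty surname.
    """
    value = cn[3:] if cn.startswith("cn=") else cn
    words = value.split()
    if not words:
        raise ValueError("empty common name")
    given, rest = words[0], words[1:]          # rule 1: first word is givenName
    # rule 2: "Paz, IV" -> discard the title word and the comma before it
    if len(rest) >= 2 and rest[-2].endswith(",") and _is_title(rest[-1]):
        rest = rest[:-2] + [rest[-2].rstrip(",")]
    if not rest:
        return given, ""
    # rules 3 and 4: the last word, preceded by the contiguous run of
    # particles immediately before it ("C la Paz" -> "la Paz",
    # "von A Howdo" -> "Howdo" because "A" breaks the run)
    start = len(rest) - 1
    while start > 0 and rest[start - 1].lower() in _PARTICLES:
        start -= 1
    return given, " ".join(rest[start:])


def format_attributes(cn: str) -> str:
    """Render cn, givenName and sn in the three-line layout the page's examples use."""
    value = cn[3:] if cn.startswith("cn=") else cn
    given, sn = split_common_name(value)
    return "cn=%s\ngivenName=%s\nsn=%s" % (value, given, sn)


if __name__ == "__main__":
    for sample in ("Jose C la Paz, IV", "Amos C de la Oz, VIII",
                   "Victor von A Howdo, Jr", "Terry Mac Dermatologist",
                   "Thomas al Thumb", "Mary Messy"):
        print(format_attributes(sample))
        print()
```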

The UserID Attribute (uid)

The uid attribute is used by I2A2 LDAP and its clients to exchange the alias to the PUID. Thus, uid is an attribute that may be supplied to I2A2 LDAP in a DN, an RDN, or a filter, and it will be returned by I2A2 LDAP in the request response.

In many input cases -- e.g., in an RDN -- the uid and puid attributes are synonymous, since they represent the same PUID. Here are some equivalents.

puid=10284869 and uid=abe

puid=10284869 and uid=abe@purdue

puid=10284869@purdue and uid=abe

The uid attribute may also be used as a term in an LDAP filter. Here's an example that shows the uid attribute used in a filter in an or combination with a chx attribute:

(|(uid=abe)(chx=1234&8765))

When the same uid attribute is specified in the accompanying RDN, the above filter will ensure that the chv attribute is always returned, whether its value is TRUE (1) or FALSE (0). See Characteristic Expression Filter Return Value for more information on that special case.
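The following Python example is added here to build the or-combination filters shown for both the puid attribute and the uid attribute above; it is not code from this page or from I2A2 LDAP. The alias or PUID supplied by a caller is escaped according to RFC 4515 before it is placed in the filter, so a value containing '*', '(' or ')' cannot add or close filter terms, a PUID is required to be strictly decimal, and the chx expression is restricted to the '&' conjunction form this page shows (an assumption, since the page documents no other operator).

```python
import re

# A chx expression as far as this page shows it: characteristic numbers
# joined by '&'. Anything else is rejected rather than passed through.
_CHX_RE = re.compile(r"^[0-9]+(?:&[0-9]+)*$")


def escape_filter_value(value: str) -> str:
    """Escape an assertion value for an LDAP search filter (RFC 4515).

    '*', '(', ')', '\\', NUL and every non-ASCII byte become \\xx hex escapes,
    so a caller-supplied alias cannot add or close filter terms.
    """
    out = []
    for ch in value:
        if ch in "*()\\\x00" or ord(ch) > 0x7F:
            out.extend("\\%02x" % b for b in ch.encode("utf-8"))
        else:
            out.append(ch)
    return "".join(out)


def chx_filter(expr: str) -> str:
    """(chx=...) term; only the '&' conjunction form shown on this page."""
    if not _CHX_RE.match(expr):
        raise ValueError("unsupported characteristic expression: %r" % expr)
    return "(chx=%s)" % expr


def subject_filter(attr: str, value: str) -> str:
    """(puid=...) or (uid=...) term; a PUID must be strictly decimal."""
    if attr == "puid":
        if not value.isdigit():
            raise ValueError("not a PUID: %r" % value)
    elif attr != "uid":
        raise ValueError("subject attribute must be puid or uid, not %r" % attr)
    return "(%s=%s)" % (attr, escape_filter_value(value))


def subject_or_chx_filter(attr: str, value: str, expr: str) -> str:
    """The or-combination from the page, e.g. (|(uid=abe)(chx=1234&8765)).

    Used with the same puid or uid in the RDN, it makes the chv attribute
    come back whether the expression is TRUE (1) or FALSE (0).
    """
    return "(|%s%s)" % (subject_filter(attr, value), chx_filter(expr))


if __name__ == "__main__":
    print(subject_or_chx_filter("uid", "abe", "1234&8765"))
    print(subject_or_chx_filter("puid", "10284869", "1234&8765"))
    # constructed alias containing filter metacharacters, shown escaped
    print(subject_filter("uid", "ab)e"))
```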

Maintained by: IAMO Team

Purdue University, West Lafayette, IN 47907
© 2010 - 2013 Purdue University