Known Issues

Extended Attribute Release

The Problem

The LDAP standard explicitly states that attributes and attribute values are not ordered in any way, and the same holds true for search results. Normally, this would not pose a problem. But when the dereference plugin is used, it can become an issue.

The dereference plugin works by reading an attribute that holds a DN and then fetching that DN's attributes. But the attribute holding the DN might be multivalued and so hold more than one DN. In that case, the dereference plugin fetches the requested attributes for each of the DNs found, ignoring any requested attributes that are not present in any of those DNs. The relation between each dereferenced DN and the attribute values fetched from it might be of importance, however.

For example, picture the following scenario. The dereference attribute holds the DNs of the organizations a user belongs to. We ask the plugin to fetch each organization's name and telephone number. For the name, the relation between the dereferenced DN and the dereferenced value (i.e. the returned attribute) is not important. For the telephone number it is, because (normally) we want to know which organization each phone number belongs to.

Our Solution

We added an extra configuration option, available in deployerConfigContext.xml (the rest of the configuration is the same as in the previous section). The option is named "derefExtended" and holds the attribute names that should be returned in an extended format. Those attributes should also be present in the "deref" option; otherwise listing them makes no sense (and makes no difference, since any invalid attribute names are ignored). The extended attributes must also be mapped to a name to be returned, and the mapping key must always have the form: derefAttrName.attrName.extended

For example, it could be something like this:

<bean id="attributeRepository"
      class="org.jasig.services.persondir.support.ldap.DereferenceAwareLdapPersonAttributeDao">
    ...
    <!-- key: attribute holding the DN(s); value: attribute to fetch from each dereferenced entry -->
    <property name="deref">
        <map>
            <entry key="eduPersonOrgUnitDN" value="cn"/>
        </map>
    </property>

    <!-- attributes from "deref" that should also be returned in the extended format -->
    <property name="derefExtended">
        <map>
            <entry key="eduPersonOrgUnitDN" value="cn"/>
        </map>
    </property>

    ...
    <property name="resultAttributeMapping">
        <map>
            <entry key="eduPersonOrgUnitDN.cn" value="Department Name"/>
            <entry key="eduPersonOrgUnitDN.cn.extended" value="Department Name Extended"/>
            ...
        </map>
    </property>
</bean>

The returned extended attributes are attributes (single- or multi-valued), containing strings of the following format:
dereferenceAttributeName:dereferenceAttributeValue < dereferencedAttributeValue >
For example:
eduPersonOrgUnitDN:ou=IT,ou=groups,dc=example,dc=com< Information Technology >
eduPersonOrgUnitDN:ou=HR,ou=groups,dc=example,dc=com< Human Resources >
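
A consumer-side sketch, added here as an example and not part of the plugin or the original page: it parses the extended strings described above and groups the dereferenced values by DN, so the pairing does not depend on the order in which LDAP returned them. The function names are hypothetical, and trimming the whitespace next to the angle brackets is an assumption, since the format line and the example above space them differently.

```python
import re
from collections import defaultdict

# Format from the page:
#   dereferenceAttributeName:dereferenceAttributeValue < dereferencedAttributeValue >
# Assumption: whitespace next to the angle brackets is padding, not data.
_EXTENDED = re.compile(
    r"""^(?P<attr>[^:<>\s]+):       # attribute that held the DN
        (?P<dn>(?:\\.|[^<\\])+?)    # the DN, up to the first unescaped bracket
        \s*<\s*(?P<value>.*?)\s*>$  # dereferenced value, up to the final bracket
    """,
    re.VERBOSE | re.DOTALL,
)

# Constructed sample: the two values from the example above.
SAMPLE_VALUES = [
    "eduPersonOrgUnitDN:ou=IT,ou=groups,dc=example,dc=com< Information Technology >",
    "eduPersonOrgUnitDN:ou=HR,ou=groups,dc=example,dc=com< Human Resources >",
]


def parse_extended(value):
    """Split one extended string into (deref attribute, DN, dereferenced value)."""
    match = _EXTENDED.match(value)
    if match is None:
        # Reject instead of guessing: a wrong DN/value pairing is worse than none.
        raise ValueError(f"not in extended format: {value!r}")
    return match["attr"], match["dn"], match["value"]


def group_by_dn(values, expected_attr):
    """Map each dereferenced DN to its values, independent of result order."""
    by_dn = defaultdict(list)
    for raw in values:
        attr, dn, dereferenced = parse_extended(raw)
        if attr != expected_attr:
            raise ValueError(f"unexpected dereference attribute: {attr!r}")
        by_dn[dn].append(dereferenced)
    return dict(by_dn)


if __name__ == "__main__":
    for dn, names in group_by_dn(SAMPLE_VALUES, "eduPersonOrgUnitDN").items():
        print(dn, "->", names)
```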