directory-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From conflue...@apache.org
Subject [CONF] Apache Directory Server v1.5: 1.3. The Administrative Model (page edited)
Date Wed, 19 Nov 2008 23:03:00 GMT
<html>
<head>
    <base href="http://cwiki.apache.org/confluence" />
    <style type="text/css">
    <!--
    body, p, td, table, tr, .bodytext, .stepfield {
	font-family: Verdana, arial, sans-serif;
	font-size: 11px;
	line-height: 16px;
	color: #000000;
	font-weight: normal;
}
#PageContent {
	text-align: left;
	background-color: #fff;
	padding: 0px;
	margin: 0px;
    padding-bottom:20px;
}
/*
** when this stylesheet is used for the Tiny MCE Wysiwyg editor's edit area, we can't
** use an id=PageContent or class=wiki-content, so we must
** set the body style to that used for PageContent, and p to that used for wiki-content.
*/

body {
	margin: 0px;
	padding: 0px;
	text-align: center;
    background-color: #f0f0f0;
}

@media print {

body {
    background-color: #fff;
}

}

.monospaceInput {
    font:12px monospace
}

.wiki-content p, .commentblock p {
    margin: 16px 0px 16px 0px;
    padding: 0px;
}

.wiki-content-preview {
    padding: 5px;
    border-left: 1px solid #3c78b5;
    border-right: 1px solid #3c78b5;
}

ul, ol {
    margin-top: 2px;
    margin-bottom: 2px;
    padding-top: 0px;
    padding-bottom: 0px;
}

pre {
    padding: 0px;
    margin-top: 5px;
    margin-left: 15px;
    margin-bottom: 5px;
    margin-right: 5px;
    text-align: left;
}

.helpheading {
    font-weight: bold;
    background-color: #D0D9BD;
        border-bottom: 1px solid #3c78b5;
        padding: 4px 4px 4px 4px;
        margin: 0px;
        margin-top: 10px;
}
.helpcontent {
        padding: 4px 4px 20px 4px;
    background-color: #f5f7f1;
}

.code {
 	border: 1px dashed #3c78b5;
    font-size: 11px;
	font-family: Courier;
    margin: 10px;
	line-height: 13px;
}

.focusedComment {
    background: #ffffce;
}

.commentBox, .focusedComment {
    padding: 10px;
    margin: 5px 0 5px 0;
    border: 1px #bbb solid;
}

.codeHeader {
    background-color: #f0f0f0;
 	border-bottom: 1px dashed #3c78b5;
    padding: 3px;
	text-align: center;
}

.codeContent {
    text-align: left;
    background-color: #f0f0f0;
    padding: 3px;
}

.preformatted {
 	border: 1px dashed #3c78b5;
    font-size: 11px;
	font-family: Courier;
    margin: 10px;
	line-height: 13px;
}

.preformattedHeader {
    background-color: #f0f0f0;
 	border-bottom: 1px dashed #3c78b5;
    padding: 3px;
	text-align: center;
}

.preformattedContent {
    background-color: #f0f0f0;
    padding: 3px;
}

.panel {
 	border: 1px dashed #3c78b5;
    margin: 10px;
    margin-top: 0px;
}

.panelHeader {
    background-color: #f0f0f0;
 	border-bottom: 1px dashed #3c78b5;
    padding: 3px;
	text-align: center;
}

.panelContent {
    background-color: #f0f0f0;
    padding: 5px;
}

.anonymousAlert {
    background-color: #f0f0f0;
 	border: 1px dashed red;
    font-size: 11px;
    padding: 10px 5px 10px 5px;
    margin: 4px;
	line-height: 13px;
}

.lockAlert {
    background-color: #f0f0f0;
    width: 50%;
 	border: 1px dashed red;
    font-size: 11px;
    padding: 10px 5px 10px 5px;
    margin: 4px;
	line-height: 13px;
}


.code-keyword {
  color: #000091;
  background-color: inherit;
}

.code-object {
  color: #910091;
  background-color: inherit;
}

.code-quote {
  color: #009100;
  background-color: inherit;
}

.code-comment {
  color: #808080;
  background-color: inherit;
}


.code-xml .code-keyword {
  color: inherit;
  font-weight: bold;
}

.code-tag {
  color: #000091;
  background-color: inherit;
}

.breadcrumbs {
    background-color: #f0f0f0;
 	border-color: #3c78b5;
	border-width: 1px 0px 1px 0px;
	border-style: solid;
    font-size: 11px;
    padding: 3px 0px 3px 0px;
}

.navmenu {
    border: 1px solid #ccc;
}

.menuheading {
    font-weight: bold;
    background-color: #f0f0f0;
 	border-bottom: 1px solid #3c78b5;
	padding: 4px 4px 2px 4px;
}

.menuitems {
	padding: 4px 4px 20px 4px;
}

.rightpanel {
    border-left: 1px solid #ccc;
    border-bottom: 1px solid #ccc;
}

#helpheading {
    text-align: left;
    font-weight: bold;
    background-color: #D0D9BD;
 	border-bottom: 1px solid #3c78b5;
	padding: 4px 4px 4px 4px;
	margin: 0px;
}
#helpcontent {
	padding: 4px 4px 4px 4px;
    background-color: #f5f7f1;
}
.helptab-unselected {
    font-weight: bold;
	padding: 5px;
    background-color: #f5f7f1;
}
.helptab-selected {
    font-weight: bold;
    background-color: #D0D9BD;
	padding: 5px;
}
.helptabs {
    margin: 0px;
    background-color: #f5f7f1;
	padding: 5px;
}
.infopanel-heading {
    font-weight: bold;
	padding: 4px 0px 2px 0px;
}

.pagebody {
}

.pageheader {
	padding: 5px 5px 5px 0px;
 	border-bottom: 1px solid #3c78b5;
}

.pagetitle {
	font-size: 22px;
	font-weight: bold;
	font-family: Arial, sans-serif;
	color: #003366;
}

.newpagetitle {
    color: #ccc !important;
}

.steptitle {
	font-size: 18px;
	font-weight: bold;
	font-family: Arial, sans-serif;
	color: #003366;
	margin-bottom: 7px;
}

.substeptitle {
    font-size: 12px;
    font-weight: bold;
    font-family: Arial, sans-serif;
    color: #003366;
    margin: 2px 4px 4px 4px;
    padding: 2px 4px 1px 4px;
}

.stepdesc {
    font-family: Verdana, arial, sans-serif;
	font-size: 11px;
	line-height: 16px;
	font-weight: normal;
    color: #666666;
    margin-top: 7px;
    margin-bottom: 7px;
}

.steplabel {
    font-weight: bold;
    margin-right: 4px;
    color: black;
    float: left;
    width: 15%;
    text-align: right;
}

.stepfield {
    background: #f0f0f0;
    padding: 5px;
}

.submitButtons{
    margin-top:5px;
    text-align:right;
}

.formtitle {
	font-size: 12px;
	font-weight: bold;
	font-family: Arial, sans-serif;
	color: #003366;
}

.sectionbottom {
    border-bottom: 1px solid #3c78b5;
}

.topRow {
    border-top: 2px solid #3c78b5;
}

.tabletitle {
	font-size: 14px;
	font-weight: bold;
	font-family: Arial, sans-serif;
    padding: 3px 0px 2px 0px;
    margin: 8px 4px 2px 0px;
	color: #003366;
	border-bottom: 2px solid #3c78b5;
}
.pagesubheading {
    color: #666666;
    font-size: 10px;
    padding: 0px 0px 5px 0px;
}

HR {
	color: 3c78b5;
	height: 1;
}

A:link, A:visited, A:active, A:hover {
	color: #003366;
}

h1 A:link, h1 A:visited, h1 A:active {
	text-decoration: none;
}

h1 A:hover {
    border-bottom: 1px dotted #003366;
}

.wiki-content > :first-child, .commentblock > :first-child {
    margin-top: 3px;
}

.logocell {
    padding: 10px;
}

input {
	font-family: verdana, geneva, arial, sans-serif;
	font-size: 11px;
	color: #000000;
}

textarea, textarea.editor {
	font-family: verdana, geneva, arial, sans-serif;
	font-size: 11px;
	color: #333333;
}

/* use logoSpaceLink instead.
.spacenametitle {
	font: 21px/31px Impact, Arial, Helvetica;
    font-weight: 100;
    color: #999999;
	margin: 0px;
}
.spacenametitle img {
  margin: 0 0 -4px 0;
}
.spacenametitle a {
    text-decoration: none;
    color: #999999;
}
.spacenametitle a:visited {
    text-decoration: none;
    color: #999999;
}*/

.spacenametitle-printable {
	font: 20px/25px Impact, Arial, Helvetica;
    font-weight: 100;
    color: #999999;
	margin: 0px;
}
.spacenametitle-printable a {
    text-decoration: none;
    color: #999999;
}
.spacenametitle-printable a:visited {
    text-decoration: none;
    color: #999999;
}

.blogDate {
	font-weight: bold;
	text-decoration: none;
	color: black;
}

.blogSurtitle {
    background: #f0f0f0;
 	border: 1px solid #ddd;
	padding: 3px;
	margin: 1px 1px 10px 1px;
}

.blogHeading {
    font-size: 20px;
    line-height: normal;
    font-weight: bold;
    padding: 0px;
    margin: 0px;
}

.blogHeading a {
   text-decoration: none;
   color: black;
}

.endsection {
	align: right;
	color: #666666;
	margin-top: 10px;
}
.endsectionleftnav {
	align: right;
	color: #666666;
	margin-top: 10px;
}

h1 {
	font-size: 24px;
	line-height: normal;
	font-weight: bold;
	background-color: #f0f0f0;
	color: #003366;
 	border-bottom: 1px solid #3c78b5;
	padding: 2px;
	margin: 36px 0px 4px 0px;
}

h2 {
	font-size: 18px;
	line-height: normal;
	font-weight: bold;
	background-color: #f0f0f0;
 	border-bottom: 1px solid #3c78b5;
	padding: 2px;
	margin: 27px 0px 4px 0px;
}

h3 {
	font-size: 14px;
	line-height: normal;
	font-weight: bold;
	background-color: #f0f0f0;
	padding: 2px;
	margin: 21px 0px 4px 0px;
}

h4 {
	font-size: 12px;
	line-height: normal;
	font-weight: bold;
	background-color: #f0f0f0;
	padding: 2px;
	margin: 18px 0px 4px 0px;
}

h4.search {
	font-size: 12px;
	line-height: normal;
	font-weight: normal;
	background-color: #f0f0f0;
	padding: 4px;
	margin: 18px 0px 4px 0px;
}

h5 {
	font-size: 10px;
	line-height: normal;
	font-weight: bold;
	background-color: #f0f0f0;
	padding: 2px;
	margin: 14px 0px 4px 0px;
}

h6 {
	font-size: 8px;
	line-height: normal;
	font-weight: bold;
	background-color: #f0f0f0;
	padding: 2px;
	margin: 14px 0px 4px 0px;
}

.smallfont {
    font-size: 10px;
}
.descfont {
    font-size: 10px;
    color: #666666;
}
.smallerfont {
    font-size: 9px;
}
.smalltext {
    color: #666666;
    font-size: 10px;
}
.smalltext a {
    color: #666666;
}
.smalltext-blue {
    color: #3c78b5;
    font-size: 10px;
}
.surtitle {
    margin-left: 1px;
    margin-bottom: 5px;
    font-size: 14px;
    color: #666666;
}

/* css hack found here:  http://www.fo3nix.pwp.blueyonder.co.uk/tutorials/css/hacks/ */
.navItemOver { font-size: 10px; font-weight: bold; color: #ffffff; background-color: #003366; cursor: hand; voice-family: '\'}\''; voice-family:inherit; cursor: pointer;}
.navItemOver a { color: #ffffff; background-color:#003366; text-decoration: none; }
.navItemOver a:visited { color: #ffffff; background-color:#003366; text-decoration: none; }
.navItemOver a:hover { color: #ffffff; background-color:#003366; text-decoration: none; }
.navItem { font-size: 10px; font-weight: bold; color: #ffffff; background-color: #3c78b5; }
.navItem a { color: #ffffff; text-decoration: none; }
.navItem a:hover { color: #ffffff; text-decoration: none; }
.navItem a:visited { color: #ffffff; text-decoration: none; }

div.padded { padding: 4px; }
div.thickPadded { padding: 10px; }
h3.macrolibrariestitle {
    margin: 0px 0px 0px 0px;
}

div.centered { text-align: center; margin: 10px; }
div.centered table {margin: 0px auto; text-align: left; }

.tableview table {
    margin: 0;
}

.tableview th {
    text-align: left;
    color: #003366;
    font-size: 12px;
    padding: 5px 0px 0px 5px;
    border-bottom: 2px solid #3c78b5;
}
.tableview td {
    text-align: left;
    border-color: #ccc;
    border-width: 0px 0px 1px 0px;
    border-style: solid;
    margin: 0;
    padding: 4px 10px 4px 5px;
}

.grid {
    margin: 2px 0px 5px 0px;
    border-collapse: collapse;
}
.grid th  {
    border: 1px solid #ccc;
    padding: 2px 4px 2px 4px;
    background: #f0f0f0;
    text-align: center;
}
.grid td  {
    border: 1px solid #ccc;
    padding: 3px 4px 3px 4px;
}
.gridHover {
	background-color: #f9f9f9;
}

td.infocell {
    background-color: #f0f0f0;
}
.label {
	font-weight: bold;
	color: #003366;
}

label {
	font-weight: bold;
	color: #003366;
}

.error {
	background-color: #fcc;
}

.errorBox {
	background-color: #fcc;
    border: 1px solid #c00;
    padding: 5px;
    margin: 5px;
}

.errorMessage {
	color: #c00;
}

.success {
	background-color: #dfd;
}

.successBox {
	background-color: #dfd;
    border: 1px solid #090;
    padding: 5px;
    margin-top:5px;
    margin-bottom:5px;
}

blockquote {
	padding-left: 10px;
	padding-right: 10px;
	margin-left: 5px;
	margin-right: 0px;
	border-left: 1px solid #3c78b5;
}

table.confluenceTable
{
    margin: 5px;
    border-collapse: collapse;
}

/* Added as a temporary fix for CONF-4223. The table elements appear to be inheriting the border: none attribute from the sectionMacro class */
table.confluenceTable td.confluenceTd
{
    border-width: 1px;
    border-style: solid;
    border-color: #ccc;
    padding: 3px 4px 3px 4px;
}

/* Added as a temporary fix for CONF-4223. The table elements appear to be inheriting the border: none attribute from the sectionMacro class */
table.confluenceTable th.confluenceTh
{
    border-width: 1px;
    border-style: solid;
    border-color: #ccc;
    padding: 3px 4px 3px 4px;
    background-color: #f0f0f0;
    text-align: center;
}

td.confluenceTd
{
    border-width: 1px;
    border-style: solid;
    border-color: #ccc;
    padding: 3px 4px 3px 4px;
}

th.confluenceTh
{
    border-width: 1px;
    border-style: solid;
    border-color: #ccc;
    padding: 3px 4px 3px 4px;
    background-color: #f0f0f0;
    text-align: center;
}

DIV.small {
	font-size: 9px;
}

H1.pagename {
	margin-top: 0px;
}

IMG.inline  {}

.loginform {
    margin: 5px;
    border: 1px solid #ccc;
}

/* The text how the "This is a preview" comment should be shown. */
.previewnote { text-align: center;
                font-size: 11px;
                    color: red; }

/* How the preview content should be shown */
.previewcontent { background: #E0E0E0; }

/* How the system messages should be shown (DisplayMessage.jsp) */
.messagecontent { background: #E0E0E0; }

/* How the "This page has been modified..." -comment should be shown. */
.conflictnote { }

.createlink {
    color: maroon;
}
a.createlink {
    color: maroon;
}
.templateparameter {
    font-size: 9px;
    color: darkblue;
}

.diffadded {
    background: #ddffdd;
    padding: 1px 1px 1px 4px;
	border-left: 4px solid darkgreen;
}
.diffdeleted {
    color: #999;
    background: #ffdddd;
    padding: 1px 1px 1px 4px;
	border-left: 4px solid darkred;
}
.diffnochange {
    padding: 1px 1px 1px 4px;
	border-left: 4px solid lightgrey;
}
.differror {
    background: brown;
}
.diff {
    font-family: lucida console, courier new, fixed-width;
	font-size: 12px;
	line-height: 14px;
}
.diffaddedchars {
    background-color:#99ff99;
    font-weight:bolder;
}
.diffremovedchars {
    background-color:#ff9999;
    text-decoration: line-through;
    font-weight:bolder;
}

.greybackground {
    background: #f0f0f0
}

.greybox {
 	border: 1px solid #ddd;
	padding: 3px;
	margin: 1px 1px 10px 1px;
}

.borderedGreyBox {
    border: 1px solid #cccccc;
    background-color: #f0f0f0;
    padding: 10px;
}

.greyboxfilled {
 	border: 1px solid #ddd;
    background: #f0f0f0;
    padding: 3px;
	margin: 1px 1px 10px 1px;
}

.navBackgroundBox {
    padding: 5px 5px 5px 5px;
    font-size: 22px;
	font-weight: bold;
	font-family: Arial, sans-serif;
	color: white;
    background: #3c78b5;
    text-decoration: none;
}

.previewBoxTop {
	background-color: #f0f0f0;
    border-width: 1px 1px 0px 1px;
    border-style: solid;
    border-color: #3c78b5;
    padding: 5px;
    margin: 5px 0px 0px 0px;
    text-align: center;
}
.previewContent {
    background-color: #fff;
 	border-color: #3c78b5;
	border-width: 0px 1px 0px 1px;
	border-style: solid;
	padding: 10px;
	margin: 0px;
}
.previewBoxBottom {
	background-color: #f0f0f0;
    border-width: 0px 1px 1px 1px;
    border-style: solid;
    border-color: #3c78b5;
    padding: 5px;
    margin: 0px 0px 5px 0px;
    text-align: center;
}

.functionbox {
    background-color: #f0f0f0;
 	border: 1px solid #3c78b5;
	padding: 3px;
	margin: 1px 1px 10px 1px;
}

.functionbox-greyborder {
    background-color: #f0f0f0;
 	border: 1px solid #ddd;
	padding: 3px;
	margin: 1px 1px 10px 1px;
}

.search-highlight {
    background-color: #ffffcc;
}

/* normal (white) background */
.rowNormal {
    background-color: #ffffff;
 }

/* alternate (pale yellow) background */
.rowAlternate {
    background-color: #f7f7f7;
}

/* used in the list attachments table */
.rowAlternateNoBottomColor {
    background-color: #f7f7f7;
}

.rowAlternateNoBottomNoColor {
}

.rowAlternateNoBottomColor td {
    border-bottom: 0px;
}

.rowAlternateNoBottomNoColor td {
    border-bottom: 0px;
}

/* row highlight (grey) background */
.rowHighlight {
    background-color: #f0f0f0;

}

TD.greenbar {FONT-SIZE: 2px; BACKGROUND: #00df00; BORDER: 1px solid #9c9c9c; PADDING: 0px; }
TD.redbar {FONT-SIZE: 2px; BACKGROUND: #df0000; BORDER: 1px solid #9c9c9c; PADDING: 0px; }
TD.darkredbar {FONT-SIZE: 2px; BACKGROUND: #af0000; BORDER: 1px solid #9c9c9c; PADDING: 0px; }

TR.testpassed {FONT-SIZE: 2px; BACKGROUND: #ddffdd; PADDING: 0px; }
TR.testfailed {FONT-SIZE: 2px; BACKGROUND: #ffdddd; PADDING: 0px; }

.toolbar  {
    margin: 0px;
    border-collapse: collapse;
}

.toolbar td  {
    border: 1px solid #ccc;
    padding: 2px 2px 2px 2px;
    color: #ccc;
}

td.noformatting {
    border-width: 0px;
    border-style: none;
    text-align: center;
	padding: 0px;
}

.commentblock {
    margin: 12px 0 12px 0;
}

/*
 * Divs displaying the license information, if necessary.
 */
.license-eval, .license-none, .license-nonprofit {
    border-top: 1px solid #bbbbbb;
    text-align: center;
    font-size: 10px;
    font-family: Verdana, Arial, Helvetica, sans-serif;
}

.license-eval, .license-none {
    background-color: #ffcccc;
}

.license-eval b, .license-none b {
    color: #990000
}

.license-nonprofit {
    background-color: #ffffff;
}

/*
 * The shadow at the bottom of the page between the main content and the
 * "powered by" section.
 */
.bottomshadow {
    height: 12px;
    background-image: url("$req.contextPath/images/border/border_bottom.gif");
    background-repeat: repeat-x;
}

/*
 * Styling of the operations box
 */
.navmenu .operations li, .navmenu .operations ul {
    list-style: none;
    margin-left: 0;
    padding-left: 0;
}

.navmenu .operations ul {
    margin-bottom: 9px;
}

.navmenu .label {
    font-weight: inherit;
}

/*
 * Styling of ops as a toolbar
 */
.toolbar div {
    display: none;
}

.toolbar .label {
    display: none;
}

.toolbar .operations {
    display: block;
}

.toolbar .operations ul {
    display: inline;
    list-style: none;
    margin-left: 10px;
    padding-left: 0;
}

.toolbar .operations li {
    list-style: none;
    display: inline;
}

/* list page navigational tabs */
#foldertab {
padding: 3px 0px 3px 8px;
margin-left: 0;
border-bottom: 1px solid #3c78b5;
font: bold 11px Verdana, sans-serif;
}

#foldertab li {
list-style: none;
margin: 0;
display: inline;
}

#foldertab li a {
padding: 3px 0.5em;
margin-left: 3px;
border: 1px solid #3c78b5;
border-bottom: none;
background: #3c78b5;
text-decoration: none;
}

#foldertab li a:link { color: #ffffff; }
#foldertab li a:visited { color: #ffffff; }

#foldertab li a:hover {
color: #ffffff;
background: #003366;
border-color: #003366;
}

#foldertab li a.current {
background: white;
border-bottom: 1px solid white;
color: black;
}

#foldertab li a.current:link { color: black; }
#foldertab li a.current:visited { color: black; }
#foldertab li a.current:hover {
background: white;
border-bottom: 1px solid white;
color: black;
}

/* alphabet list */
ul#squaretab {
margin-left: 0;
padding-left: 0;
white-space: nowrap;
font: bold 8px Verdana, sans-serif;
}

#squaretab li {
display: inline;
list-style-type: none;
}

#squaretab a {
padding: 2px 6px;
border: 1px solid #3c78b5;
}

#squaretab a:link, #squaretab a:visited {
color: #fff;
background-color: #3c78b5;
text-decoration: none;
}

#squaretab a:hover {
color: #ffffff;
background-color: #003366;
border-color: #003366;
text-decoration: none;
}

#squaretab li a#current {
background: white;
color: black;
}

.blogcalendar * {
    font-family:verdana, arial, sans-serif;
    font-size:x-small;
    font-weight:normal;
    line-height:140%;
    padding:2px;
}


table.blogcalendar {
    border: 1px solid #3c78b5;
}

.blogcalendar th.calendarhead, a.calendarhead {
    font-size:x-small;
    font-weight:bold;
    padding:2px;
    text-transform:uppercase;
    background-color: #3c78b5;
    color: #ffffff;
    letter-spacing: .3em;
    text-transform: uppercase;
}

.calendarhead:visited {color: white;}
.calendarhead:active {color: white;}
.calendarhead:hover {color: white;}

.blogcalendar th {
    font-size:x-small;
    font-weight:bold;
    padding:2px;
    background-color:#f0f0f0;
}

.blogcalendar td {
    font-size:x-small;
    font-weight:normal;
}

.searchGroup { padding: 0 0 10px 0; background: #f0f0f0; }
.searchGroupHeading { font-size: 10px; font-weight: bold; color: #ffffff; background-color: #3c78b5; padding: 2px 4px 1px 4px; }
.searchItem { padding: 1px 4px 1px 4px; }
.searchItemSelected { padding: 1px 4px 1px 4px; font-weight: bold; background: #ddd; }

/* permissions page styles */
.permissionHeading {
    border-bottom: #bbb; border-width: 0 0 1px 0; border-style: solid; font-size: 16px; text-align: left;
}
.permissionTab {
    border-width: 0 0 0 1px; border-style: solid; background: #3c78b5; color: #ffffff; font-size: 10px;
}
.permissionSuperTab {
    border-width: 0 0 0 1px; border-style: solid; background: #003366; color: #ffffff;
}
.permissionCell {
    border-left: #bbb; border-width: 0 0 0 1px; border-style: solid;
}

/* warning panel */
.warningPanel { background: #FFFFCE; border:#F0C000 1px solid; padding: 8px; margin: 10px; }
/* alert panel */
.alertPanel { background: #FFCCCC; border:#C00 1px solid; padding: 8px; margin: 10px; }
/* info panel */
.infoPanel { background: #D8E4F1; border:#3c78b5 1px solid; padding: 8px; margin: 10px; }

/* side menu highlighting (e.g. space content screen) */
.optionPadded { padding: 2px; }
.optionSelected { background-color: #ffffcc; padding: 2px; border: 1px solid #ddd; margin: -1px; }
.optionSelected a { font-weight: bold; text-decoration: none; color: black; }

/* information macros */
.noteMacro { border-style: solid; border-width: 1px; border-color: #F0C000; background-color: #FFFFCE; text-align:left; margin-top: 5px; margin-bottom: 5px}
.warningMacro { border-style: solid; border-width: 1px; border-color: #c00; background-color: #fcc; text-align:left; margin-top: 5px; margin-bottom: 5px}
.infoMacro { border-style: solid; border-width: 1px; border-color: #3c78b5; background-color: #D8E4F1; text-align:left; margin-top: 5px; margin-bottom: 5px}
.tipMacro { border-style: solid; border-width: 1px; border-color: #090; background-color: #dfd; text-align:left; margin-top: 5px; margin-bottom: 5px}
.informationMacroPadding { padding: 5px 0 0 5px; }

table.infoMacro td, table.warningMacro td, table.tipMacro td, table.noteMacro td, table.sectionMacro td {
    border: none;
}

table.sectionMacroWithBorder td.columnMacro { border-style: dashed; border-width: 1px; border-color: #cccccc;}

.pagecontent
{
    padding: 10px;
    text-align: left;
}

/* styles for links in the top bar */
.topBarDiv a:link {color: #ffffff;}
.topBarDiv a:visited {color: #ffffff;}
.topBarDiv a:active {color: #ffffff;}
.topBarDiv a:hover {color: #ffffff;}
.topBarDiv {color: #ffffff;}

.topBar {
    background-color: #003366;
}


/* styles for extended operations */
.greyLinks a:link {color: #666666; text-decoration:underline;}
.greyLinks a:visited {color: #666666; text-decoration:underline;}
.greyLinks a:active {color: #666666; text-decoration:underline;}
.greyLinks a:hover {color: #666666; text-decoration:underline;}
.greyLinks {color: #666666; display:block; padding: 10px}

.logoSpaceLink {color: #999999; text-decoration: none}
.logoSpaceLink a:link {color: #999999; text-decoration: none}
.logoSpaceLink a:visited {color: #999999; text-decoration: none}
.logoSpaceLink a:active {color: #999999; text-decoration: none}
.logoSpaceLink a:hover {color: #003366; text-decoration: none}

/* basic panel (basicpanel.vmd) style */
.basicPanelContainer {border: 1px solid #3c78b5; margin-top: 2px; margin-bottom: 8px; width: 100%}
.basicPanelTitle {padding: 5px; margin: 0px; background-color: #f0f0f0; color: black; font-weight: bold;}
.basicPanelBody {padding: 5px; margin: 0px}

.separatorLinks a:link {color: white}
.separatorLinks a:visited {color: white}
.separatorLinks a:active {color: white}

.greynavbar {background-color: #f0f0f0; border-top: 1px solid #3c78b5; margin-top: 2px}

div.headerField {
    float: left;
    width: auto;
    height: 100%;
}

.headerFloat {
    margin-left: auto;
    width: 50%;
}

.headerFloatLeft {
    float: left;
    margin-right: 20px;
    margin-bottom: 10px;
}

#headerRow {
    padding: 10px;
}

div.license-personal {
   background-color: #003366;
   color: #ffffff;
}

div.license-personal a {
   color: #ffffff;
}

.greyFormBox {
    border: 1px solid #cccccc;
    padding: 5px;
}

/* IE automatically adds a margin before and after form tags. Use this style to remove that */
.marginlessForm {
    margin: 0px;
}

.openPageHighlight {
    background-color: #ffffcc;
    padding: 2px;
    border: 1px solid #ddd;
}

.editPageInsertLinks, .editPageInsertLinks a
{
    color: #666666;
    font-weight: bold;
    font-size: 10px;
}

/* Style for label heatmap. */
.top10 a {
    font-weight: bold;
    font-size: 2em;
    color: #003366;
}
.top25 a {
    font-weight: bold;
    font-size: 1.6em;
    color: #003366;
}
.top50 a {
    font-size: 1.4em;
    color: #003366;
}
.top100 a {
    font-size: 1.2em;
    color: #003366;
}

.heatmap {
    list-style:none;
    width: 95%;
    margin: 0px auto;
}

.heatmap a {
    text-decoration:none;
}

.heatmap a:hover {
    text-decoration:underline;
}

.heatmap li {
    display: inline;
}

.minitab {
padding: 3px 0px 3px 8px;
margin-left: 0;
margin-top: 1px;
margin-bottom: 0px;
border-bottom: 1px solid #3c78b5;
font: bold 9px Verdana, sans-serif;
text-decoration: none;
float:none;
}
.selectedminitab {
padding: 3px 0.5em;
margin-left: 3px;
margin-top: 1px;
border: 1px solid #3c78b5;
background: white;
border-bottom: 1px solid white;
color: #000000;
text-decoration: none;
}
.unselectedminitab {
padding: 3px 0.5em;
margin-left: 3px;
margin-top: 1px;
border: 1px solid #3c78b5;
border-bottom: none;
background: #3c78b5;
color: #ffffff;
text-decoration: none;
}

a.unselectedminitab:hover {
color: #ffffff;
background: #003366;
border-color: #003366;
}

a.unselectedminitab:link { color: white; }
a.unselectedminitab:visited { color: white; }

a.selectedminitab:link { color: black; }
a.selectedminitab:visited { color: black; }

.linkerror { background-color: #fcc;}

a.labelOperationLink:link {text-decoration: underline}
a.labelOperationLink:active {text-decoration: underline}
a.labelOperationLink:visited {text-decoration: underline}
a.labelOperationLink:hover {text-decoration: underline}

a.newLabel:link {background-color: #ddffdd}
a.newLabel:active {background-color: #ddffdd}
a.newLabel:visited {background-color: #ddffdd}
a.newLabel:hover {background-color: #ddffdd}

ul.square {list-style-type: square}

.inline-control-link {
    background: #ffc;
    font-size: 9px;
    color: #666;
    padding: 2px;
    text-transform: uppercase;
    text-decoration: none;
}


.inline-control-link a:link {text-decoration: none}
.inline-control-link a:active {text-decoration: none}
.inline-control-link a:visited {text-decoration: none}
.inline-control-link a:hover {text-decoration: none}

.inline-control-link {
    background: #ffc;
    font-size: 9px;
    color: #666;
    padding: 2px;
    text-transform: uppercase;
    text-decoration: none;
    cursor: pointer;
}

div.auto_complete {
    width: 350px;
    background: #fff;
}
div.auto_complete ul {
    border: 1px solid #888;
    margin: 0;
    padding: 0;
    width: 100%;
    list-style-type: none;
}
div.auto_complete ul li {
    margin: 0;
    padding: 3px;
}
div.auto_complete ul li.selected {
    background-color: #ffb;
}
div.auto_complete ul strong.highlight {
    color: #800;
    margin: 0;
    padding: 0;
}

/******* Edit Page Styles *******/
.toogleFormDiv{
    border:1px solid #A7A6AA;
    background-color:white;
    padding:5px;
    margin-top: 5px;
}

.toogleInfoDiv{
    border:1px solid #A7A6AA;
    background-color:white;
    display:none;
    padding:5px;
    margin-top: 10px;
}

.inputSection{
    margin-bottom:20px;
}

#editBox{
   border:1px solid lightgray;
   background-color:#F0F0F0;
}

/******* Left Navigation Theme Styles ********/
.leftnav li a {
    text-decoration:none;
    color:white;
    margin:0px;
    display:block;
    padding:2px;
    padding-left:5px;
    background-color: #3c78b5;
    border-top:1px solid #3c78b5;
}

.leftnav li a:active {color:white;}
.leftnav li a:visited {color:white;}
.leftnav li a:hover {background-color: #003366; color:white;}

/* Added by Shaun during i18n */
.replaced
{
    background-color: #33CC66;
}

.topPadding
{
    margin-top: 20px;
}

/* new form style */
.form-block {
    padding: 6px;
}
.form-error-block {
    padding: 6px;
    background: #fcc;
    border-top: #f0f0f0 1px solid;
    border-bottom: #f0f0f0 1px solid;
    margin-bottom: 6px;
    padding: 0 12px 0 12px;
}
.form-element-large {
    font-size: 16px;
    font-weight: bold;
    font-family: Arial, sans-serif;
    color: #003366;
}

.form-element-small {
    font-size: 12px;
    font-weight: bold;
    font-family: Arial, sans-serif;
    color: #003366;
}

.form-header {
    background: lightyellow;
    border-top: #f0f0f0 1px solid;
    border-bottom: #f0f0f0 1px solid;
    margin-bottom: 6px;
    padding: 0 12px 0 12px;
}
.form-header p, .form-block p, .form-error-block p {
    line-height: normal;
    margin: 12px 0 12px 0;
}
.form-example {
    color: #888;
    font-size: 11px;
}
.form-divider {
    border-bottom: #ccc 1px solid;
    margin-bottom: 6px;
}
.form-buttons {
    margin-top: 6px;
    border-top: #ccc 1px solid;
    border-bottom: #ccc 1px solid;
    background: #f0f0f0;
    padding: 10px;
    text-align: center;
}
.form-buttons input {
    width: 100px;
}
.form-block .error {
    padding: 6px;
    margin-bottom: 6px;
}
    -->
    </style>
</head>
<body>

<div id="PageContent">
<table class="pagecontent" border="0" cellpadding="0" cellspacing="0" width="100%"><tr>
<td valign="top" class="pagebody">

    <div class="pageheader">
        <span class="pagetitle">
            Page Edited :
            <a href="http://cwiki.apache.org/confluence/display/DIRxSRVx11">DIRxSRVx11</a> :
            <a href="http://cwiki.apache.org/confluence/display/DIRxSRVx11/1.3.+The+Administrative+Model">1.3. The Administrative Model</a>
        </span>
    </div>

     <p>
        <a href="http://cwiki.apache.org/confluence/display/DIRxSRVx11/1.3.+The+Administrative+Model">1.3. The Administrative Model</a>
        has been edited by             <a href="http://cwiki.apache.org/confluence/display/~elecharny">Emmanuel Lécharny</a>
            <span class="smallfont">(Nov 19, 2008)</span>.
     </p>
    
     <p>
                 <a href="http://cwiki.apache.org/confluence/pages/diffpagesbyversion.action?pageId=55219&originalVersion=5&revisedVersion=6">(View changes)</a>
     </p>

    <span class="label">Content:</span><br/>
    <div class="greybox wiki-content"><table cellpadding='5' width='85%' cellspacing='8px' class='noteMacro' border="0" align='center'><colgroup><col width='24'><col></colgroup><tr><td valign='top'><img src="/confluence/images/icons/emoticons/warning.gif" width="16" height="16" align="absmiddle" alt="" border="0"></td><td><b class="strong">Work in progress</b><br />
<p>This site is in the process of being reviewed and updated.</p></td></tr></table>
<table cellpadding='5' width='85%' cellspacing='8px' class='warningMacro' border="0" align='center'><colgroup><col width='24'><col></colgroup><tr><td valign='top'><img src="/confluence/images/icons/emoticons/forbidden.gif" width="16" height="16" align="absmiddle" alt="" border="0"></td><td><b class="strong">Warning</b><br />
<p>This page needs to be overworked</p></td></tr></table>

<h2><a name="1.3.TheAdministrativeModel-Introduction"></a>Introduction</h2>

<p>Subentries are used for managing the administration of different aspects of the directory.  LDAP has just recently formalized the notion of subentires in <span class="nobr"><a href="http://www.faqs.org/rfcs/rfc3672.html" title="Visit page outside Confluence" rel="nofollow">RFC 3672<sup><img class="rendericon" src="/confluence/images/icons/linkext7.gif" height="7" width="7" align="absmiddle" alt="" border="0"/></sup></a></span>.  Subentries have existed within X.500 Directories for years with clear specifications for administering collective attributes, schema, and access controls.  With the exception of managing collective attributes LDAP has no equivalent <b>yet</b> for administering these aspects.  However with RFC 3672, LDAP is on its way towards adopting and adapting these mechanisms from X.500 Directories.  It is only a matter of time.</p>

<p>For this reason we intend to remain ahead of the curve by implementing these aspects of administration using Subentries and Administrative Areas similar to X.500 Directories.</p>

<h2><a name="1.3.TheAdministrativeModel-Whatexactlyaresubentries%3F"></a>What exactly are subentries?</h2>

<p>To explain this properly we're going to need to discuss a couple other things like administrative areas (AA) and administrative points (AP) within the directory.  However for the impatient here's a quick attempt to describe what subentries are:</p>

<p>Subentries are hidden leaf entries (which cannot have children).  These entries immediately subordinate to an administrative point (AP) within the directory.  They are used to specify administrative information for a part of the Directory Information Tree (DIT).  Subentries can contain administrative information for aspects of access control, schema administration, and collective attributes (and others which have not been defined in any specification yet).</p>

<h2><a name="1.3.TheAdministrativeModel-AdministrativeAreas%2CEntriesandPoints"></a>Administrative Areas, Entries and Points</h2>

<p>First some definitions as provided by X.501:</p>
<ul>
	<li>11.1.1 administrative area: A subtree of the DIT considered from the perspective of administration.</li>
	<li>11.1.2 administrative entry: An entry located at an administrative point.</li>
	<li>11.1.3 administrative point: The root vertex of an administrative area.</li>
	<li>11.1.5 autonomous administrative area: A subtree of the DIT whose entries are all administered by the same Administrative Authority. Autonomous administrative areas are non-overlapping.</li>
	<li>11.1.11 inner administrative area: A specific administrative area whose scope is wholly contained within the scope of another specific administrative area of the same type.</li>
	<li>11.1.17 specific administrative area: A subset (in the form of a subtree) of an autonomous administrative area defined for a particular aspect of administration: access control, subschema or entry collection administration. When defined, specific administrative areas of a particular kind partition an autonomous administrative area.</li>
	<li>11.1.18 specific administrative point: The root vertex of a specific administrative area.</li>
</ul>


<p>Now take a step back because the above definitions are, well, from a sleep inducing spec. Let's just talk about some situations.</p>

<p>Presume you're the uber directory administrator over at WallyWorld (a Walmart competitor). Let's say WallyWorld uses their corporate directory for various things including their product catalog. As the uber admin you're going to have a bunch of people wanting access, update and even administer your directory. Entire departments within WallyWorld are going to want to control different parts of the directory. Sales may want to manage the product catalog, while operations may want to manage information in other areas dealing with suppliers and store locations. Whatever the domain some department will need to manage the information as the authority.</p>

<p>Each department will probably designate different people to manage different aspects of their domain. You're not going to want to deal with their little fiefdoms instead you can delegate the administration of access control policy to a departmental contact. You will want to empower your users and administrative contacts in these departments so they can do part of the job for you. Plus it's much better than having to communicate with everyone in the company to meet their needs. This is where the delegation of authority comes into the picture.</p>

<p>Usually administrators do this already to an extent without defining administrative areas. Giving users the ability to change their own passwords for example is a form of delegation. This is generally a good idea because you don't want to set passwords for people. First because you don't want to see the password and secondly because of the management nightmare you'd have to deal with. Expand this idea out a little further and think about delegating administration not of users on their passwords but of entire subtrees in the directory to administrative contacts in various departments.</p>

<p>Do you really want to manage the corporate product catalog or just let the sales department manage it? But what do we mean by manage? You want sales people to create, and delete entries but they may only trust a few people to do this. Others may just view the catelog. Who are the people with add/remove powers and why should you have to be involved with deciding this ever changing departmental policy? Instead you can delegate the management of access controls in this area to a administrative contact in the sales department. The sales contact can then administer access controls for their department. They're closer to the people in sales than you are and they probably have more bandwidth to handle sales related needs than you do. Delegating authority in this fashion is what X.500 engineers pioneered in the early 80's with the telecom boom in Europe. They knew different authorities will want to manage different aspects of directory administration for themselves. These X.500 definitions are there to be able to talk about administrative areas within the directory. Now let's get back to what these things are exactly.</p>

<p>An administrative area is some part of the directory tree that is arbitrarily defined. The tree can be split into different administrative areas to delegate authority for managing various aspects of administration. For example you can have a partition hanging off of <b>'dc=example,dc=com'</b> with an <b>'ou=product catalog'</b> area. You may want this area to be managed by the sales department with respect to the content, schema, it's visibility, and collective attributes. Perhaps you only want to delegate only one aspect of administration , access control, since you don't want people messing around with schema. To do so you can define everything under <b>'ou=product catalog'</b> to be an administrative area specifically for access control and delegate that aspect only. In that case the entry, <b>'ou=product catalog,dc=example,dc=com'</b> becomes an administrative entry. It is also the administrative point for the area which is the tree rooted at this entry.</p>

<p>Not all administrative areas are equal. There are really two kinds : <b>autonomous</b> and <b>inner</b> areas. Autonomous areas are areas of administration that cannot overlap. Meaning someone is assigned as the supreme authority for that subtree. Inner areas are, as their name suggests, nested administrative areas within autonomous areas and other inner areas. Yes, you can nest these inner areas as deep as you like. You may be asking yourself what the point to all this is. Well, say you're the supreme admin of admins. You delegate the authority to manage access control for the corporate catalog to the sales admin. That admin may in turn decide to delegate yet another area of the catalog to another contact within a different department. You delegate access control management to the sales admin over the product catalog. The sales admin realizes that the job is way bigger than he can manage so he delegates administration of subtrees in the catalog to various contacts in different departments. For example regions of the catalog under <b>'ou=electronics' and 'ou=produce'</b> may be delegated to different contacts in their respective departments. However the sales admin still reserves the ability to override access controls in the catalog. The sales admin can change who manages access controls for different parts of the catalog. This chain of delegation is possible using inner administrative areas.</p>

<h2><a name="1.3.TheAdministrativeModel-Howareadministrativeareasdefined%3F"></a>How are administrative areas defined?</h2>

<p>Usually an entry is selected as the administrative point and marked with an operational attribute. The attributeType of the operational attribute is 'administrativeRole'. This attribute can have the following values:</p>
<table class='confluenceTable'><tbody>
<tr>
<th class='confluenceTh'> OID </th>
<th class='confluenceTh'> NAME </th>
</tr>
<tr>
<td class='confluenceTd'> 2.5.23.1 </td>
<td class='confluenceTd'> autonomousArea </td>
</tr>
<tr>
<td class='confluenceTd'> 2.5.23.2 </td>
<td class='confluenceTd'> accessControlSpecificArea </td>
</tr>
<tr>
<td class='confluenceTd'> 2.5.23.3 </td>
<td class='confluenceTd'> accessControlInnerArea </td>
</tr>
<tr>
<td class='confluenceTd'> 2.5.23.4 </td>
<td class='confluenceTd'> subschemaAdminSpecificArea </td>
</tr>
<tr>
<td class='confluenceTd'> 2.5.23.5 </td>
<td class='confluenceTd'> collectiveAttributeSpecificArea </td>
</tr>
<tr>
<td class='confluenceTd'> 2.5.23.6 </td>
<td class='confluenceTd'> collectiveAttributeInnerArea </td>
</tr>
</tbody></table>
<p>As you can see, 3 aspects, <b>schema</b>, <b>collective attributes</b>, and <b>access control</b> are considered. An autonomous administrative area can hence be considered with respect to all three specific aspect of administration. If an AP is marked as an autonomousArea it generally means that administration of all aspects are allowed by the authority. If marked with a specific aspect then only that aspect of administration is delegated. The administrativeRole operational attribute is multivalued so the uber admin can delegate any number of specific administration aspects as he likes.</p>

<p>Also notice that two aspects, collective attribute and access controls, allow administrative points to be inner areas. Delegated authorities for these two aspects can create inner administrative areas to further delegate their administrative powers. The schema aspect unlike the others cannot have inner areas because of potential conflicts this may cause which would lead to data integrity issues. For this reason only the authority of an automomous area can manage schema for the entire subtree.</p>

<p>An autonomous administrative area (AAA) includes the AP and spans all descendants below the AP down to the leaf entries of the subtree with one exception. If another AAA, let's call it AAA' (prime) is present and rooted below the first AAA then the first AAA does not include the entries of AAA'. Translation: an AAA spans down until other AAAs or leaf entries are encountered within the subtree. This is due to the fact that AAAs do not overlap as do inner AAs (IAA).</p>

<h2><a name="1.3.TheAdministrativeModel-SubentriesunderanIAAoranAAA"></a>Subentries under an IAA or an AAA</h2>

<p>Subentries hold administrative information for an IAA or an AAA. These entries are of the objectClass 'subentry'. The subentry must contain two attributes: a <b>commonName</b> and a <b>subtreeSpecification</b>. The commonName (or cn) is used as the subentry's rdn attribute. The subtreeSpecification describes the collection of entries within the AA (IAA or AAA) that the administrative instruction applies to.</p>

<p>A subtree specification uses various parameters described below to define the set of entries. Note that entries need not exist for them to be included in the collection on addition.</p>

<h3><a name="1.3.TheAdministrativeModel-Baseparameter"></a>Base parameter</h3>

<p>This is the relative name of the root vertex of the subtree relative to the AP. So if the AP is <b>'ou=system'</b> and the base is <b>'ou=users'</b>, the subtree begins at <b>'ou=users,ou=system'</b>. The base can be any length of name components including 0 where it's the empty name "". In this case, the subtree begins at the AP, <b>'ou=system'</b> in the example above.</p>

<h3><a name="1.3.TheAdministrativeModel-Chopparameters"></a>Chop parameters</h3>

<p>Chop specification parameters define specific nodes to be excluded from the collection as well as how deep the subtree spans and even where it starts relative to the base.</p>

<h4><a name="1.3.TheAdministrativeModel-chopBeforeandchopAfter"></a>chopBefore and chopAfter</h4>

<p>These parameters are names relative to the root vertex of the subtree, hence they are relative to the base parameter. They specify whether or not an entry and its descendants are to be excluded from the collection.</p>

<p>When <b>chopBefore</b> is used, the entry specified is excluded from the collection. When <b>chopAfter</b> is used the entry is included however all descendants below the entry are excluded.</p>

<h4><a name="1.3.TheAdministrativeModel-minimumandmaximum"></a>minimum and maximum</h4>

<p>The minimum parameter describes the minimum number of name components (arc) between the base and the target entry required to include entries within the selection. The maximum parameter describes the maximum arc length between the base and the target allowed before entries are excluded from the collection.</p>

<h3><a name="1.3.TheAdministrativeModel-Specificationfilterparameter"></a>Specification filter parameter</h3>

<p>The specification filter is a unique beast. It's a filter like a search filter, however its syntax and expressivity is radically different. Think of a specification filter as a simplified form of search filters where all terms only test the objectClass attribute and only equality checks can be performed. Oh and yes, you do have logical operators like <b>and</b>, <b>or</b> and <b>not</b>.</p>

<p>So with a filter you have the ability to "refine" the subtree already specified with chop, and base parameters. This "refinement" makes it so the collection is not really a contiguous subtree of entries but a possibly disconnected set of selected based on the objectClass characteristics of entries. This feature of a subtreeSpecification is very powerful. For example, I can define a subtree to cover a region of an AA yet include only inetOrgPersons within this region.</p>
<table cellpadding='5' width='85%' cellspacing='8px' class='infoMacro' border="0" align='center'><colgroup><col width='24'><col></colgroup><tr><td valign='top'><img src="/confluence/images/icons/emoticons/information.gif" width="16" height="16" align="absmiddle" alt="" border="0"></td><td><b class="strong">Specification Filter in 1.5+</b><br />
<p>Starting with version 1.5 of ApacheDS, the specificationFilter component can be given as a regular search filter. The refinement syntax is still valid but the regular search filter is a much more powerful scheme. This new capability is beyond the RFC specification. To keep your administrative data compatible with other servers (although non supporting RFC3672 yet) you may want to use the old scheme.</p></td></tr></table>

<h3><a name="1.3.TheAdministrativeModel-SubentrytypesinApacheDS"></a>Subentry types in ApacheDS</h3>

<p>Different subentry objectClasses exist for applying different aspects of administration to the entry collection described by their subtreeSpecification attribute. By the way the subtreeSpecification attribute is single valued so there can only be one in a subentry. However you can have several subentries of various kinds under an AP. Furthermore their collections can intersect.</p>

<p>The kinds of subentries allowed though are limited by the administrativeRole of the AP. If the AP is for an access control AA then you can't add a subentry to it for schema administration. The AP must have the role for schema administration as well to allow both types of subentries.</p>

<p>ApacheDS does not manage schema using subentries in the formal X.500 sense right now. There is a single global subentry defined at <b>'cn=schema'</b> for the entire DSA. The schema is static and cannot be updated at runtime even by the administrator. Pretty rough for now but it's the only lagging subsystem. We'll of course make sure this subsystem catches up.</p>

<p>ApacheDS does however manage collective attributes using subentries. An AP that takes the administrativeRole for managing collective attributes can have subentries added. These subentries are described in greater detail here: <a href="/confluence/display/DIRxSRVx11/3.2.+Collective+Attributes" title="3.2. Collective Attributes">Collective</a>. In short, collective attributes added to subentries show up within entries included by the subtreeSpecification. Adding, removing, and modifying the values of collective attributes within the subentries instantly manifest changes in the entries selected by the subtreeSpecification. Again consult <a href="/confluence/display/DIRxSRVx11/3.2.+Collective+Attributes" title="3.2. Collective Attributes">Collective</a> for a hands on explanation of how to use this feature.</p>

<p>ApacheDS performs access control and allows delegation using subentries, AAAs, and IAAs. ApacheDS uses the Basic Access Control Scheme from X.501 to manage access control. By default this subsystem is deactivated because it locks down everything except access by the admin. More information about hands on use is available here: <a href="/confluence/display/DIRxSRVx11/2.5.+Authorization" title="2.5. Authorization">Authorization</a>. However to summarize its association with subentries, access control information (ACI) can be added to subentries under an AP for access control AAs. When one or more ACI are added in this fashion, the access rules of the ACI set apply to all entries selected by the subtreeSpecification. Even with this powerful feature individual entries can have ACI added to them for controlling access to them. Also there are things you can do with ACI added to subentries that cannot be done with entry level ACI. For example you cannot allow entry addition with entry ACI. You must use subtreeSpecifications to define where entries may be added because those entries and their parents may not exist yet.</p>

<h3><a name="1.3.TheAdministrativeModel-Howtospecifyasubentry%27ssubtreeSpecification"></a>How to specify a subentry's subtreeSpecification</h3>

<p>The best way to demonstrate subtreeSpecification values are through examples. Here's the simplest filter of them all:</p>
<div class="preformatted"><div class="preformattedContent">
<pre>{}
</pre>
</div></div>
<p>This basically selects the entire contiguous subtree below the AP. The base is the empty name and it's rooted at the AP.</p>

<p>Next step let's add a base:</p>
<div class="preformatted"><div class="preformattedContent">
<pre>{ base "ou=users" }
</pre>
</div></div>
<p>If this is the subtreeSpecification under the AP, <b>'ou=system'</b>, then it selects every entry under <b>'ou=users,ou=system'</b>.</p>

<p>OK that was easy so now let's slice and dice the tree now using the minimum and maximum chop parameters.</p>
<div class="preformatted"><div class="preformattedContent">
<pre>{ minimum 3, maximum 5 }
</pre>
</div></div>
<p>This selects all entries below <b>'ou=system'</b> which have a DN size equal to 3 name components, but no more than 5. So for example <b>'uid=jdoe,ou=users,ou=system'</b> would be included but <b>'uid=jack,ou=do,ou=not,ou=select,ou=users,ou=system'</b> would not be included. Let's continue and combine the base with just a minimum parameter:</p>
<div class="preformatted"><div class="preformattedContent">
<pre>{ base "ou=users", minimum 4 }
</pre>
</div></div>
<p>Here the subtree starts at <b>'ou=users,ou=system'</b> if the subentry subordinates to the AP at <b>'ou=system'</b>. The user <b>'uid=jdoe,ou=deepenough,ou=users,ou=system'</b> is selected by the spec where as <b>'uid=jbean,ou=users,ou=system'</b> is not.</p>

<p>It's time to add some chop exclusions:</p>
<div class="preformatted"><div class="preformattedContent">
<pre>{
  base "ou=users",
  minimum 4,
  specificExclusions { chopBefore: "ou=untrusted" }
}
</pre>
</div></div>
<p>Again if placed at the AP <b>'ou=system'</b> this subtree would begin at <b>'ou=users,ou=system'</b>. It would not include users that subordinate to it though because of the minimum constraint since these users would have 3 components in their DN. The specific exclusions prevent <b>'ou=untrusted,ou=users,ou=system'</b> and all its descendants from being included in the collection. However <b>'uid=jbean,ou=trusted,ou=users,ou=system'</b> would be included since it meets the minimum requirement, is a descendant of <b>'ou=users,ou=system'</b> and is not under the excluded DN, <b>'ou=untrusted,ou=users,ou=system'</b>.</p>

<p>Note that you can add as many exclusions as you like by comma delimiting them. For example:</p>
<div class="preformatted"><div class="preformattedContent">
<pre>{
  base "ou=users",
  minimum 4,
  specificExclusions { chopBefore: "ou=untrusted", chopAfter: "ou=ugly", chopBefore: "ou=bad" }
}
</pre>
</div></div>
<p>The final example includes a refinement. Again any combination of chop, filter and base parameters can be used. The following refinement makes sure the users selected are of the objectClass inetOrgPerson and specialUser where the OID for the specialUser class is 32.5.2.1 (fictitious).</p>
<div class="preformatted"><div class="preformattedContent">
<pre>{
  base "ou=users",
  minimum 4,
  specificExclusions { chopBefore: "ou=untrusted", chopAfter: "ou=ugly", chopBefore: "ou=bad" }
  specificationFilter and:{ item:32.5.2.1, item:inetOrgPerson }
}
</pre>
</div></div>
<p>If you'd like to see the whole specification of the grammar used for the subtreeSpecification take a look at Appendix A in <span class="nobr"><a href="http://www.faqs.org/rfcs/rfc3672.html" title="Visit page outside Confluence" rel="nofollow">RFC 3672<sup><img class="rendericon" src="/confluence/images/icons/linkext7.gif" height="7" width="7" align="absmiddle" alt="" border="0"/></sup></a></span>.</p>

<h2><a name="1.3.TheAdministrativeModel-FuturePossibilities"></a>Future Possibilities</h2>

<p>In the immediate future we intend to introduce <a href="/confluence/display/DIRxSRVx11/8.2.+LDAP+Triggers" title="8.2. LDAP Triggers">Triggers</a>, stored procedures and views into ApacheDS. Subentries will play a critical role in the administration and application of these features. For example a Trigger specification need not include information on what entries it applies to since the subtreeSpecification handles this. The question of "on what" a trigger applies to is nicely disassociated from the "which operation" part of the specification. This makes for much better reuse of triggers. It also allows for the pin point application of triggers to entries in the DIT. Likewise a view itself will be defined by a specification. A view for example in a subentry can define a region of the tree that does not exist but is shadowed from another region all together. The possibilities here are limitless.</p>

<p>Of course we will revamp the schema subsystem of ApacheDS to use subentries in AAA to manage the schema in effect within different regions of the DIT. Today most LDAP servers just have a global scheme in effect for the entire DIT served by a DSA. We don't think that is reasonable at all. So expect some serious advances in the design of a new schema subsystem based on subentries.</p>

<p>Replication is yet another excellent candidate for using subentries. Replication of specific collections of entries can be managed for each cluster rather than replicating the entire DIT served by a DSA to replicas. This way we don't only control what is replicated but we can also control how and where it is replicated.</p>

<h2><a name="1.3.TheAdministrativeModel-Conclusions"></a>Conclusions</h2>

<p>ApacheDS has implemented subentries for the administration of various aspects of the directory and gains several powerful features as a result: namely precision application of control to entry collections and the ability to delegate administrative authority. For details on the administration of each aspect using subentries (<span class="nobr"><a href="/confluence/pages/createpage.action?spaceKey=DIRxSRVx11&amp;title=Collective&amp;linkCreation=true&amp;fromPageId=55219" title="Create Page: Collective" class="createlink">Collective<sup><img class="rendericon" src="/confluence/images/icons/plus.gif" height="7" width="7" align="absmiddle" alt="" border="0"/></sup></a></span> and <a href="/confluence/display/DIRxSRVx11/2.5.+Authorization" title="2.5. Authorization">2.5. Authorization</a>) please see the respective documentation.</p>

<p>As ApacheDS progresses it will gain an immense advantage from subentries. Both for existing LDAP features like scheme and for new experimental features like triggers, and replication.</p></div>


</td></tr></table></div>
<p>
<table border="0" cellpadding="0" cellspacing="0" width="100%">
    <tr>
        <td height="12" background="http://cwiki.apache.org/confluence/images/border/border_bottom.gif"><img src="http://cwiki.apache.org/confluence/images/border/spacer.gif" width="1" height="1" border="0"/></td>
    </tr>
</table>

<div class="smalltext">
    Powered by
    <a href="http://www.atlassian.com/software/confluence/default.jsp?clicked=footer" class="smalltext">Atlassian Confluence</a>
    (Version: 2.2.9 Build:#527 Sep 07, 2006)
    -
    <a href="http://jira.atlassian.com/secure/BrowseProject.jspa?id=10470" class="smalltext">Bug/feature request</a><br/>
    <br>
    <a href="http://cwiki.apache.org/confluence/users/viewnotifications.action">Unsubscribe or edit your notifications preferences</a>

</div>

</body>
</html>


Mime
View raw message