The DN Join Virtual Attribute provides a join virtual attribute provider implementation in which related entries will be identified by DN in the value of a specified attribute in the source entry.
For example, if a value of "manager" is provided for the join-dn-attribute property, then values of the virtual attribute will be JSON objects that provide information about any entries whose DNs are listed in the "manager" attribute of the entry that contains the virtual attribute.
The DN Join Virtual Attribute component inherits from the Join Virtual Attribute
The properties supported by this managed object are as follows:
Description | A description for this Virtual Attribute |
Default Value | None |
Allowed Values | A string |
Multi-Valued | No |
Required | No |
Admin Action Required | None. Modification requires no further action |
Description | Indicates whether the Virtual Attribute is enabled for use. |
Default Value | None |
Allowed Values | true false |
Multi-Valued | No |
Required | Yes |
Admin Action Required | None. Modification requires no further action |
Description | Specifies the attribute type for the attribute whose values are to be dynamically assigned by the virtual attribute. |
Default Value | None |
Allowed Values | The name or OID of an attribute type defined in the server schema. |
Multi-Valued | No |
Required | Yes |
Admin Action Required | None. Modification requires no further action |
Description | Specifies the base DNs for the branches containing entries that are eligible to use this virtual attribute. If no values are given, then the server generates virtual attributes anywhere in the server. |
Default Value | The location of the entry in the server is not taken into account when determining whether an entry is eligible to use this virtual attribute. |
Allowed Values | A valid DN. |
Multi-Valued | Yes |
Required | No |
Admin Action Required | None. Modification requires no further action |
Description | Specifies the DNs of the groups whose members can be eligible to use this virtual attribute. If no values are given, then group membership is not taken into account when generating the virtual attribute. If one or more group DNs are specified, then only members of those groups are allowed to have the virtual attribute. |
Default Value | Group membership is not taken into account when determining whether an entry is eligible to use this virtual attribute. |
Allowed Values | A valid DN. |
Multi-Valued | Yes |
Required | No |
Admin Action Required | None. Modification requires no further action |
Description | Specifies the search filters to be applied against entries to determine if the virtual attribute is to be generated for those entries. If no values are given, then any entry is eligible to have the value generated. If one or more filters are specified, then only entries that match at least one of those filters are allowed to have the virtual attribute. |
Default Value | None |
Allowed Values | Any valid search filter string. |
Multi-Valued | Yes |
Required | No |
Admin Action Required | None. Modification requires no further action |
Description | Specifies a set of client connection policies for which this Virtual Attribute should be generated. If this is undefined, then this Virtual Attribute will always be generated. If it is associated with one or more client connection policies, then this Virtual Attribute will be generated only for operations requested by clients assigned to one of those client connection policies. |
Default Value | None |
Allowed Values | The DN of any Client Connection Policy. |
Multi-Valued | Yes |
Required | No |
Admin Action Required | None. Modification requires no further action |
Description | Specifies the behavior that the server is to exhibit for entries that already contain one or more real values for the associated attribute. |
Default Value | real-overrides-virtual |
Allowed Values | real-overrides-virtual - Indicates that any real values contained in the entry are preserved and used, and virtual values are not generated. virtual-overrides-real - Indicates that the virtual attribute provider suppresses any real values contained in the entry and generates virtual values and uses them. merge-real-and-virtual - Indicates that the virtual attribute provider is to preserve any real values contained in the entry and merge them with the set of generated virtual values so that both the real and virtual values are used. |
Multi-Valued | No |
Required | No |
Admin Action Required | None. Modification requires no further action |
Description | Specifies how server should determine the base DN for the internal searches used to identify joined entries. |
Default Value | None |
Allowed Values | use-search-base-dn - Indicates that the base DN for the associated search request should also be used as the base DN for the searches to identify joined entries. use-source-entry-dn - Indicates that the DN of the entry in which the virtual attribute appears should be used as the base DN for the searches to identify joined entries. use-custom-base-dn - Indicates that the server should use the value of the join-custom-base-dn property as the fixed base DN for the searches to identify joined entries. |
Multi-Valued | No |
Required | Yes |
Admin Action Required | None. Modification requires no further action |
Description | The fixed, administrator-specified base DN for the internal searches used to identify joined entries. This will only be used if the join-base-dn-type property has a value of use-custom-base-dn. If no value is specified, then the empty base DN will be used, indicating that the search should be processed beneath all public naming contexts. |
Default Value | None |
Allowed Values | A valid DN. |
Multi-Valued | No |
Required | No |
Admin Action Required | None. Modification requires no further action |
Description | The scope for searches used to identify joined entries. |
Default Value | whole-subtree |
Allowed Values | base-object - Only examine the entry identified by the join base DN. single-level - Only examine entries that are immediate children of the entry identified by the join base DN. This does not include the join base entry itself, nor does it include entries below the immediate children of the join base entry. whole-subtree - Examine the entry identified by the join base DN and all of its subordinates, to any depth. subordinate-subtree - Examine all subordinates of the entry identified by the join base DN, to any depth, but exclude the join base entry itself. |
Multi-Valued | No |
Required | No |
Admin Action Required | None. Modification requires no further action |
Description | The maximum number of entries that may be joined with the source entry, which also corresponds to the maximum number of values that the virtual attribute provider will generate for an entry. If searches to identify entries that should be joined with a search result entry would match more entries than the join-size-limit value, then the virtual attribute will not be generated for that entry. |
Default Value | 100 |
Allowed Values | An integer value. Lower limit is 1. Upper limit is 1000 . |
Multi-Valued | No |
Required | No |
Admin Action Required | None. Modification requires no further action |
Description | An optional filter that specifies additional criteria for identifying joined entries. If a join-filter value is specified, then only entries matching that filter (in addition to satisfying the other join criteria) will be joined with the search result entry. |
Default Value | None |
Allowed Values | A valid LDAP search filter |
Multi-Valued | No |
Required | No |
Admin Action Required | None. Modification requires no further action |
Description | An optional set of the names of the attributes to include with joined entries. This may include any special tokens that are supported for use in the set of requested attributes for a search operation, including "*" to indicate all user attributes, "+" to indicate all operational attributes, and "@objectClassName" to indicate that all attributes associated with the specified object class should be included. If no join-attributes values are specified, the default behavior will be to include all user attributes from joined entries. |
Default Value | None |
Allowed Values | A string |
Multi-Valued | Yes |
Required | No |
Admin Action Required | None. Modification requires no further action |
Description | The attribute whose values are the DNs of the entries to be joined with the search result entry. This attribute type must be defined in the server schema, and it must have either a DN syntax or a name and optional UID syntax. |
Default Value | None |
Allowed Values | The name or OID of an attribute type defined in the server schema. |
Multi-Valued | No |
Required | Yes |
Admin Action Required | None. Modification requires no further action |
require-explicit-request-by-name (Advanced Property)
Description | Indicates whether attributes of this type must be explicitly included by name in the list of requested attributes. Note that this will only apply to virtual attributes which are associated with an attribute type that is operational. It will be ignored for virtual attributes associated with a non-operational attribute type. If this is true and the associated attribute type is operational, then virtual attributes of this type will only be returned in a search result entry if the attribute type was specifically included in the list of requested attributes but will not be returned if the client only requested "+" (to indicate all operational attributes) but did not explicitly mention this attribute. This should generally only be set to "true" for virtual attributes which may be expensive to construct and for which it is known that the attribute will always be explicitly requested by the client when it is needed. |
Default Value | false |
Allowed Values | true false |
Multi-Valued | No |
Required | No |
Admin Action Required | None. Modification requires no further action |
multiple-virtual-attribute-evaluation-order-index (Advanced Property)
Description | Specifies the order in which virtual attribute definitions for the same attribute type will be evaluated when generating values for an entry. Evaluation will occur in ascending order, so a virtual attribute definition with an evaluation order index of one will be evaluated before a definition with an evaluation order index of two. Virtual attribute definitions with no evaluation order index will be evaluated after those which do have a defined order. It is not necessary for evaluation order index values to be in consecutive order, and there may be gaps between values. It is also acceptable for multiple virtual attribute definitions for the same attribute to have the same evaluation order index value. In that case, definitions with the same evaluation order index for the same attribute type will be evaluated in case-insensitive lexicographic order based on the name of the config definition. For virtual attribute definitions pertaining to single-valued attributes, only the first applicable virtual attribute definition will be applied to the entry. For multi-valued attributes, it is possible for multiple virtual attribute definitions to be merged or to only use the first definition encountered, based on the value of the multiple-virtual-attribute-merge-behavior configuration property. |
Default Value | None |
Allowed Values | An integer value. Lower limit is 1. Upper limit is 2147483647 . |
Multi-Valued | No |
Required | No |
Admin Action Required | None. Modification requires no further action |
multiple-virtual-attribute-merge-behavior (Advanced Property)
Description | Specifies the behavior that will be exhibited for cases in which multiple virtual attribute definitions apply to the same multivalued attribute type. This will be ignored for single-valued attribute types. Although it is possible that multiple virtual attribute definitions exist for the same attribute type with different multiple-virtual-attribute-merge-behavior values, only the merge behavior specified in the first definition evaluated for an attribute type will be used for all subsequent definitions for that attribute. Similarly, the conflict behavior specified for the first definition evaluated for an attribute type will be used for all subsequent definitions for that attribute. |
Default Value | use-all-definitions |
Allowed Values | use-first-definition - Only the first applicable virtual attribute definition should be applied to the entry, even if there are other definitions with the same evaluation order index. See the documentation for the multiple-virtual-attribute-evaluation-order-index property for more information on the order in which virtual attribute definitions are evaluated. use-only-definitions-with-the-lowest-evaluation-order-index - Only virtual attribute definitions with the same evaluation order index as the first applicable definition evaluated should be applied to the entry. Multiple definitions with the same evaluation order index may be applied to the entry, but only if that evaluation order index is the lowest of all applicable virtual attribute definitions for that attribute type. use-all-definitions - All applicable virtual attribute definitions should be applied to the entry, regardless of the evaluation order index values for those definitions. |
Multi-Valued | No |
Required | No |
Admin Action Required | None. Modification requires no further action |
allow-index-conflicts (Advanced Property)
Description | Indicates whether the server should allow creating or altering this virtual attribute definition even if it conflicts with one or more indexes defined in the server. In general, virtual attributes should not be used to generate values for indexed attributes. Any search targeting an indexed attribute will only return entries with real values matching the filter and will not return entries with matching virtual values. It is recommended that you only permit the use of virtual attributes for indexed attribute types if you are certain that the conflict will not be significant (e.g., if you are certain that indexed searches will only target real values, or if you are certain that virtual values will only be generated for non-indexed backends). |
Default Value | false |
Allowed Values | true false |
Multi-Valued | No |
Required | No |
Admin Action Required | None. Modification requires no further action |
To list the configured Virtual Attributes:
dsconfig list-virtual-attributes [--property {propertyName}] ...
To view the configuration for an existing Virtual Attribute:
dsconfig get-virtual-attribute-prop --name {name} [--tab-delimited] [--script-friendly] [--property {propertyName}] ...
To update the configuration for an existing Virtual Attribute:
dsconfig set-virtual-attribute-prop --name {name} (--set|--add|--remove) {propertyName}:{propertyValue} [(--set|--add|--remove) {propertyName}:{propertyValue}] ...
To create a new DN Join Virtual Attribute:
dsconfig create-virtual-attribute --name {name} --type dn --set enabled:{propertyValue} --set attribute-type:{propertyValue} --set join-base-dn-type:{propertyValue} --set join-dn-attribute:{propertyValue} [--set {propertyName}:{propertyValue}] ...
To delete an existing Virtual Attribute:
dsconfig delete-virtual-attribute --name {name}