search trouble: To which roles does this entry belong?

  • search trouble: To which roles does this entry belong?


    I would like to write a function such as "isUserInRole(roleName)". So my question is: "How can I find the roles (cn attribute) to which an entry belongs?"

    I tried to read the nsroledn attribute of my entry (a user) but the contextMapper of the method didn't return this attribute...

    Can someone help me please?

  • #2
    I've never done this myself (seems to be an iPlanet proprietary thingy), but it seems that the nsroledn attribute is aliased (indicated on this page), so that all roles of the Person entry are accessible through the 'nsrole' attribute.

    So try accessing the 'nsrole' attribute instead.


    • #3
      Yes, you're right, I'm using managed roles from the iPlanet LDAP as described in the section Deciding Between Groups and Roles:
      If your client needs to find all the membership information about a particular entry, use roles. The server performs all computations, and the client only needs to read the values of the nsRole attribute. In addition, all types of roles appear in this attribute, allowing the client to process all roles uniformly.
      Of course I tried to read the nsRole attribute but it also wasn't specified in the contextMapper.

      One other thing which disturbs me: the attributeMapper is not returning all the attributes of my iPlanet entries (not only the nsRole which I'm looking for). I tried to display all attributes the ldapTemplate found. Here is the mapFromAttributes method of the AttributesMapper parameter of the method:
      public Object mapFromAttributes(Attributes attrs) throws NamingException {
         // Walk every attribute returned for the entry and display it
         NamingEnumeration ne = attrs.getAll();
         while (ne.hasMore()) {
            Attribute a = (Attribute) ne.next();
            System.out.println(a);
         }
         return "";
      }
      and the results for a regular iPlanet user entry (objectclass= top, person, organizationPerson, inetorgperson) were:
      But at least several other attributes are provided in my iPlanet LDAP directory, such as createtimestamp, entrydn, entryid, givenname, nsrole, etc.

      I'm not an LDAP expert but I'm asking myself: is ldapTemplate reading only "normalised" attributes (common to all LDAP servers) or not? If yes, is it possible to read them anyway?


      • #4
        It's quite possible that some of the attributes aren't returned by default, even though they are physically there. Operational attributes, such as CreateTimestamp, aren't returned by default; you'll need to explicitly ask for them. For that purpose you can use one of the search methods that takes the attribute names to return as an argument, e.g.
        search(Name base, java.lang.String filter, int searchScope, String[] attrs, AttributesMapper mapper)

        Note that when using this method no attributes other than the ones you ask for are returned, i.e. you'll need to ask for all the attributes that you're interested in.
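
Added example, not part of the original thread and not Spring LDAP's own code: one way to write the isUserInRole check from the first post with the search overload named in #4, requesting nsrole explicitly. It assumes Spring LDAP 2.x package names, that users are located by a uid attribute under a caller-supplied base, and that roles are compared by DN; the RoleChecker class and its member names are hypothetical.

```java
import java.util.ArrayList;
import java.util.List;
import javax.naming.InvalidNameException;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.directory.SearchControls;
import javax.naming.ldap.LdapName;
import org.springframework.ldap.core.AttributesMapper;
import org.springframework.ldap.core.LdapTemplate;
import org.springframework.ldap.filter.EqualsFilter;

/** Hypothetical helper: authorization check based on the server-computed nsrole attribute. */
public class RoleChecker {
    private final LdapTemplate ldapTemplate;
    private final String userBase; // search base for user entries (assumed, e.g. "ou=people")

    public RoleChecker(LdapTemplate ldapTemplate, String userBase) {
        this.ldapTemplate = ldapTemplate;
        this.userBase = userBase;
    }

    /** True only if exactly one entry matches the uid and its nsrole values contain roleDn. */
    public boolean isUserInRole(String uid, String roleDn) throws InvalidNameException {
        LdapName wanted = new LdapName(roleDn);
        // EqualsFilter escapes the value, so characters such as '*' or ')' in uid stay literal.
        String filter = new EqualsFilter("uid", uid).encode();
        // nsrole is not returned by default; it must be named in the attrs array.
        List<List<LdapName>> hits = ldapTemplate.search(userBase, filter,
                SearchControls.SUBTREE_SCOPE, new String[] {"nsrole"},
                (AttributesMapper<List<LdapName>>) RoleChecker::roleDns);
        // Fail closed: no match, or an ambiguous match, grants nothing.
        return hits.size() == 1 && hits.get(0).contains(wanted);
    }

    /** Collects every nsrole value as a parsed DN; empty list if the attribute is absent. */
    static List<LdapName> roleDns(Attributes attrs) throws NamingException {
        List<LdapName> roles = new ArrayList<>();
        Attribute nsrole = attrs.get("nsrole");
        if (nsrole == null) {
            return roles;
        }
        NamingEnumeration<?> values = nsrole.getAll();
        while (values.hasMore()) {
            // LdapName.equals ignores case and spacing differences between DN spellings.
            roles.add(new LdapName((String) values.next()));
        }
        return roles;
    }
}
```

Because only the requested attributes come back, add any other attribute the caller needs to the same array.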


        • #5
          Thank you for your answer. I missed this method in the API. Can you explain the searchScope attribute to me? I tried with 1 and it works, but I would like to know what it is for.



          • #6
            OK, I found it. It's explained here for the searchScope parameter: