5.4. About Managed Entries
Some clients and integration with Red Hat Directory Server require dual entries. For example, Posix systems typically have a group for each user. The Directory Server's Managed Entries Plug-in creates a new managed entry, with accurate and specific values for attributes, automatically whenever an appropriate origin entry is created.
The basic idea is that there are situations when Entry A is created and there should automatically be an Entry B with related attribute values. For example, when a Posix user (
posixAccount entry) is created, a corresponding group entry (posixGroup entry) should also be created. An instance of the Managed Entries Plug-in identifies what entry (the origin entry) triggers the plug-in to automatically generate a new entry (the managed entry). It also identifies a separate template entry which defines the managed entry configuration.
The instance of the Managed Entries Plug-in defines three things:
- The search criteria to identify the origin entries (using a search scope and a search filter)
- The subtree under which to create the managed entries (the new entry location)
- The template entry to use for the managed entries
Figure 5.4. Defining Managed Entries
For example:
dn: cn=Posix User-Group,cn=Managed Entries,cn=plugins,cn=config objectclass: extensibleObject cn: Posix User-Group originScope: ou=people,dc=example,dc=com originFilter: objectclass=posixAccount managedBase: ou=groups,dc=example,dc=com managedTemplate: cn=Posix User-Group Template,ou=Templates,dc=example,dc=com
The origin entry does not have to have any special configuration or settings to create a managed entry; it simply has to be created within the scope of the plug-in and match the given search filter.
5.4.1. Defining the Template for Managed Entries
The template entry lays out the entire configuration of the managed entry, using static attributes (ones with pre-defined values) and mapped attributes (mapped attributes that pull their values from the origin entry).
dn: cn=Posix User-Group Template,ou=Templates,dc=example,dc=com objectclass: mepTemplateEntry cn: Posix User-Group Template mepRDNAttr: cn mepStaticAttr: objectclass: posixGroup mepMappedAttr: cn: $uid Group mepMappedAttr: gidNumber: $gidNumber mepMappedAttr: memberUid: $uid
The mapped attributes in the template use tokens, prepended by a dollar sign ($), to pull in values from the origin entry and use it in the managed entry.
Figure 5.5. Managed Entries, Templates, and Origin Entries
Note
Make sure that the values given for static and mapped attributes comply with the required attribute syntax.
5.4.2. Entry Attributes Written by the Managed Entries Plug-in
Both the origin entry and the managed entry have special managed entries attributes which indicate that they are being managed by an instance of the Managed Entries Plug-in. For the origin entry, the plug-in adds links to associated managed entries.
dn: uid=jsmith,ou=people,dc=example,dc=com objectclass: mepOriginEntry objectclass: posixAccount ... sn: Smith mail: jsmith@example.com mepManagedEntry: cn=jsmith Posix Group,ou=groups,dc=example,dc=com
On the managed entry, the plug-in adds attributes that point back to the origin entry, in addition to the attributes defined in the template.
dn: cn=jsmith Posix Group,ou=groups,dc=example,dc=com objectclass: mepManagedEntry objectclass: posixGroup ... mepManagedBy: uid=jsmith,ou=people,dc=example,dc=com
Using special attributes to indicate managed and origin entries makes it easy to identify the related entries and to assess the changes made by the Managed Entries Plug-in.
5.4.3. Managed Entries Plug-in and Directory Server Operations
The Managed Entries Plug-in has some impact on how the Directory Server carries out common operations, like add and delete operations:
- Add. With every add operation, the server checks to see if the new entry is within the scope of any Managed Entries Plug-in instance. If it meets the criteria for an origin entry, then a managed entry is created and managed entry-related attributes are added to both the origin and managed entry.
- Modify. If an origin entry is modified, it triggers the plug-in to update the managed entry.Changing a template entry, however, does not update the managed entry automatically. Any changes to the template entry are not reflected in the managed entry until after the next time the origin entry is modified.The mapped managed attributes within a managed entry cannot be modified manually, only by the Managed Entry Plug-in. Other attributes in the managed entry (including static attributes added by the Managed Entry Plug-in) can be modified manually.
- Delete. If an origin entry is deleted, then the Managed Entries Plug-in will also delete any managed entry associated with that entry.There are some limits on what entries can be deleted.
- A template entry cannot be deleted if it is currently referenced by a plug-in instance definition.
- A managed entry cannot be deleted except by the Managed Entries Plug-in.
- Rename. If an origin entry is renamed, then plug-in updates the corresponding managed entry. If the entry is moved out of the plug-in scope, then the managed entry is deleted, while if an entry is moved into the plug-in scope, it is treated like an add operation and a new managed entry is created.As with delete operations, there are limits on what entries can be renamed or moved.
- A configuration definition entry cannot be moved out of the Managed Entries Plug-in container entry. If the entry is removed, that plug-in instance is inactivated.
- If an entry is moved into the Managed Entries Plug-in container entry, then it is validated and treated as an active configuration definition.
- A template entry cannot be renamed or moved if it is currently referenced by a plug-in instance definition.
- A managed entry cannot be renamed or moved except by the Managed Entries Plug-in.
- Replication. The Managed Entries Plug-in operations are not initiated by replication updates. If an add or modify operation for an entry in the plug-in scope is replicated to another replica, that operation does not trigger the Managed Entries Plug-in instance on the replica to create or update an entry. The only way for updates for managed entries to be replicated is to replicate the final managed entry over to the replica.
