Novell Directory Services Q & A
Articles and Tips: article
01 Aug 1996
Q How do I set up users so they can only change passwords, without giving them full administrative authority?
A In the June issue of Developer Pointers it was stated that this feature was not currently available. However, it is possible if you develop a client/server application as follows.
Write an NLM that, on loading, authenticates as an Admin equivalent using a password entered at the system console. The NLM then waits for special NCP extension requests from a client program.
The client program is used by the pseudo administrator. On execution, the program asks the administrator to authenticate using their normal password; the password is verified using NWDSVerifyObjectPassword. The program then asks for the user name and the new password for the user. A request containing the user name only is sent to the NLM.
The NLM, upon receiving the request, verifies that the source connection is being used by a pseudo administrator and that the user object may be administered by that administrator. The NLM can then use NWDSChangeObjectPassword to reset the password.
Finally, upon receipt of a successful NCP reply, the client program changes the password using the same API that the NLM used. The reason the client should do this itself, rather than sending the new password to the NLM, is to avoid sending unencrypted passwords across the network.
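The check the NLM performs before it touches the password API is what stops the service from becoming a privilege-escalation path: the NLM holds Admin-equivalent rights, so it must decide from the identity of the authenticated source connection, not from anything in the request body, whether the named user is inside that pseudo administrator's scope. The following C program is an added illustration of that decision and is not code from the article or from the Novell SDK. The scope table, the list of objects that must never be reset through the service, and all names are constructed assumptions, and NDS name handling is simplified (escaped dots inside an RDN are not handled).

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Constructed scope table (assumption, not from the article): each pseudo
 * administrator DN and the one NDS container whose users it may reset. */
struct scope_entry {
    const char *admin_dn;      /* DN the source connection authenticated as */
    const char *container_dn;  /* subtree the pseudo administrator covers   */
};

static const struct scope_entry policy[] = {
    { "CN=helpdesk1.OU=IT.O=Acme", "OU=Sales.O=Acme" },
    { "CN=helpdesk2.OU=IT.O=Acme", "O=Acme" },
};

/* Objects that must never be reset through this service, whatever the scope
 * table says: the NLM itself holds Admin-equivalent rights, so letting a
 * pseudo administrator reset these would hand over the tree. Constructed. */
static const char *protected_dns[] = {
    "CN=Admin.O=Acme",
    "CN=helpdesk1.OU=IT.O=Acme",
    "CN=helpdesk2.OU=IT.O=Acme",
};

/* NDS names are case-insensitive. */
static int dn_equal(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == '\0' && *b == '\0';
}

/* Parent container of a dotted NDS name: the text after the first '.'.
 * Returns NULL at the root. Escaped dots inside an RDN are not handled. */
const char *nds_container(const char *dn)
{
    const char *dot = strchr(dn, '.');
    return (dot != NULL && dot[1] != '\0') ? dot + 1 : NULL;
}

/* 1 if dn lies directly in, or anywhere below, container. */
int nds_within(const char *dn, const char *container)
{
    const char *c;
    for (c = nds_container(dn); c != NULL; c = nds_container(c))
        if (dn_equal(c, container))
            return 1;
    return 0;
}

/* The decision the NLM makes before calling the password API.
 * requester_dn comes from the authenticated source connection, never from
 * the request body; target_dn is the user named in the request.
 * Returns 1 to permit the reset, 0 to refuse. */
int reset_allowed(const char *requester_dn, const char *target_dn)
{
    size_t i;

    for (i = 0; i < sizeof protected_dns / sizeof protected_dns[0]; i++)
        if (dn_equal(target_dn, protected_dns[i]))
            return 0;                       /* never, regardless of scope */

    for (i = 0; i < sizeof policy / sizeof policy[0]; i++)
        if (dn_equal(requester_dn, policy[i].admin_dn))
            return nds_within(target_dn, policy[i].container_dn);

    return 0;                               /* not a pseudo administrator */
}

int main(void)
{
    /* Constructed requests: (requester, target) pairs. */
    static const char *req[][2] = {
        { "CN=helpdesk1.OU=IT.O=Acme", "CN=jsmith.OU=Sales.O=Acme" },
        { "CN=helpdesk1.OU=IT.O=Acme", "CN=rjones.OU=Eng.O=Acme"   },
        { "CN=helpdesk2.OU=IT.O=Acme", "CN=Admin.O=Acme"           },
        { "CN=jsmith.OU=Sales.O=Acme", "CN=rjones.OU=Eng.O=Acme"   },
    };
    size_t i;
    for (i = 0; i < sizeof req / sizeof req[0]; i++)
        printf("%-28s -> %-28s %s\n", req[i][0], req[i][1],
               reset_allowed(req[i][0], req[i][1]) ? "permit" : "refuse");
    return 0;
}
```

Two design points carry over to a real NLM: the requester identity must be taken from the connection the NLM already authenticated, since a DN inside the request can be forged by any client that can speak the NCP extension, and the service's own account and the real Admin must be excluded explicitly, because a scope of O=Acme would otherwise include them.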
Q How many menu items should an NWAdmin extension add to the Tools menu?
A As few as possible. Remember that your extension will not be the only product adding items to NWAdmin. By installing a popup menu, you can reduce the number of items you need directly under the Tools menu to a single line.
To install a popup menu use the constant MF_POPUP rather than MF_STRING when calling NWARegisterMenu. For example:
    NWARegisterMenu( NWA_VIEW_CONSOLE, 0, NULL, MF_POPUP, &popupMenuID, &popupMenuName, popupMenuHint, NULL, popupValidProc, version );
Note that a popup menu does not require an action callback since this will be handled by Windows. With the popup menu defined, it is now possible to add items to that popup menu.
    NWARegisterMenu( NWA_VIEW_CONSOLE, popupMenuID, popupMenuName, MF_STRING, &childMenuID, &childMenuName, childMenuHint, childActionProc, childValueProc, version );
The child menu item is linked to the popup menu item by passing the popup menu's handle and name as the parent menu. These two parameters are set to 0 and NULL when adding an item directly to the Tools menu.
Q Should I be worried about the amount of disk space the NDS uses?
A Normally, no; however, certain schema extensions might use considerable disk space.
The NDS files are stored in a hidden directory on the SYS volume. This normally consists of two files to record replica and object information and two files for object values. In addition to these files are license files and files associated with SYN_STREAM values. Login scripts are the most common example of stream values: every login script associated with a user, container or profile is stored as a separate file in the NDS directory.
Under normal circumstances the total size of the NDS directory will only reach a few tens of megabytes. Certain schema extensions, though, can easily double or triple this value if they use the NDS to record large data files such as graphic images. These images are recorded as stream values in the NDS directory, and hence do not appear in a directory listing. Naturally, administrators have to be aware that the NDS cannot magically record information without using disk space.
Q Are stream values automatically removed from the NDS when the object is deleted?
A Yes. There is also an option in DSRepair to check all stream values and remove unwanted ones.
Q Are schema extensions reversible?
A Not all schema extensions are reversible. Once an attribute has been added to a class, it is not possible to remove the attribute definition while the class definition exists. Hence, if an attribute is added to a standard class, such as User, the attribute cannot be removed, since standard classes are non-removable.
The moral of this story is not to experiment with schema extensions on a corporate tree.
Q So should developers add new attributes to standard classes, such as User, or should they derive a new class based on a standard class?
A Adding new attributes to standard classes is perfectly acceptable as long as it is understood that the action is non-reversible.
Deriving a new class based on a standard class will not achieve the same result as appending to a standard class, since applications may not recognise the new class as being derived from the base class. For example, suppose Acme Corp extended the schema by creating an attribute called Acme Server. The new attribute could either be added to the User class, or a new class called Acme User could be derived from User with the Acme Server attribute. The former extension is non-reversible, the latter extension is reversible. Unfortunately, applications will not recognise Acme User objects as User objects, and hence will not let Acme User objects be treated as such.
Q In the above example, would NWAdmin allow you to administer Acme User objects as standard User objects?
A No. NWAdmin works on the principal class name obtained by NWDSList. In this case Acme Corp should release an NWAdmin Snapin module so that NWAdmin can be used to administer this class.
Q In the above example, is it possible to search for User objects and still detect Acme User objects?
A Yes. The Class Name attribute is multi-valued and contains all the class type names an object has, including the base class Top. Hence an application can create a search filter on that attribute to find all objects of a specific class, derived classes included.
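The difference between the two answers above is the difference between matching the single class name NWDSList reports and matching any value of the multi-valued Class Name attribute. The following C program is an added illustration of that difference and is not code from the article or from the Novell SDK: the schema fragment is a constructed simplification (a super-class chain of Top, Person, Organizational Person and User, plus the article's hypothetical Acme User), the tree contents are constructed, and the NDS APIs are not called. class_name_values stands in for reading the Class Name attribute, and count_by_base_class for a comparison against the one name NWDSList returns.

```c
#include <stdio.h>
#include <string.h>

/* Constructed, simplified fragment of the NDS schema (assumption): each
 * class and its super class. "Acme User" is the article's hypothetical
 * class derived from User. Comparisons are exact for brevity; real NDS
 * names are case-insensitive. */
struct class_def { const char *name; const char *super; };

static const struct class_def schema[] = {
    { "Top",                   NULL },
    { "Organizational Unit",   "Top" },
    { "Person",                "Top" },
    { "Organizational Person", "Person" },
    { "User",                  "Organizational Person" },
    { "Acme User",             "User" },
};

/* Constructed tree contents: DN and the base class NWDSList would report. */
struct ds_object { const char *dn; const char *base_class; };

static const struct ds_object tree[] = {
    { "OU=Sales.O=Acme",           "Organizational Unit" },
    { "CN=jsmith.OU=Sales.O=Acme", "User" },
    { "CN=abrown.OU=Sales.O=Acme", "Acme User" },
};

static const struct class_def *find_class(const char *name)
{
    size_t i;
    for (i = 0; i < sizeof schema / sizeof schema[0]; i++)
        if (strcmp(schema[i].name, name) == 0)
            return &schema[i];
    return NULL;
}

/* The values of the multi-valued Class Name attribute for an object whose
 * base class is `base`: the class itself and every super class up to Top.
 * Returns the number of values written, 0 for an unknown class. */
int class_name_values(const char *base, const char *out[], int max)
{
    int n = 0;
    const struct class_def *c = find_class(base);
    while (c != NULL && n < max) {
        out[n++] = c->name;
        c = (c->super != NULL) ? find_class(c->super) : NULL;
    }
    return n;
}

/* A filter on the Class Name attribute matches if any value equals `wanted`. */
int class_name_matches(const char *base, const char *wanted)
{
    const char *values[16];
    int n = class_name_values(base, values, 16), i;
    for (i = 0; i < n; i++)
        if (strcmp(values[i], wanted) == 0)
            return 1;
    return 0;
}

/* What NWAdmin effectively does: compare the single base class name. */
int count_by_base_class(const char *wanted)
{
    int count = 0;
    size_t i;
    for (i = 0; i < sizeof tree / sizeof tree[0]; i++)
        if (strcmp(tree[i].base_class, wanted) == 0)
            count++;
    return count;
}

/* What a Class Name search filter does: match on any inherited class too. */
int count_by_class_name(const char *wanted)
{
    int count = 0;
    size_t i;
    for (i = 0; i < sizeof tree / sizeof tree[0]; i++)
        if (class_name_matches(tree[i].base_class, wanted))
            count++;
    return count;
}

int main(void)
{
    printf("base class == User : %d object(s)\n", count_by_base_class("User"));
    printf("Class Name has User: %d object(s)\n", count_by_class_name("User"));
    return 0;
}
```

Run against the constructed tree, a base-class comparison for User finds only jsmith, while a Class Name filter for User finds both jsmith and abrown, which is why a search can still locate Acme User objects even though NWAdmin will not administer them as Users.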
Q How do you use APIs that require a Bindery object ID when using NDS names?
A All the APIs that require Bindery object IDs are server-based functions, such as NWAddTrustee. Since these functions are server based, they require a connection handle to the server. This is normally obtained using the NWCCOpenConnBy functions. Once a connection handle to the server has been obtained, it is possible to use the function NWDSMapNameToID to get a server-based object ID for an NDS object. The object ID is a four-byte number that is used by the NDS to locate the object in the server's copy of the NDS files. Object IDs are valid only for that server and only while the object exists on the server. If the object is deleted and recreated, there is a high chance the object ID will change.
Q If a server does not have a copy of a partition, is it still possible to use NWDSMapNameToID to get the ID of an object in that partition?
A Yes. The NDS will create an external reference for that object on the server. The external reference is used as a placeholder for the object and contains an attribute which points to the real copies of that object. Likewise, the real copies of the object have a back link attribute pointing to all external references to that object. In this way the external references can be modified or removed if the real object is renamed or deleted.
The NDS periodically checks all external references to make sure they are still required. For example, if a file trustee was assigned to an external object and later removed, the external reference for that object would be removed in due course.
-Contributed by John Buckle
Copyright 1996 by Novell, Inc. All rights reserved. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying and recording, for any purpose without the express written permission of Novell.
All product names mentioned are trademarks of their respective companies or distributors.
* Originally published in Novell AppNotes
The origin of this information may be internal or external to Novell. While Novell makes all reasonable efforts to verify this information, Novell does not make explicit or implied claims to its validity.