INTERWORK DESCRIPTION
Disclaimer
The contents of this document are subject to revision without notice due to
continued progress in methodology, design and manufacturing. Ericsson shall
have no liability for any error or damage of any kind resulting from the use
of this document.
Trademark List
All trademarks mentioned herein are the property of their respective owners.
These are shown in the document Trademark Information.
Contents
1 Introduction 1
1.1 Related Information 1
2 LDAP Overview 2
2.1 LDAP v3 Supported Features 3
2.2 Limitations 3
Reference List 45
1 Introduction
This document explains the LDAP interface for use with AVG in Monolithic
configuration. It describes object creation, modification, retrieval, and deletion;
as well as object attributes and their internal database hierarchy for LDAP. The
AVG Front-End (FE) configuration is outside the scope of this document. For
information on AVG FE, refer to LDAP Interface Description for Accessing
External Database in HSS-FE.
It is intended as a reference for AVG operators who use the LDAP v3 protocol
(refer to Lightweight Directory Access Protocol (v3) (RFC 2251)) for AVG data
management.
1.1 Related Information
• Trademark Information
• Typographic Conventions
2 LDAP Overview
AVG has an LDAP server for configuration, provisioning, and security data
management.
This interface handles the creation, retrieval, update, and deletion (CRUD)
of AVG data.
The LDAP server is based on the OpenLDAP server (slapd) front-end, augmented
with the functionality needed to communicate with the database where AVG data
is stored. For more information, refer to www.openldap.org [16].
LDAP clients use the LDAP interface to let the operator manage AVG data.
Several types of LDAP client can be used, for example:
• Command-line clients
2.1 LDAP v3 Supported Features
• Published schema with object classes and attribute types supported by the
server.
2.2 Limitations
In HSS Monolithic configuration, a delay occurs during the provisioning
procedure between the LDAP success response and the moment the change becomes
accessible. This is because JIM commits asynchronously to DBN and the POT
redundancy replica must also be updated. The time needed for the update depends
on network characteristics, but is estimated not to exceed 500 ms in normal
scenarios. During this window, messages that attempt to access recently
modified POTs are answered with Unable to comply because of the database
inconsistency. A provisioning client should therefore not read back, or act
on, a modification immediately after the success response; it should retry the
read after a short delay and fail the procedure only if the inconsistency
persists.
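The following Python is an added example, not part of the Ericsson document or the AVG product. It shows how a provisioning client should handle the window described above: the LDAP success response only means the change was accepted, so the client re-reads the entry with a bounded retry and treats Unable to comply as a transient condition until a deadline passes. The directory is a constructed in-memory stand-in driven by a fake clock so that the code runs offline; the exception type, the 0.45 s lag and the retry interval are assumptions of the example, not values from the document.

```python
# Added example, not part of the Ericsson document: treat an LDAP success
# response as "accepted", not "visible", and re-read with a bounded retry.
import time
from typing import Callable, Optional


class TransientUnavailable(Exception):
    """Raised by a lookup when the server answers Unable to comply (assumed mapping)."""


def wait_until_visible(lookup: Callable[[str], Optional[dict]],
                       dn: str,
                       predicate: Callable[[dict], bool],
                       timeout_s: float = 2.0,
                       interval_s: float = 0.05,
                       clock: Callable[[], float] = time.monotonic,
                       sleep: Callable[[float], None] = time.sleep) -> int:
    """Poll lookup(dn) until predicate(entry) holds or the deadline passes.

    A TransientUnavailable from the lookup is expected during the
    inconsistency window and is retried; any other exception propagates.
    Returns the number of read attempts that were needed.
    """
    deadline = clock() + timeout_s
    attempts = 0
    while True:
        attempts += 1
        try:
            entry = lookup(dn)
        except TransientUnavailable:
            entry = None
        if entry is not None and predicate(entry):
            return attempts
        if clock() >= deadline:
            raise TimeoutError("%s not consistent after %d attempts" % (dn, attempts))
        sleep(interval_s)


class SimulatedAvgDirectory:
    """Constructed stand-in for the AVG LDAP server: a write is acknowledged
    immediately, but reads of that entry fail with Unable to comply until
    lag_s seconds have elapsed (the document estimates up to 500 ms)."""

    def __init__(self, clock: Callable[[], float], lag_s: float = 0.45):
        self.clock = clock
        self.lag_s = lag_s
        self.entries: dict = {}
        self.consistent_at: dict = {}

    def add(self, dn: str, attrs: dict) -> str:
        self.entries[dn] = dict(attrs)
        self.consistent_at[dn] = self.clock() + self.lag_s
        return "success"          # what the LDAP client sees straight away

    def search(self, dn: str) -> Optional[dict]:
        if dn not in self.entries:
            return None
        if self.clock() < self.consistent_at[dn]:
            raise TransientUnavailable("Unable to comply")
        return self.entries[dn]


class FakeClock:
    """Deterministic clock so the example runs instantly and offline."""

    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now

    def sleep(self, seconds: float) -> None:
        self.now += seconds


# DN of the ISIM user from the document's own example.
USER_DN = ("HSS-AvgImpi=user@realm.com,"
           "HSS-AvgIsimUserContainerName=HSS-AvgIsimUserContainer,"
           "HSS-AvgProvisioningContainerName=HSS-AvgProvisioningContainer,"
           "applicationName=HSS_AVG,nodeName=jambala")


def provision_and_confirm(lag_s: float = 0.45, interval_s: float = 0.1) -> int:
    """Add an ISIM user, then confirm the new AMF is readable. Returns attempts."""
    clock = FakeClock()
    directory = SimulatedAvgDirectory(clock, lag_s=lag_s)
    assert directory.add(USER_DN, {"HSS-AvgAmf": "1000"}) == "success"
    return wait_until_visible(directory.search, USER_DN,
                              lambda e: e.get("HSS-AvgAmf") == "1000",
                              timeout_s=2.0, interval_s=interval_s,
                              clock=clock, sleep=clock.sleep)


if __name__ == "__main__":
    print("visible after %d read attempts" % provision_and_confirm())
```

In a real client the lookup would wrap ldapsearch (or the library call) and map the server's Unable to comply result to TransientUnavailable, while every other error is surfaced immediately so that a misconfiguration is not mistaken for the replication delay.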
ldapsearch tool returns the objects in the directory that match the search
request, with the specified attributes (if any).
ldapadd -H "ldaps://IP_ADDRESS:TLS_LDAP_PORT/" \
-D "administratorName=HSS-AvgProvisioningAdministrator,\
nodeName=jambala" \
-w "Wanda123" -Z -f file \
-P 3
• -Z requests StartTLS, that is, an upgrade of a plain ldap:// connection to
TLS (-ZZ makes a failed upgrade fatal instead of a warning). With an ldaps://
URI, as in this example, the connection is TLS-protected from the start and
-Z is not needed.
• -w passes the bind password on the command line, where it is visible to
other local users in the process list and is recorded in the shell history.
For interactive use prefer -W, which prompts for the password; for scripts
prefer -y file, which reads it from a file with restrictive permissions.
• -f specifies a file that defines one or more directory entries to add. The
entries are separated by blank lines, and each entry consists of a DN,
followed by zero or more attribute values. Example:
dn=HSS-AvgImpi=user@realm.com,\
HSS-AvgIsimUserContainerName=\
HSS-AvgIsimUserContainer,\
HSS-AvgProvisioningContainerName=\
HSS-AvgProvisioningContainer,\
applicationName=HSS_AVG,nodeName=jambala
objectClass:HSS-AvgIsimUser
HSS-AvgEncryptedK:24AAAFFF8787695BCCF4376BBFFC3892
HSS-AvgA4KeyInd:3
HSS-AvgFSetInd:3
HSS-AvgAmf:1001
Apart from this format, the LDIF (LDAP Data Interchange Format) format
can also be used. In LDIF the DN is introduced by "dn:" (a colon, not an
equals sign), each attribute is written as "name: value", and a line that is
too long is continued on the next line, which starts with a single space. For
a proper description of the format accepted, consult the slapd manual (refer to
www.openldap.org). An 'add' operation for the same entry looks like this
("changetype: add" is implied when the file is fed to ldapadd and may be
omitted there):
dn: HSS-AvgImpi=user@realm.com,HSS-AvgIsimUserContainerName=HSS-AvgIsimUserContainer,
 HSS-AvgProvisioningContainerName=HSS-AvgProvisioningContainer,
 applicationName=HSS_AVG,nodeName=jambala
changetype: add
objectClass: HSS-AvgIsimUser
HSS-AvgEncryptedK: 42AAAFFF8787695BCCF4376BBFFC3892
HSS-AvgA4KeyInd: 3
HSS-AvgFSetInd: 3
HSS-AvgAmf: 1000
ldapmodify -H "ldaps://IP_ADDRESS:LDAP_PORT/" \
-D "administratorName=HSS-AvgProvisioningAdministrator,\
nodeName=jambala" \
-x -c -r \
-w "Wanda123" -f file \
-P 3
The -H, -D, -w, -P, and -f flags are described for ldapadd. In addition:
• -x uses simple authentication (bind DN and password) instead of SASL.
• -c selects continuous operation mode: errors are reported, but the tool
goes on with the remaining entries in the file instead of exiting at the
first error.
• -r makes the modifications replace existing attribute values by default
instead of adding to them.
ldapdelete -H "ldaps://IP_ADDRESS:LDAP_PORT/" \
-D "administratorName=HSS-AvgProvisioningAdministrator,\
nodeName=jambala" \
-w "Wanda123" -x -f file \
-P 3
The flags are as described for ldapadd and ldapmodify; here -f names a file
that contains, one per line, the DN of each entry to delete.
ldapsearch -H "ldaps://IP_ADDRESS:LDAP_PORT/" \
-D "administratorName=HSS-AvgProvisioningAdministrator,\
nodeName=jambala" \
-w "Wanda123" \
-b "applicationName=HSS_AVG,nodeName=jambala" \
-s sub \
-x \
-P 3 \
"(HSS-AvgImpi=*)"
The -H, -D, -x, -P, and -w flags are as described for ldapadd and ldapmodify.
In addition:
• -b specifies the DN of the base object for the search (the root of the
subtree to search)
• -s specifies the scope. Valid scopes are "base" (the base object only),
"one" (the immediate children of the base object, not the base itself) and
"sub" (the base object and its entire subtree).
The first non-option argument is the filter (required). Complex filters are
allowed. For example, "(HSS-AvgImpi=*)" matches every entry that has an
HSS-AvgImpi attribute, that is, all ISIM users. For objects with multi-valued
attributes, the object is returned if any one value matches the filter.
Filter values taken from untrusted input (for example an IMPI typed in by an
operator) must be escaped as described in RFC 4515 before they are placed in
the filter string; otherwise characters such as "*", "(" and ")" change the
meaning of the filter.
All the attributes related to those objects are listed in Section 5 on page 9.
5.1.1 Introduction
The tables in the following chapters specify all AVG object classes and their
attributes.
As shown in Section 4 on page 6, the LDAP hierarchy has a tree pattern. This
tree is called the Directory Information Tree (DIT) and is composed of entries,
each of which has one or more key attributes. The names and values of those
attributes form the Relative Distinguished Name (RDN) of an object. The
concatenation of the RDNs of the entries on the path from a particular object
up to the root of the tree forms its Distinguished Name (DN), which uniquely
identifies the object inside the tree. For example, the DN of an
HSS-AvgIsimUser object (see Page 7) is:
HSS-AvgImpi=user@realm.com,
HSS-AvgIsimUserContainerName=HSS-AvgIsimUserContainer,
HSS-AvgProvisioningContainerName=HSS-AvgProvisioningContainer,
applicationName=HSS_AVG,nodeName=jambala
Each table has a header and three columns with the following information:
5.1.2 Conventions
The following data types in the Ericsson AVG Server Managed Object LDAP
hierarchy have special conventions:
• LDAP URL: has the format "ldap://" [hostport].
• Restricted SIP URI: The restricted SIP URI has the format
sip:userinfo host, where userinfo = ( user / telephone-subscriber ) "@".
The user or telephone-subscriber part consists of one or more of the
following characters:
mark: - _ . ! ~ * ' ( )
ALPHA: a b c d e f g h i j k l m n o p q r s t u v w x y z
A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
DIGIT: 0 1 2 3 4 5 6 7 8 9
user-unreserved: & = + $ , ; ? /
An example of a valid restricted SIP URI is sip:user1@ericsson.com. For
more information, refer to SIP: Session Initiation Protocol (RFC 3261).
General Conventions
• All attribute values are printable ASCII.
• — indicates no value. In this case, the attribute is not shown when a search
LDAP operation is made on it.
• The objects created automatically at installation time do not have the
"Required" field, since they cannot be created later on.
Parameter Categories
The parameters are divided into four categories: Internal Parameters, Solution
Integration Parameters, Site Specific Parameters, and Operator Configurable
Parameters. The categories are as follows:
• Integer attributes have unsigned integer 8 bit (uint8), 16 bit (uint16), and
32 bit (uint32) values.
The owner, group, and permissions attributes are similar to the corresponding
attributes of a Unix file system.
Common errors are provided by the platform and also specific errors are
provided by AVG. The specific errors are collected as OAM logging events in
AVG Logging Events. For information about common errors, refer to LDAP
Interface Description.
The HSS-Avg A4Keys Container object is used to contain all the objects related
to different A4keys.
Before deleting an HSS-AvgA4Key object, verify that no users in HSS-Avg still
reference it (for example through their HSS-AvgA4KeyInd attribute).
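The following Python is an added example, not from the Ericsson document, of the check the note above asks for: before deleting an HSS-AvgA4Key, search the provisioning subtree for entries whose HSS-AvgA4KeyInd still selects that key and refuse the delete if any are found. The search and delete operations are injected callables and the directory is a constructed in-memory stand-in, so the code runs offline. The A4Key DN is a placeholder because this page does not show the A4Keys container DN, and the assumption that HSS-AvgA4KeyInd is the attribute referencing the key comes from the LDIF example earlier on the page. Because of the inconsistency window described in Section 2.2, a user provisioned concurrently can still slip past this check, so it belongs in the provisioning path that owns both operations rather than in an independent clean-up job.

```python
# Added example, not part of the Ericsson document: refuse to delete an
# HSS-AvgA4Key that an ISIM user still references.
from typing import Callable, Dict, List, Tuple

# Parent of both user containers, taken from the DNs shown in this document.
PROVISIONING_CONTAINER_DN = (
    "HSS-AvgProvisioningContainerName=HSS-AvgProvisioningContainer,"
    "applicationName=HSS_AVG,nodeName=jambala"
)
# Placeholder: the real A4Key DN comes from the object class tables, not this page.
A4KEY_DN_PLACEHOLDER = "HSS-AvgA4KeyInd=2,<DN of the A4Keys container>"

SearchFn = Callable[[str, str, int], List[str]]  # (base_dn, filter, size_limit) -> DNs
DeleteFn = Callable[[str], None]


def a4key_in_use_filter(key_ind: int) -> str:
    """Users select their key with HSS-AvgA4KeyInd (see the LDIF example)."""
    return "(HSS-AvgA4KeyInd=%d)" % int(key_ind)   # int() keeps the filter literal


def delete_a4key_if_unused(search: SearchFn, delete: DeleteFn,
                           key_dn: str, key_ind: int,
                           base_dn: str = PROVISIONING_CONTAINER_DN,
                           report_limit: int = 10) -> List[str]:
    """Delete key_dn only if no entry under base_dn references key_ind.

    Returns the DNs that block the deletion (at most report_limit, so the
    check stays cheap on a large subtree); an empty list means the key was
    deleted.
    """
    blocking = search(base_dn, a4key_in_use_filter(key_ind), report_limit)
    if blocking:
        return list(blocking)
    delete(key_dn)
    return []


class FakeDirectory:
    """Constructed in-memory stand-in for the AVG LDAP server; supports only
    (attr=value) filters with subtree scope, enough to exercise the guard."""

    def __init__(self, entries: Dict[str, Dict[str, str]]):
        self.entries = dict(entries)
        self.deleted: List[str] = []

    def search(self, base_dn: str, filt: str, size_limit: int) -> List[str]:
        attr, value = filt.strip("()").split("=", 1)
        hits = [dn for dn, attrs in self.entries.items()
                if dn.lower().endswith(base_dn.lower()) and attrs.get(attr) == value]
        return hits[:size_limit]

    def delete(self, dn: str) -> None:
        del self.entries[dn]
        self.deleted.append(dn)


def user_dn(impi: str) -> str:
    """DN of an ISIM user in the form the document shows (IMPI assumed DN-safe)."""
    return ("HSS-AvgImpi=%s,HSS-AvgIsimUserContainerName=HSS-AvgIsimUserContainer,%s"
            % (impi, PROVISIONING_CONTAINER_DN))


def demo() -> Tuple[List[str], List[str], List[str]]:
    """Key 3 is still used by one ISIM user, key 2 by none.

    Returns (DNs blocking deletion of key 3, DNs blocking key 2, deleted DNs).
    """
    directory = FakeDirectory({
        user_dn("user@realm.com"):  {"objectClass": "HSS-AvgIsimUser", "HSS-AvgA4KeyInd": "3"},
        user_dn("user2@realm.com"): {"objectClass": "HSS-AvgIsimUser", "HSS-AvgA4KeyInd": "1"},
        A4KEY_DN_PLACEHOLDER: {"objectClass": "HSS-AvgA4Key"},
    })
    blocked = delete_a4key_if_unused(directory.search, directory.delete,
                                     A4KEY_DN_PLACEHOLDER.replace("=2,", "=3,"), 3)
    freed = delete_a4key_if_unused(directory.search, directory.delete,
                                   A4KEY_DN_PLACEHOLDER, 2)
    return blocked, freed, directory.deleted


if __name__ == "__main__":
    print(demo())
```

Against the real server the search callable would run an ldapsearch with -b set to the provisioning container, -s sub and a size limit, and the delete callable an ldapdelete on the key DN, both bound as the provisioning administrator.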
Note: The values supported for HSS-AvgFsetName are Test and Milenage.
Any other value depends on commercial agreements.
The HSS External Database Configuration object is used to store the necessary
information for accessing the external database using LDAP protocol as
specified in LDAP Interface Description for Accessing External Database in
HSS-FE.
The visibility of this object depends on the HSS type of configuration defined in
HSS-AvgInstallationType attribute, see Page 27. This object only applies
to HSS FE configuration.
DN: dc=impu,ou=identities,root
Object Classes and Attributes
The Administrators have access to ISM, and perform operations with the data.
Each Administrator has a name and password, and is a member of one or more
Access Groups. Before a client can issue any request to read, write, create,
or delete objects, it must be authenticated by providing an administrator DN
and a password.
The Access Group defines the capabilities of its members, specifically whether
they are permitted to create Administrator, Access Group, and Organization
entries. When an entry is created, it has several attributes that indicate which
administrator can read, update (write attribute values), or manage (create or
delete) that object class. These attributes are:
• ownerId
The administrator with full permissions to read, update, and manage that
object.
• groupId
• shareTree
• permissions
For AVG application, the following considerations related to the attributes are
applicable:
• ownerId
   o HSS-AvgApplication, HSS-AvgConfigurationContainer, and HSS-AvgLicense
     object classes are owned by the Ericsson Administrator and set as
     read-only for other administrators.
   o HSS-AvgProvisioningContainer, HSS-AvgIsimUserContainer, and
     HSS-AvgUsimUserContainer object classes are owned by the
     HSS-AvgProvisioningAdministrator.
• groupId
   o HSS-AvgProvisioningContainer, HSS-AvgIsimUserContainer, and
     HSS-AvgUsimUserContainer object classes have the groupId
     HSS-AvgProvisioningGroup.
• shareTree
• permissions
Before a client can issue any request to retrieve, update, create, or delete
objects, authentication using an administrator DN and a password is required.
Administrators are defined as HSS-AvgAdministrators. Each administrator is
associated with at least one access group. Access Groups are defined as
HSS-AvgAccessGroups.
Reference List
HSS Documents
Standards
Online References
[16] www.openldap.org