We Keep Coding

Private and shared address book with LDAP?

For a set of users belonging to some organisation, I want to provide the following:
each user should have a private address book
each user should have access to a company address book
I wonder how to model this scenario in LDAP so that:
user connects to LDAP server with some client
user performs a search for some string
all matching entries from the global address book are returned
all matching entries from the user's private address book are returned
Is searching the global and private address book possible with a single query? I guess the user would provide his path in LDAP as DN, but the global address book would be located at a different DN. I imagine something like that:
/
/OU=private-address-books
/CN=user1
/CN=entry1
...
/OU=global-address-book
/CN=entryABC
So is it possible to somehow automatically reference the global address book under the user's private address book?

You would probably be best off to arrange your DIT Structure to be more like:
ou=private,ou=Addressbooks...
ou=public,ou=Addressbooks...
You then could search using the the ou=addressbooks as the baseDN.
Or better, assign an Attribute boolean type private=TRUE to each entry.
So for all addressbooks,
(objectClass=Entry)
And for private
(&(objectClass=Entry)(private=TRUE))
And then finally, you may be able to use an ExtensibleMatch search filter to search both containers.
-jim

API convention for parent -> child element calls

We are trying to figure out if there is a generally accepted way of providing an API parent -> child resource. Say we have a Person entity and each Person has 0 or more addresses represented by the Address entity.
In terms of basic API we'd have:
POST: /api/v1/person
GET: /api/v1/person/{id}
PUT: /api/v1/person/{id}
DELETE: /api/v1/person/{id}
Then we have 2 ways to retrieve the addresses for a person:
/api/v1/person/{id}/addresses
/api/v1/addresses/{personId}
We feel it's more natural to pick the former option /person/{id}/addresses for GET but at the same time if we wanna retrieve an address by its id it should be /api/v1/address/{id}.
The question is, is there a convention in dealing with POST, PUT and DELETE calls? To me it makes sense that these should be called to the address service at /api/v1/address OR /api/v1/address/{id} but at the same time I can see why someone would POST to `/api/v1/person/{id}/address' instead of passing the person id in the request body.
So yeah, can you guys point us in the right direction here - is there a written or unwritten rule in API design when it comes to parent -> child relations?
Thanks in advance!

Can an address exist without a person? If the answer is yes, then an address should be a resources of its own.
/api/v1/addresses: the collection of all addresses
/api/v1/addresses/{addressId}: a single address
/api/v1/addresses?person={personId}: all addresses for a person
I'd not use /api/v1/addresses/{personId} because it is not immediately obvious that personId is the ID of a person, not of an addresse.
But at the same time, /api/v1/person/{id}/addresses should be available to navigate from a person to all his addresses.
If an address can not exist without a person, only use /api/v1/person/{id}/addresses.

Designing a rest url - filter with multiple params over entities (not last entity)

Let's say I have the following entities in my libraries app - Library Room, shelf, Book.
Where Room has N shelves, and shelves have N Books.
Now the following url brings me a list of books whose
library is 3, room no. is 5 and shelf no. is 43.
.../library/3/room/5/shelf/43/books
Assuming shelf 43 is unique per room only
(There is shelf 43 also in other rooms)
and Rooms are not unique (There's a few room no. 5 ) in the library.
Here is my questions:
I want to filter with more fields on the entities, here is what i want to do
(representation not in rest):
.../library/id=3&type=3/room/decade=21&topic=horror/shelf/location=east&/books
This is not rest.
How do I represent it in rest?
Notes:
I don't want to do this way
.../books&param1=X&param2=X&param3=X&param4=X
because not all params are related to books.

Couple of things that you need to look into while designing your apis.
1) are type, decade, topic etc required fields? if so, I will probably make them a part of the path itself, such as:
../libraries/{libraryId}/type/{typeId}/rooms/{roomId}/decades/{decadeId}/topics/{topicName}/shelves/{shelfId}/locations/{shelfLocation}/books
Here I am assuming that each library can have rooms which have unique room ids per library, each room can have shelves which has unique ids/locations per room (and so on and so forth). Yes, the url is pretty long, but that's kind of expected
2) if these fields are not required, you could use a different approach which is a bit less verbose but a bit more confusing for client developers who have never used such approach here. Here's a straight up example Restful Java with JAX-RS by Bill Burke
#Path("{first}-{last}")
#GET
#Produces("application/xml")
public StreamingOutput getCustomer(#PathParam("first") String firstName,
#PathParam("last") String lastName) {
...
}
Here, we have the URI path parameters {first} and {last}. If our HTTP request is
GET /customers/bill-burke, bill will be injected into the firstName parameter and
burke will be injected into the lastName parameter.
If we follow this somewhat academic approach (I have not seen this implemented on many platforms. Most platforms normally go with approach # 1, a more verbose but clear approach), your URL would look somewhat like this:
../libraries/{libraryId}-{typeId}/rooms/{roomId}-{decadeId}-{topicName}/shelves/{shelfId}-{shelfLocation}/books
This way, if the client developer doesn't pass in the non-required fields, you can handle it at the business logic level and assign these variables a default value, for example:
../libraries/3-/rooms/2-1-horror/shelves/1-/books
With this url, libraryId = 3, typeId = null (thus can be defaulted to it's default value) and so on and so forth. Remember that if libraryId is required field, then you might want to actually make it a part of the pathparam itself
Hope this helps!

How do ldap search for email address in contacts' 2nd/3rd alternate email addresses?

I have an LDAP server with my email contacts so that I can lookup contacts by name/email, etc. However, it only seems to search and find the first email address for any contact.
For example, if I have a person:
LastName: Doe
FirstName: John
Email: jdoe#work.com
Email2: johndoe#home.com
Email3: johndoe#fun.com
It only searches through or returns the first email. For example, if I search for "John", it will return only the "jdoe#work.com" even though the other two email addresses have "john" in them. The search filters I've tried are:
//This one will both look through and match the first email but ignores the 2nd/3rd
(|(displayName=*%v*)(mail=*%v*)(uid=*%v*)(givenname=*%v*)(sn=*%v*)(cn=*%v*))
//This one throws an error saying "mail2" and "mail3" are invalid filters.
(|(displayName=*%v*)(mail=*%v*)(mail2=*%v*)(mail3=*%v*)(uid=*%v*)(givenname=*%v*)(sn=*%v*)(cn=*%v*))
What should I be using?
Also, does anyone have a link to some page that lists all the possible filters I can put in an ldap person search?

Exchange does not store additional mailaddresses in fields like mail2 or mail3. All addresses are stored in the multi-valued field "proxyAddresses". This field contains one line for each address in the form of
address-type:address
Example:
smtp:test#contoso.local
SMTP:user#contoso.local
The second entry in the example would be main address for that account, because the SMTP prefix is all uppercase.
So you would search for (proxyAddress=%v) or something like that. I don't know the LDAP search syntax out of my head.
Edit: Another option is to use the ResolveNames operation of the EWS webservices (see http://www.infinitec.de/post/2009/04/13/Resolving-the-primary-email-address-with-Exchange-WebServices-ResolveNames-operation.aspx and http://msdn.microsoft.com/en-us/library/aa563518(v=exchg.140).aspx).

The filter:
(|(displayName=*%v*)(mail=*%v*)(uid=*%v*)(givenname=*%v*)(sn=*%v*)(cn=*%v*))
will not match the entry:
LastName: Doe
FirstName: John
Email: jdoe#work.com
Email2: johndoe#home.com
Email3: johndoe#fun.com
because none of the filter assertions match any of the attribute names in the given entry.
(|(Email=jd*)(Email2=john*)(Email3=john*)(lastName=Do*))
would match. Have you considered using the standard names for the example entry you give?

Active Directory was released with some schema choices that are questionable. Now it is hard to fix them.
One of those is that mail, was flagged as single valued. This should have been a multivalued attribute. Thus the use of proxyAddresses, where it tries to overload a string syntax attribute with more information by using smtp: or x500: or SIP: to indicate a protocol for the address. Then upper case (SMTP) means primary and lower case (smtp) means secondary.
This also occured for telephoneNumber being single valued, and extra values now overflow into the attribute otherPhone.
Same for:
facsimileTelephoneNumber and otherFacsimileTelephoneNumber
labelledUri and url
homePhone and otherHomePhone
pager and otherPager
mobile and otherMobile

Tricky class design issue

I'm working on implementing a class for managing user permissions on my website.
For example: employees can view customer records but nothing else, employers can view customers as well as manage employees, and admins can do both those things as well as manage employers.
So far, what I've got is this:
I've stored a list of permissions, e.g addCustomer, delCustomer, etc. Each permission is linked to a list of the user roles which are allowed to do that action.
I've got a simple permissions class built. I'm using it something like this:
if ($permissions->can('addCustomer'))
echo " Add Customer ";
else
echo 'Not allowed to add customers';
However the tricky part is that in some places, I need to be more specific. For example: a customer has got the permission: readMsgs which allows him to read the messages between himself and an employee. However, if he has that permission, then he can simply change the url from:
site.com/messages/read/100
to
site.com/messages/read/101
And read message # 101 as well, which might be between another customer and employee. A customer shouldn't be able to read anyone's messages except himself.
Similarly, a customer has got the editCustomer permission, which allows him to edit his own profile by going to:
site.com/customers/99
(where 99 is his customer id)
But if he goes to
site.com/customers/100
He should not be allowed to access that page.
How can I solve this problem? Ideally I'd like to be able to pass on an id to the permissions class. E.g:
if (! $permissions->can('readMsg', $msgId))
echo 'not allowed';
if (! $permissions->can('editCustomer', $requestedCustomerId))
echo 'not allowed';
Any ideas how I'd have to restructure my class structure to allow the above kind of thing?

I would be more granular in my taxonomy of permissions (e.g., "readOwnMsgs" vs. "readAnyMsg"). This would elaborate your permission-checking code (e.g., site.com/messages/read/### goes something along the lines of "proceed if canReadAnyMsg or if canReadOwnMsg and message author is current user"), suggesting that this logic should be encapsulated in separate classes broken down by resource type or whatever other circumstances might have an effect on contextual information required to make such decisions.

I would have a message class with a canRead(User) function. This would check the user's permissions and say "Oh, I'm a message from a manager to an employee. Unless the user is the reciepient of the message, they can't read it." or just as easily "I'm a message from a manager to an employee. The user is a manager, so he can read it."
I'm typing it out in English because I suck a php (which appears to be the language of choice.)