This chapter provides examples of how to add, search for, and modify alias entries, and it includes a list of messages. It contains these topics:
For information about attribute aliases, seeSection 21.1.5, "Understanding Attribute Aliases."
Entries sometimes have distinguished names that are long and cumbersome. Oracle Internet Directory makes it easier to administer long names by using alias objects. When someone looks up—that is, references—an object by using an alias, the alias is dereferenced, and what is returned is the object to which the alias points. For example, the alias, Server1, can be dereferenced so that it points to the fully qualified DN—namely, dc=server1,dc=us,dc=myCompany,dc=com. This feature also enables you to devise structures that are not strictly hierarchical.
An alias entry uses the object class alias to distinguish it from object entries in a directory. The definition of that object class is as follows:
(2.5.6.1 NAME 'alias' SUP top STRUCTURAL MUST aliasedObjectName)
An alias entry also contains the aliasedObjectName attribute that, in turn, contains the DN of the object to which it is pointing. The definition of that attribute is as follows:
(2.4.5.1 NAME 'aliasedObjectName" EQUALITY distinguishedNmameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE)
Figure 18-1 and the accompanying text provides an example of alias entry dereferencing.
In Figure 18-1, ou=uk sales,ou=global sales,o=myCompany,c=us is an alias entry pointing to the ou=sales,o=myCompany,c=uk entry.
When anyone references ou=uk sales,ou=global sales,o=oracle,c=us, the directory server automatically reroutes them to the real entry, ou=sales,o=oracle,c=uk.
To add an alias entry, you create a normal entry in LDIF and an alias entry pointing to the real entry. Following the steps in this example produces the tree in Figure 18-2.
Create a sample LDIF file, My_file.ldif, with the following entries:
dn: c=us c: us objectclass: country dn: o=MyCompany, c=us o: MyCompany objectclass:organization dn: ou=Area1, c=us objectclass: alias objectclass: extensibleobject ou: Area1 aliasedObjectName: o=MyCompany, c=us dn: cn=John Doe, o=MyCompany, c=us cn: John Doe sn: Doe objectclass: person dn: cn=President, o=MyCompany, c=us objectclass: alias objectclass: extensibleobject cn: President aliasedobjectname: cn=John Doe, o=MyCompany, c=us
Add these entries to the directory by using the following command:
ldapadd -p port -h host -D cn=orcladmin -q -f My_file.ldif
Note:
If you attempt to add an alias entry whose parent is an alias entry, the directory server returns an error.
See Also:
Section 18.5, "Entry Alias Dereferencing Messages" for error messages.
Figure 18-2 Resulting Tree when Creating the My_file.ldif

In Figure 18-2, the letter A represents an alias entry, where:
ou=Area1 is an alias pointing to o=MyCompany
cn=President is an alias pointing to cn=John Doe
In each search you specify, there are flags you can set. The search is performed based on the flag you specify, as shown in Table 18-1.
Table 18-1 Flags for Searching the Directory with Alias Entries
| Flag | Search Behavior of LDAP Server | 
|---|---|
| 
 | Never dereferences aliases. | 
| 
 | Dereferences the base object in a search, but does not dereference alias entries that are under the base. | 
| 
 | Dereferences aliases in subordinates of the base object in search but not in locating the base object of the search. | 
| 
 | Dereferences aliases both in searching and in locating the base object of the search. | 
By default, the dereference flag in ldapsearch is -a never and thus the directory server does not perform any dereferencing for alias entries.
A base search finds the top level of the alias entry you specify.
Base Search with the Dereferencing Flag -a find
This example shows a base search of ou=Area1,c=us with a filter of "objectclass=*" with the dereferencing flag set to -a find.
ldapsearch -p port -h host -b "ou=Area1,c=us" -a find -s base "objectclass=*"
The directory server, during the base search, looks up the base specified in the search request and returns it to the user. However, if the base is an alias entry and, as in the example, -a find is specified in the search request, then the directory server automatically dereferences the alias entry and returns the entry it points to. In this example, the search dereferences ou=Area1,c=us, which is an alias entry, and returns o=MyCompany,c=us.
Base Search with the Dereferencing Flag -a search
This example shows a base search of ou=Area1,c=us with a filter of "objectclass=*" with the dereferencing flag set to -a search.
ldapsearch -p port -h host -b "ou=Area1,c=us" -a search -s base "objectclass=*"
The directory server, during the base search, looks up the base specified in the search request and returns it to the user without dereferencing it. It returns ou=Area1,c=us.
Base Search with the Dereferencing Flag -a always
This example shows a base search of ou=Area1,c=us with a filter of "objectclass=*" with the dereferencing flag set to -a always.
ldapsearch -p port -h host -b "ou=Area1,c=us" -a always -s base "objectclass=*"
The directory server, during the base search, looks up the base specified in the search request. If it is an alias entry, the directory server automatically dereferences the alias entry and returns the entry it points to. In this example, the search dereferences ou=Area1,c=us, which is an alias entry, and returns o=MyCompany,c=us.
A one-level search finds only the children of the base level you specify.
One-Level Search with the Dereferencing Flag -a find
This example shows a one-level search of "ou=Area1,c=us" with a filter of "objectclass=*" with the dereferencing flag set to -a find.
ldapsearch -p port -h host -b "ou=Area1,c=us" -a find -s one "objectclass=*"
The directory server returns one-level entries under the base that match the filter criteria. In the example, -a find is specified in the search request, and thus the directory server automatically dereferences while looking up the base (the first step), but does not dereference alias entries that are one level under the base. Therefore, the search dereferences ou=Area1,c=us, which is an alias entry, and then looks up one-level entries under o=MyCompany,c=us. One of the one-level entries is cn=President,o=MyCompany,c=us that is not dereferenced and is returned as is.
Thus, the search returns cn=President,o=MyCompany,c=us and cn=John Doe,o=MyCompany,c=us.
One-Level Search with the Dereferencing Flag -a search
This example shows a one-level search of "ou=Area1,c=us" with a filter of "objectclass=*" with the dereferencing flag set to -a search.
ldapsearch -p port -h host -b "ou=Area1,c=us" -a search -s one "objectclass=*"
The directory server searches for the base that is specified in the search request. If the base entry is an alias entry, it returns nothing. (Alias entries cannot have children.) Otherwise, it returns the base entry's immediate children after dereferencing them. In this example, the base entry is "ou=Area1,c=us", which is an alias entry, so the search returns nothing
One-Level Search with the Dereferencing Flag -a always
This example shows a one-level search of "ou=Area1,c=us" with a filter of "objectclass=*" with the dereferencing flag set to -a always.
ldapsearch -p port -h host -b "ou=Area1,c=us" -a always -s one "objectclass=*"
In the example, -a always is specified in the search request, and thus the directory server automatically dereferences while looking up the base (the first step), then dereference alias entries that are one level under the base. Therefore, the search dereferences ou=Area1,c=us, which is an alias entry, and then looks up one-level entries under o=MyCompany,c=us. One of the one-level entries is cn=President,o=MyCompany,c=us. That is dereferenced and is returned as cn=John Doe,o=MyCompany,c=us. The other one-level entry is cn=John Doe,o=MyCompany,c=us, which has already been returned.
Thus, the search returns cn=John Doe,o=MyCompany,c=us.
A subtree search finds the base, children, and grand children.
Subtree Search with the Dereferencing Flag -a find
This example shows a subtree search of "ou=Area1,c=us" with a filter of "objectclass=*" with the dereferencing flag set to -a find.
ldapsearch -p port -h host -b "ou=Area1,c=us" -a find -s sub "objectclass=*"
The directory server returns all entries under the base that match the filter criteria. In the example, -a find is specified in the search request, and thus the directory server automatically dereferences while looking up the base (the first step), but does not dereference alias entries that are under the base. Therefore, the search dereferences ou=Area1,c=us, which is an alias entry, and then looks up entries under o=MyCompany,c=us. One of the entries is cn=President,o=MyCompany,c=us that is not dereferenced and is returned as is.
Thus, the search returns:
o=MyCompany,c=us
cn=John doe,o=MyCompany,c=us
cn=President,o=MyCompany,c=us
Subtree Search with the Dereferencing Flag -a search
This example shows a subtree search of "ou=Area1,c=us" with a filter of "objectclass=*" with the dereferencing flag set to -a search.
ldapsearch -p port -h host -b "ou=Area1,c=us" -a search -s sub "objectclass=*"
The directory searches for the base that is specified in the search request.If the base is an alias entry, then it returns the base entry without dereferencing it. (Alias entries cannot have children.) Otherwise it returns all entries under the base. If any alias entries are found, it dereferences them and returns all entries under them as well.
In this example, the base entry is an alias entry, ou=Area1,c=us, so the directory returns ou=Area1,c=us.
Subtree Search with the Dereferencing Flag -a always
This example shows a subtree search of "ou=Area1,c=us" with a filter of "objectclass=*" with the dereferencing flag set to -a always.
ldapsearch -p port -h host -b "ou=Area1,c=us" -a always -s sub "objectclass=*"
The directory server dereferences the base entry and returns it. It also returns all entries under the dereferenced base. If any alias entries are found, it dereferences them and returns all entries under them as well.
In this example, the base entry is ou=Area1,c=us, which is dereferenced to o=MyCompany,c=us, which is returned. There are two entries under o=MyCompany,c=us. One is cn=President,o=MyCompany,c=us, which is returned and also dereferenced to cn=John Doe,o=MyCompany,c=us, which is returned. The other entry under o=MyCompany,c=us, which has already been returned. So the result is o=MyCompany,c=us and cn=John Doe,o=MyCompany,c=us.
This example shows how to modify alias entries. It creates a sample LDIF file,
My_file.ldif with following entries:
dn: cn=President, o=MyCompany, c=us changetype : modify replace: aliasedobjectname aliasedobjectname: cn=XYZ, o=MyCompany, c=us
Modify the alias entry using the following command:
ldapmodify -D "cn=orcladmin" -q -p port -h host -f My_file.ldif
Table 18-2 lists the messages related to alias entry dereferencing and the corresponding meaning for each message.
Table 18-2 Entry Alias Dereferencing Messages
| Message | Meaning | 
|---|---|
| Alias Problem | Either of the following have occurred: 
 | 
| Alias Dereferencing Problem | The user cannot dereference an alias because of access control issues. | 
| No Such Object | The server cannot find the base DN specified in the search request. | 
| Invalid DN Syntax | When adding or modifying an alias entry, if the value specified for  | 
| Success | The client operation successfully completes. When the dereferenced target does exist but does not match the filter specified in the search request, the server returns a success message with no matched entry. | 
| Insufficient Access Rights | The user does not have access to the dereferenced entry. |