Develop Reference

protege reflexive property usage

In protege a reflexive property is assigned to all individuals relgardless of domain and range and the class to which individuals belongs.
so what is the use of this restriction?
P.S: lets say there is three individuals:
NamedIndividual( :John )
NamedIndividual( :alex )
NamedIndividual( :BMW )
and an object proeprty:
ObjectProperty( :hasFriend )
ReflexiveObjectProperty(:hasFriend)
running pellet deduce that :
BMW hasFriend BMW
This inference is conceptually meaningless

Papers like The even more irresistible SROIQ and Foundations of Description Logics point out that reflexive and irreflexive properties are closely related to the exists r.Self concept. I.e. Narcissist can be defined as Narcissist \sqsubseteq loves.Self.
The SROIQ paper actually mentions that the main use cases for reflexive and irreflexive properties are limited and only make sense when used along with cardinality restrictions. I.e. if you define PopularPerson as someone with at least 2 friends, and hasFriend is reflexive, then by asserting an individual has 1 known friend will result in that individual being classified as a PopularPerson because the individual is already assumed to be its own friend.
Interestingly, the paper also mentions that reflexive(r) is equivalent to adding the GCI top \sqsubseteq exists r.Self to the TBox. Personally for me this is more intuitive and provides the control I think you seem to want to achieve. In particular this allows you to replace \top with whatever class of your choice. A similar equivalent exists for irreflexive properties.

Import attribute/object definitions to Active Directory (AD LDS)

Currently I'm using OpenDS and have to migrate to Active Directory (AD LDS).
I have a few custom attributes/objects that are defined in .ldif files in the OpenDS/config/schema directory like this:
attributeTypes: ( 1.3.6.1.4.1.99.1
NAME 'myNewAttribute'
DESC 'some text'
EQUALITY caseIgnoreMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE
)
objectClasses: ( 1.3.6.1.4.1.99.2
NAME 'myNewClass'
SUP top STRUCTURAL
MUST ( person $ myNewAttribute )
MAY someOtherAttribute
)
Unfortunately ldifde does not understand this format, so I used ADSI Edit to import my definitions manually one by one (cumbersome!) - but encountered some problems:
It seems AD supports only a handful of different SYNTAX definitions, like 2.5.5.12. How can I map something like 1.3.6.1.4.1.1466.115.121.1.15 to AD?
oMSyntax: Seems to be AD specific and not known to the rest of the LDAP world. oMSyntax in combination with attributeSyntax seems to define the data type in the AD world.
things like EQUALITY seem to be missing completely in AD! How to deal with this?
Question: Is there a tool to convert an LDIF file with attribute/object definitions to a format that is understood by MS / AD / ldifde?
Or a more general question: What is the best practice to migrate attribute/object definitions from OpenDS, OpenLDAP, etc. to the Microsoft world?

Welcome to the Diretories compatibility world. First of all the following syntax :
attributeTypes: ( 1.3.6.1.4.1.99.1
NAME 'myNewAttribute'
DESC 'some text'
EQUALITY caseIgnoreMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE
)
is not an LDIF syntax. it's a syntax used in Netscape like Directories to specify the Schema (OpenLDAP, Ex Sun directory service etc.). As far as you want to introduce new attributes and classes in Active Directory, you can do it using one of these 3 ways :
Manualy using the common ADSIEDIT.MSC (I never do it like that) :
Manualy using the specific Active Directory Scema Editor MMC (Microsoft Management Console)
This is the way I use in the development phase.
MMC.EXE -> File -> Open Component -> Active Directory Schema
If you are using an old server this MMC is only available recording an Active X component :
Regsvr32 c:\windows\system32\schmmgmt.msc
This way is much easier, it's the way I use on a development VM to create my attributes, I Then export the LDIF description with LDIFDE.EXE tool in order to clean it (remove system attributes) and import it on the production servers.
Programaticaly using LDIF
Here is an example of the LDIF syntax of an attribute
dn: CN=SlxChapitres,CN=Schema,CN=Configuration,DC=XXXX
changetype: add
objectClass: top
objectClass: attributeSchema
cn: SlxChapitres
distinguishedName: CN=SlxChapitres,CN=Schema,CN=Configuration,DC=XXXX
instanceType: 4
attributeID: 1.3.6.1.4.1.10558.2.1.6
attributeSyntax: 2.5.5.4
isSingleValued: FALSE
showInAdvancedViewOnly: TRUE
adminDisplayName: SlxChapitres
oMSyntax: 20
lDAPDisplayName: SlxChapitres
name: SlxChapitres
objectCategory: CN=Attribute-Schema,CN=Schema,CN=Configuration,DC=XXXX
This code is LDIF, I can inject it using LDIDE.EXE program the DC=XXXX syntax allowing me to use the -c DNSrc DNTarget of the LDIFFDE.EXE program option to locate it to the right DN.
As far as the Syntax and the matching rules are concerned, In my opinion Active-Directory is not so standard. Microsoft use a kind of combination between these to concepts to give one thing they call Syntax. Whenever you create a new attribute, you must specify its syntax. To uniquely identify the syntax among the total set of 21 syntaxes, you must specify 2 pieces of information: the OID of the syntax and a so-called OM syntax. This pair of values must be set together and correctly correlate with Mictosoft documention.

datomic attribute with a colon prefix

Have 2 queries about datomic attributes.
1. If I know the attribute name (String), how do I check if the attribute is already defined or not in the schema?
2. Based on my experimenting with datomic, I see that datomic treats attributes with colon prefix and without colon prefix same. i.e if we create attributes named "foo" and ":foo", they are one and the same. Is this true? Is this a limitation?
I am using datomic with groovy.Below is the code used to create the attribute. Along with name, other params are input.
static def createAttribute(String name, String type, String description, Connection connection) {
List schema = [[
':db/id': Peer.tempid(':db.part/db'),
':db/ident' : name,
':db/valueType': type,
':db/cardinality': ':db.cardinality/one',
':db/doc': description,
':db.install/_attribute': ':db.part/db'
]]
connection.transact(schema).get()
And the query I use to verify attribute presence is
def attributeFor(String attributeName, Database db) {
db.entity(attributeName).get(':db.install/_attribute')
}
If I call "createAttribute" with "foo" as attribute name and "attributeFor" method ":foo" as attribute name, I get a result. i.e "foo" and ":foo" are treated same.
How can I create and query for attributes with name that contain a colon prefix?

Datomic attribute names are not Strings, they are edn keywords. The prefix colon is required (and always stored, regardless of whether you specify it in code.) The optionality of the colon when working from languages that do not support a name literal (e.g. Java or Groovy) is intended as a convenience.

How to filter null or empty attributes from an Active Directory Query

I am working with a customers Active Directory which has a lot of cruft in it. There are hundreds of Users with empty givenName and sn attributes. I would like to filter any records that have an empty sn or an empty givenName from my query results as those records cannot be processed by my application.
This works as per my requirements but I believe there must be a better way to do it:
(&(objectClass=User)(|(!(!(sn=*))))(!(!(givenName=*)))))
Is there a more clear and concise way to accomplish this with an ldap query?

sn and givenName have as their superior the name attribute, which is of DirectoryString syntax, that is, the syntax is 1.3.6.1.4.1.1466.115.121.1.15. Attributes which are of syntax DirectoryString are not allowed to be null, that is, a DirectoryString is required to have at least one character.
The filter sn=* is a present filter (not a substring or regular expression), meaning that the entry would be filtered out of the possible search results if the sn attribute is not present (if it is present, it must have at least one character). Same for givenName=*.
A simpler filter might be '(&)', where the search request contains the following in its list of attributes to be returned: #User, which will return all attributes in the User objectClass for each entry that matches the filter, then have the application extract the sn and givenName attributes from each entry that is returned. If the number of entries returned is large, use the Simple Paged Results Request Control to throttle the number of entries returned to a more manageable value.
Or ... it might be that Active Directory is not LDAP compliant and does not support the inetOrgPerson objectClass and syntaxes of attributes therein correctly and does allow empty or null attributes values for DirectoryString attributes, though I can't imagine Microsoft would deliver a product that is not LDAP compliant.
see also
LDAP Programming Practices
RFC 4519

(!(!(givenName=*))) = (!givenName=*)
https://technet.microsoft.com/en-us/library/ee198810.aspx

In OWL, is it possible to query a class that does not have a property?

In OWL, is it possible to query a class that does not have a property?
Suppose I have an object property R and I want to retrieve all classes that do not have the property R. Also, suppose that I have already closed all classes with closures.
I was trying this:
suppose the propety in question is hasProperty, my query was this
hasProperty only Nothing
But it doesn't work

What do you mean by "class that does not have a property"?
Semantically, a class is a set of individuals and a property is a set of pairs of individuals. Given these two sets, what do you mean by "class has / has not a property"?
Regarding your example query
hasProperty only Nothing
lets rewrite it a bit so that we can think about it in natural language. This gives better intuition about the meaning of this query.
First lets rename hasProperty to follows (or whatever English verb), then we have:
follows only Nothing
This is semantically equivalent to
follows only (not Thing)
which is semantically equivalent to
not (follows some Thing)
Now we have gotten rid of the only which is a confusing part of OWL and is better avoided. So now we can verbalize the query in English as:
those who do not follow anything
or
who does not follow anything?
or more formally
which individuals of the ontology are known
not to have a follow relationship to any other individual
E.g. if your ontology states that
John does not follow Mary.
John does not follow himself.
Every individual in the ontology is either John or is Mary.
then John will be the answer to the above query.
You can also get a named class as the query answer if the asked restriction holds for a (named) group of individuals. In any case, the following must hold: if you asserted that the answer (or a member of it) does have a follow-relation to some individual then it would render the ontology inconsistent.

OWL does not have any means for querying the data. SPARQL is used for that. So the SPARQL query to find all class definitions that do not have the property :R would be:
SELECT ?cls
WHERE {
?cls a owl:Class .
FILTER NOT EXISTS {?cls :R ?o}
}