[Fedora-directory-users] Wishlist

Rich Megginson rmeggins at redhat.com
Fri Aug 26 14:15:50 UTC 2005 

Are the X.5xx documents available on-line?

Steven Bonneville wrote:

>Jeff Clowser wrote:
>
>  
>
>>Basically, part of the thread devolved to the idea of creating a single
>>user entry that has objectclasses:  inetorgperson, account,
>>posixaccount, shadowaccount, etc.  If I understand the response (see
>>below), this violates ldap standards because you are mixing in
>>structural objectclasses and that is not allowed(?)
>>
>>This is all I could find that came close - rfc2251 seems to say servers
>>may disallow changing structural objectclasses on an entry (to prevent
>>changing a user to a country, for example).  RFC 2252 actually seems to
>>specifically say you _can_ mix structural objectclasses in one entry.
>>    
>>
>
>Well, sort of.  What X.501 says and the LDAP RFCs follow is that an entry
>is characterized by exactly one *chain* of structural object classes that 
>has exactly one structural object class as the most subordinate object 
>class in the chain.  You then can add zero or more auxiliary object 
>classes to add more attributes.  So an entry structured as
>
>  objectclass: top
>  objectclass: person
>  objectclass: organizationalPerson
>  objectclass: inetOrgPerson
>  objectclass: posixAccount
>  objectclass: shadowAccount
>
>is legal.  The most subordinate structural object class is inetOrgPerson,
>which the schema says is a subclass of organizationalPerson, which is a
>subclass of person, which is a subclass of top.  The posixAccount and
>shadowAccount object classes are auxiliary, so no problem including those.
>Now, we can't add account as an object class of this entry, because it is
>a structural object class that is not part of the structural object class
>chain connecting inetOrgPerson to top, so we'd end up with two structural
>object class chains -- that's illegal.
>
>By using inetOrgPerson, you also have to include all of its superclasses.
>So you can't have inetOrgPerson without organizationalPerson, for example.
>
>If you can extend the schema, you can always derive a new structural 
>class from an existing one.  The parent structural class still appears 
>as an objectclass attribute of an entry since it is part of the superclass 
>chain of the structural object class of the entry.  Look at evolutionPerson 
>(in /usr/share/evolution-data-server-1.0/evolutionperson.schema on RHEL4)
>for an example.  It's derived from inetOrgPerson and therefore gets all its 
>attributes and the attributes of inetOrgPerson's superclasses.
>
>  -- Steve Bonneville
>
>--
>Fedora-directory-users mailing list
>Fedora-directory-users at redhat.com
>https://www.redhat.com/mailman/listinfo/fedora-directory-users
>  
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/fedora-directory-users/attachments/20050826/e8db419d/attachment.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3312 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/fedora-directory-users/attachments/20050826/e8db419d/attachment.bin>

More information about the Fedora-directory-users mailing list