[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: subschema clarifications (Was: I-D ACTION:draft-ietf-ldapbis-models-01.txt)



We would also have to state that an operational attribute cannot be
added to the MUST or MAY list of any objectclass when it is known that
the attribute has semantic meanings when paired with certain object
classes (i.e. ref and referral).

Jim

>>> "Timothy Hahn" <hahnt@us.ibm.com> 05/31/02 01:23PM >>>

Kurt,

I agree with you.

I was thinking of things like "pwdPolicy" in
draft-behera-ldap-password-policy-05.txt where the schema for that
object
class is all userApplication, but the implication is that the server
is
going to do something with the information.

I would like to see the general guidelines you noted below (not
allowing
non-userApplication attribute types to be added, only
syntaxes/matching
rules that are supported, and don't publish operational attributes
that
aren't supported) be further detailed and published.  Perhaps as a
best
practice?

Regards,
Tim Hahn

Internet: hahnt@us.ibm.com 
Internal: Timothy Hahn/Endicott/IBM@IBMUS or IBMUSM00(HAHNT)
phone: 607.752.6388     tie-line: 8/852.6388
fax: 607.752.3681



                                                                       
                                                               
                      "Kurt D.                                         
                                                               
                      Zeilenga"                To:       Timothy
Hahn/Endicott/IBM@IBMUS                                               
                      <Kurt@OpenLDAP.or        cc:      
ietf-ldapbis@OpenLDAP.org                                            
        
                      g>                       Subject:  Re: subschema
clarifications (Was: I-D                                        
                                               
ACTION:draft-ietf-ldapbis-models-01.txt)                                
              
                      05/31/2002 11:39                                 
                                                               
                      AM                                               
                                                               
                                                                       
                                                               
                                                                       
                                                               



At 06:43 AM 2002-05-31, Timothy Hahn wrote:
>I think that this issue of "server capabilities" is becoming more and
more
>important.  I also think it extends beyond what schema elements are
or
>aren't supported by the server.

There certainly are server capabilities not directly associated
with schema elements which the client might desire to discover
support for (without resorting to trail and error).

>I agree (in principle) with the notion that a server should not
>include/advertise schema elements that it does not support all the
>"semantics" of ... but this can get "dicey" in practice with
deployments
>adding schema elements (a server can't know what new schema elements
MIGHT
>be defined in the future that bring along other "semantic"
requirements
..
>thus a server would hard-pressed to disallow the schema elements from
being
>added into the server's "advertised" schema.)

I think its fairly straight forward for a server to determine
if there is an element specific semantic to be implemented and
to disallow such from being added if it doesn't implement that
semantic.  For example, any non-userApplication attribute type
has, by definition, a semantic to be implemented.  And, of course,
any ldapSyntax or matchingRule has a semantic to be implemented.

In the latest version of OpenLDAP, we allow administrators to
only add (using a non-LDAP mechanism) userApplication attributes
and object class composed only of userApplication attributes.
This keeps administrators from doing stupid things, like adding
some not implemented operational attribute to the subschema (and
then to entries).

We also don't publish operational attribute types definitions
we know of unless we support that operational attribute type.
For example, our server knows the definition for ditContentRule,
but we don't publish it because we don't implement it.

>I would like to see some "standard" way for servers to identify the
set of
>features/functions that they support - e.g.: acl model, replication
model,
>password policy, alias support, etc.  Some of these imply
server-based
>processing that is "over and above" just allowing the associated
schema
>elements to be stored/retrieved to/from the server.
>
>More and more reasons for looking hard at some "admin model" so that
these
>features can be constrained to "areas of the namespace" rather than
>focussed on server instances.
>
>Regards,
>Tim Hahn
>
>Internet: hahnt@us.ibm.com 
>Internal: Timothy Hahn/Endicott/IBM@IBMUS or IBMUSM00(HAHNT)
>phone: 607.752.6388     tie-line: 8/852.6388
>fax: 607.752.3681
>
>
>
>

>                      "Kurt D. Zeilenga"

>                      <Kurt@OpenLDAP.org>         To:
ietf-ldapbis@OpenLDAP.org 

>                      Sent by:                    cc:

>                      owner-ietf-ldapbis@O        Subject:  subschema
clarifications (Was: I-D  ACTION:draft-ietf-ldapbis-models-01.txt)
>                      penLDAP.org

>

>

>                      05/31/2002 01:36 AM
>

>

>
>
>
>At 07:47 AM 2002-05-30, Kurt D. Zeilenga wrote:
>>Summary of technical changes made:
>>  - clarified schema publishing / discovery;
>
>A little elaboration...
>
>This revision includes clarifications aimed at resolving a
>couple of subschema discovery issues.
>
>Over the years, a number of questions have been raised
>regarding how clients determine that a server supports
>capabilities associated with elements of schema, in
>particular, operational attributes.  For example, how
>does a client determine whether a server supports
>DIT Content Rules.
>
>I've taken statements in Section 4.1.4 of RFC 2251 that
>the attributeTypes attribute is used to indicate "support"
>for an attribute type.  In -00 revision of the I-D, a
>server indicated support for a number of capabilities
>(such as DIT Content Rules) by publishing the definition(s)
>of attribute type(s) associated with the capability.
>
>But for this to be a clear indication of support, it is
>necessary to disallow servers which don't support the feature
>from publishing the defintions associated with that feature.
>Hence, the -01 revision includes the statement:
>
>   A server SHALL only publish schema definitions for
>   elements it supports.
>
>Without this, the discovery mechanism would be fundamentally
>broken.
>
>However, the added statement can be viewed as inconsistent
>with other statements made in existing "core" technical
>specification.  So, it might be appropriate to clarify
>that the subschema mechanism is not capability discovery
>mechanism.  If so, do we need one or can we live with
>trial and error discovery mechanism?  (Personally, I can
>live with trail and error, that's what most clients will
>do anyways.)