[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: subschema clarifications (Was: I-D ACTION:draft-ietf-ldapbis-models-01.txt)





Timothy Hahn wrote:

Kurt,

I agree with you.

I was thinking of things like "pwdPolicy" in
draft-behera-ldap-password-policy-05.txt where the schema for that object
class is all userApplication, but the implication is that the server is
going to do something with the information.


One can consider the pwdPolicy objectclass as a Configuration entry that the server is using for himself. I don't think that all configuration entries of a directory server should only contain operational attributes because the server is using them. Operational attributes are more attributes that the server is maintaining itself, ie a user does not control the values.


Typically, all attributes used to control and enforce the password policy in the draft-behera-ldap-password-policy-05.txt are defined as operational attributes.

Regards,

Ludovic.



I would like to see the general guidelines you noted below (not allowing
non-userApplication attribute types to be added, only syntaxes/matching
rules that are supported, and don't publish operational attributes that
aren't supported) be further detailed and published.  Perhaps as a best
practice?

Regards,
Tim Hahn

Internet: hahnt@us.ibm.com
Internal: Timothy Hahn/Endicott/IBM@IBMUS or IBMUSM00(HAHNT)
phone: 607.752.6388     tie-line: 8/852.6388
fax: 607.752.3681



"Kurt D. Zeilenga" To: Timothy Hahn/Endicott/IBM@IBMUS <Kurt@OpenLDAP.or cc: ietf-ldapbis@OpenLDAP.org g> Subject: Re: subschema clarifications (Was: I-D ACTION:draft-ietf-ldapbis-models-01.txt) 05/31/2002 11:39 AM



At 06:43 AM 2002-05-31, Timothy Hahn wrote:

I think that this issue of "server capabilities" is becoming more and more
important.  I also think it extends beyond what schema elements are or
aren't supported by the server.


There certainly are server capabilities not directly associated with schema elements which the client might desire to discover support for (without resorting to trail and error).

I agree (in principle) with the notion that a server should not
include/advertise schema elements that it does not support all the
"semantics" of ... but this can get "dicey" in practice with deployments
adding schema elements (a server can't know what new schema elements MIGHT
be defined in the future that bring along other "semantic" requirements

...

thus a server would hard-pressed to disallow the schema elements from

being

added into the server's "advertised" schema.)


I think its fairly straight forward for a server to determine if there is an element specific semantic to be implemented and to disallow such from being added if it doesn't implement that semantic. For example, any non-userApplication attribute type has, by definition, a semantic to be implemented. And, of course, any ldapSyntax or matchingRule has a semantic to be implemented.

In the latest version of OpenLDAP, we allow administrators to
only add (using a non-LDAP mechanism) userApplication attributes
and object class composed only of userApplication attributes.
This keeps administrators from doing stupid things, like adding
some not implemented operational attribute to the subschema (and
then to entries).

We also don't publish operational attribute types definitions
we know of unless we support that operational attribute type.
For example, our server knows the definition for ditContentRule,
but we don't publish it because we don't implement it.

I would like to see some "standard" way for servers to identify the set of
features/functions that they support - e.g.: acl model, replication model,
password policy, alias support, etc.  Some of these imply server-based
processing that is "over and above" just allowing the associated schema
elements to be stored/retrieved to/from the server.

More and more reasons for looking hard at some "admin model" so that these
features can be constrained to "areas of the namespace" rather than
focussed on server instances.

Regards,
Tim Hahn

Internet: hahnt@us.ibm.com
Internal: Timothy Hahn/Endicott/IBM@IBMUS or IBMUSM00(HAHNT)
phone: 607.752.6388     tie-line: 8/852.6388
fax: 607.752.3681





                    "Kurt D. Zeilenga"


                    <Kurt@OpenLDAP.org>         To:

ietf-ldapbis@OpenLDAP.org

                    Sent by:                    cc:


                    owner-ietf-ldapbis@O        Subject:  subschema

clarifications (Was: I-D  ACTION:draft-ietf-ldapbis-models-01.txt)

                    penLDAP.org




                    05/31/2002 01:36 AM





At 07:47 AM 2002-05-30, Kurt D. Zeilenga wrote:

Summary of technical changes made:
- clarified schema publishing / discovery;

A little elaboration...

This revision includes clarifications aimed at resolving a
couple of subschema discovery issues.

Over the years, a number of questions have been raised
regarding how clients determine that a server supports
capabilities associated with elements of schema, in
particular, operational attributes.  For example, how
does a client determine whether a server supports
DIT Content Rules.

I've taken statements in Section 4.1.4 of RFC 2251 that
the attributeTypes attribute is used to indicate "support"
for an attribute type.  In -00 revision of the I-D, a
server indicated support for a number of capabilities
(such as DIT Content Rules) by publishing the definition(s)
of attribute type(s) associated with the capability.

But for this to be a clear indication of support, it is
necessary to disallow servers which don't support the feature

from publishing the defintions associated with that feature.

Hence, the -01 revision includes the statement:

 A server SHALL only publish schema definitions for
 elements it supports.

Without this, the discovery mechanism would be fundamentally
broken.

However, the added statement can be viewed as inconsistent
with other statements made in existing "core" technical
specification.  So, it might be appropriate to clarify
that the subschema mechanism is not capability discovery
mechanism.  If so, do we need one or can we live with
trial and error discovery mechanism?  (Personally, I can
live with trail and error, that's what most clients will
do anyways.)








-- Ludovic Poitou Sun Microsystems Inc. Sun ONE products - Directory Server Group - Grenoble - France