So to follow your example, the filter would be
"(objectclass=strongAuthenticationUser)". And only those DNs that are of
that OC would be returned.

Food for thought.

Bob Joslin
Hewlett-Packard Company.

> -----Original Message-----
> From: Bruce Greenblatt [mailto:bgreenblatt@directory-applications.com]
> Sent: Tuesday, May 22, 2001 10:45 AM
> To: ietf-ldapext@netscape.com
> Subject: new control for filtering dn attribute values based upon their
> object class
>
>
> I've defined a new control which is the result of helping several customers
> with their LDAP-enabled applications. They often end up with entries that
> have attributes that have long lists of distinguished names as their
> values. Groups and mailing lists are object classes that unfortunately
> often end up this way. Independent of my views on whether it is a good
> idea to have a zillion values in a single attribute, customers' DITs have
> them, and they are reluctant to change the DIT. There are many problems
> that result from this scenario. This draft defines a control that solves
> one of them. The problem in question arises when the DNs in the attribute
> values refer to entries of several different object classes.
>
> http://search.ietf.org/internet-drafts/draft-greenblatt-dn-type-00.txt
>
> One good example of how this control would be used is for the retrieval of
> only those DN values which refer to an entry that has a certificate (i.e.
> has the strongAuthenticationUser object class). Additionally, this control
> also allows the client to request that the LDAP server "tag" each returned
> DN attribute value with the object class(es) of the entry to which it
> refers. Comments welcome.
>
> Bruce
>
>
> ==============================================
> Bruce Greenblatt, Ph. D.
> Directory Tools and Application Services, Inc.
> http://www.directory-applications.com
>
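
The behaviour discussed in this thread can be modelled over an in-memory directory. The following is an added example, not code from the thread or from the draft; it models only the semantics described in the messages (filter DN values by the object class of the entry they name, optionally tagging each value), not the draft's wire encoding. The directory contents, the function names and the simplified DN normalization are assumptions.

```python
import re

# Constructed sample directory (not from the thread): DN -> attributes.
DIRECTORY = {
    "cn=staff,ou=groups,dc=example,dc=com": {
        "objectclass": ["top", "groupOfNames"],
        "member": [
            "CN=Alice, OU=People, DC=example, DC=com",   # differs only in case/spacing
            "cn=bob,ou=people,dc=example,dc=com",
            "cn=printers,ou=groups,dc=example,dc=com",
            "cn=ghost,ou=people,dc=example,dc=com",      # dangling reference
        ],
    },
    "cn=alice,ou=people,dc=example,dc=com": {
        "objectclass": ["top", "person", "strongAuthenticationUser"]},
    "cn=bob,ou=people,dc=example,dc=com": {"objectclass": ["top", "person"]},
    "cn=printers,ou=groups,dc=example,dc=com": {"objectclass": ["top", "groupOfNames"]},
}

# Only the single-assertion filter form used in the thread is accepted.
OC_FILTER = re.compile(r"^\(objectclass=([A-Za-z0-9.-]+)\)$", re.IGNORECASE)

def normalize_dn(dn):
    """Simplified DN comparison key: lowercase, trim around ',' and '='.
    Assumption: no escaped commas or multi-valued RDNs in the sample data."""
    rdns = (rdn.split("=", 1) for rdn in dn.lower().split(","))
    return ",".join("=".join(part.strip() for part in rdn) for rdn in rdns)

def filter_dn_values(directory, entry_dn, attr, oc_filter, tag=False):
    """Return the DN values of `attr` whose target entry matches `oc_filter`.
    With tag=True each value is paired with the target's object classes."""
    match = OC_FILTER.match(oc_filter.strip())
    if not match:
        raise ValueError("expected a filter of the form (objectclass=NAME)")
    wanted = match.group(1).lower()
    index = {normalize_dn(dn): attrs for dn, attrs in directory.items()}
    kept = []
    for value in index[normalize_dn(entry_dn)].get(attr, []):
        target = index.get(normalize_dn(value))
        if target is None:
            continue  # dangling DN: no entry, so nothing to match against
        classes = target.get("objectclass", [])
        if wanted in (c.lower() for c in classes):
            kept.append((value, list(classes)) if tag else value)
    return kept
```

Without such a control, a client gets the same result only by reading every member value and looking up each referenced entry itself, which is the cost the original message is trying to avoid for very large groups.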