
Re: ldap newbie



>>IMHO, all schemas should base themselves on the standard schemas,
>>wherever possible.  One of the points of LDAP is interoperability.  The
>>core schema are actually quite complete.
>I'm not sure what you mean by interoperability... I am hoping to
>complete this directory and then point a tacacs+ server at it to handle
>a lot of authentication... Most likely nothing except for the tacacs
>server and the net admins will ever access the directory directly.
> If you are telling me that tacacs won't be able to understand my

It depends upon the specific TACACS server.

>"home-brewed" schema, then please tell me b/c I will go back and rework
>the directory... on the other hand, If you mean that outlook clients
>won't be able to use it as an addressbook, I'm not so worried.

Ok.  I always assume that tomorrow the system will want to do something
I didn't foresee today.  The power of LDAP really is to place all the
"crap": users, groups, mail routing, access control, contacts,
preferences in one spot.

>I took this syntax from the open ldap documentation:
>http://www.openldap.org/doc/admin20/schema.html#Extending%20Schema
>QUOTE:===============================================
>attributeType ( 2.5.4.3 NAME
>                ( 'cn' $ 'commonName' ) SUP name )
>=====================================================
>If you are correct, it is just another example of the poor documentation
>IMHO

The schema files I'm looking at on my live LDAP server have no "$". 
Could be something has changed.  But poor documentation!  Never.... :)

>>>> attributetype ( jctAttrib:1 NAME ( 'jctMisparZehut' $ 'jctTZ' )
>>>>         DESC 'Identification Number associated with a person'
>>>>         EQUALITY numericStringMatch
>>>>         SYNTAX 1.3.6.1.4.1.1466.115.121.1.36{32768}
>>>>         SINGLE-VALUE
>>>>)
>maybe those would work but the meaning here is a government provided id
>number (like a social security number in the USA). Once again, the text
>name I used is much more user-friendly
>>Why no uidNumber, or x500UniqueIdentifier, or uniqueIdentifier;
>>whichever is most appropriate.

I disagree on this one.  uidNumber is for posixAccount, which is
always local.  And uniqueIdentifier is -

"The domain within which the identifier is unique, and the exact
semantics of the identifier, are for local definition.  For a person,
this might be an institution-wide payroll number.  For an organisational
unit, it might be a department code."