[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: requirements for accessing schema in DIT

Kurt D. Zeilenga wrote:
At 03:31 PM 2/6/2006, Howard Chu wrote:
Brandon McCombs wrote:
What is required to get openldap to allow the schema to be viewed as part of the DIT?
Viewing the schema has been supported since OpenLDAP 2.0. Just look for the subschemasubentry in the rootDSE, same as for any LDAPv3 compliant server.

s/rootDSE/target entry/

The subschemaSubentry of an entry (including the root DSE) provides
the name of subschema subentry controlling that entry.  Though
only a single subschema is allowed in slapd(8), this is a current
slapd(8) specific limitation.  In the X.500/LDAP model, different
entries (even within a naming context) can be controlled by different
subschemas and hence have different subschemaSubentry values.
That is, a client should not rely on values of subschemaSubentry
being the same for all entries (including the root DSE) held by
a server.

This is discussed in Section 4 of draft-ietf-ldapbis-models-xx.txt,
a copy of which is provided in doc/drafts. (Note that this
document has been approved for publication as a Standards Track
RFC.)

Yes.... In practice having multiple distinct schema within a directory is pretty unmanageable. E.g., using different schema in different subtrees means that input validation must be deferred until the last possible moment (after DN navigation/resolution is completed), and that moving valid entries around the tree (via ModDN) may cause unexpected schema violations.

Of course, when a particular DIT is actually distributed across multiple servers, it's not uncommon to encounter schema differences. But from a usability standpoint it's better to have a uniform schema across the entire DIT and I think most sites are better off treating the entire DIT as such.

--
 -- Howard Chu
 Chief Architect, Symas Corp.  http://www.symas.com
 Director, Highland Sun        http://highlandsun.com/hyc
 OpenLDAP Core Team            http://www.openldap.org/project/