
Re: Oracle OpenLDAP PPolicy ppolicy and the hierarchy
Christian Kratzer writes:
>On Wed, 25 Dec 2013, Howard Chu wrote:
>> Was going to reply but Michael beat me to it. Reiterating all the points 
>> Michael made. There is no good reason to use memberUid or uniqueMember in 
>> LDAP, both of these schema elements are deeply flawed.
> 
> thanks to both of you for bringing this up once more.
> 
> I was always intending to ask what the original use case for groupOfUniqueNames
> actually was as I totally fail to see the point in the uniqueMember attributes.

I don't see a rationale in X.520, but RFCs 4517 and 4519 say the
bitstring can be used to differentiate objects with identical or
reused DNs.  Different versions of someone's certificate, maybe?

Except that doesn't work for uniqueMember in X.500: If you search for
(DN, bitstring), it matches an object with the DN and no bitstring - but
not vice versa.  Nobody in the X.500 community remembered why when we
asked, so in the LDAP standard we made the matching rule commutative.

Thus LDAP's uniqueMember probably doesn't even work right for its
original purpose, which nobody quite remembers anyway, but at least
it's no longer an implementation headache in the server.

-- 
Hallvard
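The matching-rule difference Hallvard describes, modelled as an added example that is not part of this thread or of OpenLDAP's code: values are parsed using the NameAndOptionalUID form (a DN optionally followed by `#` and a bit string such as `'0101'B`), the LDAP rule follows RFC 4517's symmetric uniqueMemberMatch, and the X.500 variant reproduces the one-way behaviour from the message. The DN normalization is a deliberately simplified stand-in for distinguishedNameMatch, the sample values are constructed, and "equal bit strings on both sides match" is assumed for the X.500 variant.

```python
# Added example, not from the mailing-list thread or the OpenLDAP code base.
# Models uniqueMember matching: RFC 4517 (symmetric) versus the asymmetric
# X.500 behaviour described in the message above.
import re
from typing import Callable, Iterable, NamedTuple, Optional

# Bit string per RFC 4517: SQUOTE *binary-digit SQUOTE "B", e.g. '0101'B
BITSTRING_RE = re.compile(r"^'([01]*)'B$")


class NameAndUID(NamedTuple):
    dn: str               # normalized distinguished name
    uid: Optional[str]    # bit-string digits, or None when absent


def normalize_dn(dn: str) -> str:
    """Simplified distinguishedNameMatch normalization (assumption, not a
    full RFC 4514 parser): lowercase types and values, trim whitespace.
    Escaped commas and multi-valued RDNs are not handled."""
    rdns = []
    for rdn in dn.split(","):
        attr, sep, value = rdn.partition("=")
        if not sep:
            raise ValueError(f"bad RDN: {rdn!r}")
        rdns.append(f"{attr.strip().lower()}={value.strip().lower()}")
    return ",".join(rdns)


def parse_unique_member(value: str) -> NameAndUID:
    """Split a uniqueMember value into its DN and optional bit string."""
    dn_part, sep, tail = value.rpartition("#")
    if sep:
        m = BITSTRING_RE.match(tail.strip())
        if m is not None:
            return NameAndUID(normalize_dn(dn_part), m.group(1))
    # No '#', or the '#' was not followed by a bit string: whole value is a DN
    return NameAndUID(normalize_dn(value), None)


def ldap_unique_member_match(attr_value: str, assertion: str) -> bool:
    """RFC 4517 uniqueMemberMatch: DNs match and the bit string is either
    absent from both sides or present and equal on both sides. Symmetric."""
    a, b = parse_unique_member(attr_value), parse_unique_member(assertion)
    if a.dn != b.dn:
        return False
    if a.uid is None and b.uid is None:
        return True
    return a.uid is not None and b.uid is not None and a.uid == b.uid


def x500_unique_member_match(attr_value: str, assertion: str) -> bool:
    """Asymmetric behaviour described in the message: an assertion that
    carries a bit string also matches a stored value with no bit string,
    but a bare-DN assertion does not match a stored value that has one.
    Equal bit strings on both sides are assumed to match."""
    a, b = parse_unique_member(attr_value), parse_unique_member(assertion)
    if a.dn != b.dn:
        return False
    if a.uid is None:
        return True   # stored value has no bit string: any assertion with this DN matches
    return b.uid is not None and a.uid == b.uid


def is_commutative(rule: Callable[[str, str], bool], values: Iterable[str]) -> bool:
    """True if rule(x, y) == rule(y, x) for every pair drawn from values."""
    vals = list(values)
    return all(rule(x, y) == rule(y, x) for x in vals for y in vals)


# Constructed sample values: same DN with and without a bit string, plus a
# different bit string and a different DN.
SAMPLE_VALUES = [
    "cn=Alice,dc=example,dc=com",
    "cn=Alice,dc=example,dc=com#'0101'B",
    "CN=alice, DC=example, DC=com#'0110'B",
    "cn=Bob,dc=example,dc=com#'0101'B",
]


def compare_rules(values: Iterable[str] = SAMPLE_VALUES) -> dict:
    """Report whether each rule is commutative over the sample values."""
    vals = list(values)
    return {
        "ldap_commutative": is_commutative(ldap_unique_member_match, vals),
        "x500_commutative": is_commutative(x500_unique_member_match, vals),
    }


if __name__ == "__main__":
    for name, result in compare_rules().items():
        print(f"{name}: {result}")
```

Running the block prints that the LDAP rule is commutative over the samples and the X.500 variant is not, which is the asymmetry that the message says the LDAP standard removed.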