[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
RE: structural objectclass checking
- To: <openldap-technical@openldap.org>
- Subject: RE: structural objectclass checking
- From: <Markus.Storm@t-systems.com>
- Date: Thu, 9 Jan 2020 15:35:24 +0000
- Accept-language: de-DE, en-US
- Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=t-systems.com; dmarc=pass action=none header.from=t-systems.com; dkim=pass header.d=t-systems.com; arc=none
- Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=eYEzuyH6I6MhnNc0KysIIhuOx0NOsM3mvIzy/Sx4BuE=; b=gwfGh72Q0gvh7OYWiFU1N9bLyq8QswkacDkF8NAg1B92Ga8NQo0IvQr3J3F+fIfGfjq4kjRvbGVJfxsKpkO1BiRqc9LgJ+EgzhZAYAbjKwnaP7h4FWaHYSsC5Egg5zOEvQpEyzYYXZ8lVs3X3cOG59nWEvG/OFOQf/8AYhVH6cHP1HuQw5QObadDqWAYhBuDy0u/KlAGoVlmUiz4aTk70EzB1w7Tik2RhlCeYhwyDBcZPsM+hUvcrKNvB9VcVVX7+IoK1Y9nXG64rHAYM/ayy2dDyFvlAs0d7/XvOZSOSXGNeUq3bSOpggHms37warh/6ZH/cbgM8XUFoJRTvcEsPA==
- Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=K/qJ/hhBtOszmH184Oi3x5SOZTLkhlVsfg1ydYQHCAqYQl3CtWf3Z83nMwEoOWmXyO8vofgCf+gFeZy4ndfVZW39j2TiyCrhIfvne00uGA3hZkMQwnOYnzxnLkaHU90sqvNKNuMUIRU4Zn8amUxirCeHjYwY6NcEaUZa1q2D2ga1G5tTV31Sij77D7PYLdHsdHSsSCiAF0jU1mFHzPDlg4awIlGVY69wsx5EfWjh7c+RVehBmz6Jdahyvv/9Te2Zu+XWlRux2mRerAAU5z8mCg3QogwVDqDqT7Wy8NOU7Rmzs2GgZdVm8PLEFZbRhbaA337MX/NE5Pyg9L6qdfmsGQ==
- Authentication-results: spf=none (sender IP is ) smtp.mailfrom=Markus.Storm@t-systems.com;
- Content-language: de-DE
- Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=t-systems.com; i=@t-systems.com; q=dns/txt; s=mail; t=1578583838; x=1610119838; h=from:to:subject:date:message-id:references:in-reply-to: content-transfer-encoding:mime-version; bh=eYEzuyH6I6MhnNc0KysIIhuOx0NOsM3mvIzy/Sx4BuE=; b=jQPmczT2B4/5eYgHEWIojfMaC5CilThhW0+BNWGwEoNGWlK7ZjMJh1Nv eeLJJBZgKJ/NKgXCsZ9uxH/Z4z02iWuezWrEosOVBnNB0uG3GK9naquZB MhwZdy5T5WUVPBzqkskEC/8VZ0bwndPng+NkvAMMtBFGPRI0ORwBcalw0 A6FnP+p5PlElSAP+h8bVHQgexTHR22B4AfxUHu/oWr6m/gsGp4wYJSNh/ dzOoMfMbLYKbwxtVtxScfuL6sbhu0t7zmOl9qLiTdIH8/DluhDpIR/ipp i9C1S7hTl3TToukd3ThTH3sxfPmAY60P+ACsTC7ISFXcRkYF9jfNGlBm7 Q==;
- In-reply-to: <9e3dae6b-cd82-f308-1632-e3ac0de07ba9@stroeder.com>
- Ironport-sdr: HOYYs3CFTCzEGE1aucZPcQ4ghmsjdFGewvR+cp/KmJDe/yo35Nyo+eJl8A76VFbF1JtFyG3m+i kXtoiax/BsiA==
- Ironport-sdr: G6BePpeg9/TvW0GGQaXEkZq+ZU0k35DgUs/ga6qtoGYbIk87ji1g2+t7+2vkwVzHEcNOVelqy1 fcmcAz+iB2/w==
- References: <LEJPR01MB017032248F597DFB218E2B94D03E0@LEJPR01MB0170.DEUPRD01.PROD.OUTLOOK.DE> <13EAABA2D0CBE9297CA74B75@[192.168.1.144]> <9e3dae6b-cd82-f308-1632-e3ac0de07ba9@stroeder.com>
- Thread-index: AdXGNU8z0aQAoYK5RtWOCqVNm+W4AwAGS68AAB8IaAAADFNn8A==
- Thread-topic: structural objectclass checking
Thanks Michael for that idea. But that would mean to assign that new group to every entry that has 2 structural objectclasses today, wouldn't it?
So it would require me to change the upstream data e.g. replace posixGroup by aeGroup and remove groupOfURLs (to stick with your example) and the application as there's applications to search for e.g.
&(objectclass=posixGroup)(objectclass=groupOfURLs).
And I would need to fix future entries on the fly (rwm module in replication??)
Guess that won't work out, possibly still easier to work around this in the source code.
Any opinions on that from people to know the source better than I do ?
Best regards
Markus
> -----Original Message-----
> From: Michael Ströder <michael@stroeder.com>
> Sent: Thursday, January 9, 2020 9:56 AM
> To: Storm, Markus <Markus.Storm@t-systems.com>; openldap-
> technical@openldap.org
> Subject: Re: structural objectclass checking
>
> On 1/8/20 7:07 PM, Quanah Gibson-Mount wrote:
> > --On Wednesday, January 8, 2020 3:25 PM +0000
> > Markus.Storm@t-systems.com
> > wrote:
> >
> >> is there a way to disable OpenLDAP checking entries for existence of
> >> STRUCTURAL objectclasses?
> >
> > No. This is a hard requirement. The best option would be to fix the
> > bad data in your upstream system.
>
> One possibility to fix this:
> Define a new STRUCTURAL object class derived from different other
> STRUCTURAL object classes.
>
> E.g. in Æ-DIR I'm using this to provide hybrid posixGroup entries serving RFC
> 2307 and RFC 2307bis groups:
>
> ( 1.3.6.1.4.1.5427.1.389.100.6.1
> NAME 'aeGroup'
> DESC 'AE-DIR: Group entry'
> SUP ( groupOfEntries $ posixGroup $ groupOfURLs $ aeObject )
> STRUCTURAL
> MUST description
> MAY ( aeMemberZone $ aeDept $ aeLocation ) )
>
> This works because unlike other LDAP directory servers OpenLDAP supports
> multiple class inheritance.
>
> Ciao, Michael.