[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: (ITS#3432) back-sql enhancements

To: openldap-its@OpenLDAP.org
Subject: Re: (ITS#3432) back-sql enhancements
From: Kurt@OpenLDAP.org
Date: Mon, 3 Jan 2005 16:04:25 GMT

At 07:01 AM 1/3/2005, adamson@andrew.cmu.edu wrote:
>Example:
>An LDAP database has an entry "cn=adamson,dc=cmu,dc=edu"  of objectClass 
>"posixAccount", which has a subclass "cmuAccount" and the entry already 
>matches all of the MAY and MUST directives of the schema for both cmuAccount 
>and posixAccount.  Now the server receives this LDIF:
>
>   dn: cn=adamson,dc=cmu,dc=edu
>   changetype: modify
>   replace: objectClass
>   objectClass: cmuAccount
>   -
>
>what should the server do?

Making this change would violate the directory information
model, hence objectClassViolation would normally be returned.

However, in talking with some X.500 DSA developers, administrators,
through use of the ManageDSAIT extension, perform such updates.
That is, both a control and authorization to use it for this
purpose are needed.  I've been thinking about how to add this
capability to slapd(8).

>This patch #7 attempts to make the necessary changes in the RDBM to change the 
>objectClass of the entry.  If LDAP says that entries cannot change OC, then 
>yeah this is a bad patch.

Well, depending on how one checks for the control and authorization,
the patch might actually be okay.  Most of the checking should
well above the match (in object class violation checking routines).

We might move this discussion to -devel....

>    Thanks again for your time.
>
>
>        -Mark Adamson
>         Carnegie Mellon

Prev by Date: Re: (ITS#3432) back-sql enhancements
Next by Date: (ITS#3459) Selective replication producing extra blank lines that break replication
Index(es):
- Chronological
- Thread