
RE: Why is LDAP so complex?



> -----Original Message-----
> From: owner-openldap-software@OpenLDAP.org
> [mailto:owner-openldap-software@OpenLDAP.org] On Behalf Of Tony Bibbs

> OK, I'm a bit frustrated with LDAP...partly because sometimes I rush
> things and make stupid mistakes, but also in part because LDAP is much more
> complicated than I think it should be.

> Has anyone thought to write a set of programs that turns the cryptic
> LDAP syntaxes into more of a usable system?
>
> For example, LDIF files are a joke to me.  Maybe I should rest assured
> knowing that understanding them now affords me a degree of job security
> but why not simplify it.  Here's an example of what I'd like to see
> happen
>
> Take this example (taken right from the openldap quick-start guide)
>
> dn: dc=example,dc=com
> objectclass: dcObject
> objectclass: organization
> o: Example Company
> dc: example
>
> dn: cn=Manager,dc=example,dc=com
> objectclass: organizationalRole
> cn: Manager
>
> Why not create a simple object'ish language that allows all that to be
> defined as follows:
>
> $myentry1 = New LDAP_ENTRY("example.com");
> $myentry1.InheritClass("dcObject");
> $myentry1.InheritClass("organization");
> $myentry1.o = "Example Company";
> $myentry1.dc ="example";
> $myentry1.add();
>
> $myentry2 = New LDAP_ENTRY("manager.example.com");
> $myentry2.InheritClass("organizationalRole");
> $myentry2.cn = "Manager";
> $myentry2.add();
>
> The idea here is that the above could be run through some sort of LDAP
> interpreter that would then check syntaxes and give more useful
> messages (errors or otherwise) that aid in deploying LDAP.

Maybe it's just me, but that looks like about twice as much text and
still no simpler.

> Similarly something needs to be done about object class definitions.
>
> Specifically I shouldn't have to put 1.3.6.1.4.1.1466.115.121.1.27 for
> integer data types but, rather, LDAP_INT (they already did something
> like this for matching rules, why not for data types?).

Two comments here - the original X.500 spec used text names for data types.
The type names (syntaxes, actually) were intrinsic to the ASN.1 specification.
Something was lost in the translation to LDAP. Also, types had no OIDs in the
original X.500 spec (but they do now).

I wish the LDAP specs had been written with meaningful text names from the
start, but it's too late for that now. In the meantime, I introduced OID macros
in slapd to address this very problem. I personally believe it makes things a
lot more readable and human-friendly but they're not used much because they're
non-standard. For your example, try

objectIdentifier LDAP_INT 1.3.6.1.4.1.1466.115.121.1.27

and then feel free to use LDAP_INT in the rest of your schema definitions.

> Again, that would be 10 times more readable, easier to use, and lets me
> worry about solving my problem with LDAP and not so much with LDAP
> itself.
>
> Ok, I'm done ranting.
>
> --Tony

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support
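
To show how the objectIdentifier macros described above fit into a schema, here is an added slapd.conf fragment; it is not from the thread or from the OpenLDAP distribution. The two syntax OIDs (Integer 1.3.6.1.4.1.1466.115.121.1.27 and Directory String 1.3.6.1.4.1.1466.115.121.1.15) are the standard ones; the 1.1 arc, the myOID/myAttrs/myOCs macros and the attribute and object class names are placeholders, not registered OIDs.

```conf
# Added example: slapd.conf schema fragment built on objectIdentifier macros.

# Macro names for two standard LDAP syntaxes (RFC-defined OIDs).
objectIdentifier LDAP_INT      1.3.6.1.4.1.1466.115.121.1.27
objectIdentifier LDAP_DIRSTR   1.3.6.1.4.1.1466.115.121.1.15

# Placeholder private arc: 1.1 is NOT a registered OID. Replace it with an
# arc assigned to your organisation before loading this into a real server.
objectIdentifier myOID         1.1

# Macros can be derived from other macros with the name:suffix form,
# which keeps attribute and object class OIDs under one arc.
objectIdentifier myAttrs       myOID:1
objectIdentifier myOCs         myOID:2

# Attribute types name their syntax by macro instead of numeric OID.
attributetype ( myAttrs:1 NAME 'myLoginCount'
    DESC 'Number of successful logins (placeholder attribute)'
    EQUALITY integerMatch
    ORDERING integerOrderingMatch
    SYNTAX LDAP_INT
    SINGLE-VALUE )

attributetype ( myAttrs:2 NAME 'myCostCenter'
    DESC 'Cost center label (placeholder attribute)'
    EQUALITY caseIgnoreMatch
    SUBSTR caseIgnoreSubstringsMatch
    SYNTAX LDAP_DIRSTR )

# The object class OID is expanded from the myOCs macro the same way.
objectclass ( myOCs:1 NAME 'myAccount'
    DESC 'Auxiliary class carrying the placeholder attributes'
    SUP top AUXILIARY
    MAY ( myLoginCount $ myCostCenter ) )
```

slapd expands each macro when the schema is loaded, so the numeric OIDs still appear in the subschema subentry that clients read; only the configuration file becomes readable.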