[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: ldap newbie

To: Yonah Russ <yonah@jct.ac.il>
Subject: Re: ldap newbie
From: Adam Williams <adam@morrison-ind.com>
Date: 10 Oct 2002 11:12:15 -0400
Cc: openldap <openldap-software@OpenLDAP.org>
In-reply-to: <1034251157.27638.243.camel@p-yonah>
References: <1034166480.27638.132.camel@p-yonah> <1034178823.27655.159.camel@p-yonah> <1034243257.29763.16.camel@estate1.whitemice.org> <1034251157.27638.243.camel@p-yonah>

>>IMHO, all schemas should base themselves on the standard schemas,
>>wherever possible.  One of the points of LDAP is interoperability.  The
>>core schema are actually quite complete.
>I'm not sure what you mean by interoperability... I am hoping to
>complete this directory and then point a tacacs+ server at it to handle
>a lot of authentication... Most likely nothing except for the tacacs
>server and the net admins will ever access the directory directly.
> If you are telling me that tacacs won't be able to understand my

It depends upon the specific TACAS server.

>"home-brewed" schema, then please tell me b/c I will go back and rework
>the directory... on the other hand, If you mean that outlook clients
>won't be able to use it as an addressbook, I'm not so worried.

Ok.  I always assume that tomorrow the system will want to do something
I didn't for see today.  The power of LDAP really is to place all the
"crap": users, groups, mail routing, access control, contacts,
preferences in one spot.

>I took this syntax from the open ldap documentation:
>http://www.openldap.org/doc/admin20/schema.html#Extending%20Schema
>QUOTE:===============================================
>attributeType ( 2.5.4.3 NAME
>                ( 'cn' $ 'commonName' ) SUP name )
>=====================================================
>If you are correct, it is just another example of the poor documentation
>IMHO

The schema files I'm looking at on my live LDAP server have no "$". 
Could be something has changed.  But poor documentation!  Never.... :)

>>>> attributetype ( jctAttrib:1 NAME ( 'jctMisparZehut' $ 'jctTZ' )
>>>>         DESC 'Identification Number associated with a person'
>>>>         EQUALITY numericStringMatch
>>>>         SYNTAX 1.3.6.1.4.1.1466.115.121.1.36{32768}
>>>>         SINGLE-VALUE
>>>>)
>maybe those would work but the meaning here is a government provided id
>number (like a social security number in the USA) once again- the text
>name I used is much more user friendly
>>Why no uidNumber, or x500UniqueIdentifier, or uniqueIdentifier;
>>whichever is most appropriate.

I disagree on this one.  uidNumber is for posixAccount,  which are
always local.  And uniqueIdentifier is -

"The domain within which the identifier is unique, and the exact
semantics of the identifier, are for local definition.  For a person,
this might be an institution-wide payroll number.  For an organisational
unit, it might be a department code."

Follow-Ups:
- ldap adding new entery
  - From: "Sundaram Ramasamy" <sun@percipia.com>

References:
- ldap newbie
  - From: Yonah Russ <yonah@jct.ac.il>
- Re: ldap newbie
  - From: Yonah Russ <yonah@jct.ac.il>
- Re: ldap newbie
  - From: Adam Williams <awilliam@whitemice.org>
- Re: ldap newbie
  - From: Yonah Russ <yonah@jct.ac.il>

Prev by Date: How to add user, password and configure for TLS
Next by Date: how to get ldap_mod_rdn2_s while insatlling OpenLDAP
Index(es):
- Chronological
- Thread