
Re: Aliased value of attribute



> I have been using OpenLDAP for 2 months.

Might not be enough ;)

> I use it to manage users in order to
> authenticate to several applications.
> I added a multivalued attribute called "InetServ" which is in charge
> of giving access or not to one or another application or web service.
> Until today this attribute has had the Distinguished Name
> (1.3.6.1.4.1.1466.115.121.1.12) type. As the name of a service can
> change, this solution is not satisfactory, since the dn would become wrong in
> all entries containing the dn of the service.
> So I would like to know whether it is possible or not to modify the
> type of this attribute so that it could be an alias pointing to the
> value of an attribute containing the name of the service. Therefore, if
> the name of the service changes, I am not obliged to change it in all
> entries.
>
> This feature would be very useful.

LDAP (and OpenLDAP) lets you do whatever you want, but it's the client
that has to implement functionalities.  In your case, it's the client that
modifies the DNs your entries reference that should make sure reference
attributes do not break.  First of all, I don't see how you could get into
a problem like this: entry naming should be abstract enough to allow you
to avoid modifying the names of entries you need to refer to.  If you
really need to do that, and your clients aren't smart enough to take care
of reference attributes, you may want to try slapo-refint(5), an overlay
that tries to preserve referential integrity for you.  Note that I used
"tries" since the absence of transactions (atomicity, in this case)
doesn't guarantee that concurrent deletion or renaming of referenced
entries leaves the database in a consistent state.  This might be
available in future versions of OpenLDAP, where an extension called LDAP
transactions will be implemented.  If slapo-refint(5) is not enough for
your purposes, you may need to code a more appropriate module yourself
that exactly fits your needs.  But first of all I'd try to answer this
question: is this at all needed, or is the design of your
server+application flawed?

p.



Ing. Pierangelo Masarati
Responsabile Open Solution
OpenLDAP Core Team

SysNet s.n.c.
Via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
------------------------------------------
Office:   +39.02.23998309          
Mobile:   +39.333.4963172
Email:    pierangelo.masarati@sys-net.it
------------------------------------------
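The slapo-refint(5) suggestion above, as an added cn=config example that is not part of the thread: it keeps the poster's "InetServ" attribute in DN syntax (refint only tracks DN-valued attributes) and lets the overlay rewrite those values when a service entry is renamed or deleted. The module path, the database index `{1}mdb`, the suffix `dc=example,dc=com` and the service entry names are placeholders, not values from the thread.

```ldif
# Added example, not from the original thread.
# 1) Load the refint module (path is an assumption; adjust to your build).
dn: cn=module,cn=config
changetype: add
objectClass: olcModuleList
cn: module
olcModulePath: /usr/lib/ldap
olcModuleLoad: refint.la

# 2) Attach the overlay to the database holding the user entries.
#    olcRefintAttribute lists the DN-syntax attributes to keep consistent;
#    olcRefintNothing is the placeholder DN substituted when the last value
#    would otherwise be removed from a schema-required attribute.
dn: olcOverlay=refint,olcDatabase={1}mdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcRefintConfig
olcOverlay: refint
olcRefintAttribute: InetServ
olcRefintNothing: cn=no-service,ou=services,dc=example,dc=com

# 3) A service rename, as the poster wants to do it (constructed sample).
#    Once refint is active, every user entry whose InetServ held
#    cn=webmail,ou=services,dc=example,dc=com is updated by the overlay to
#    cn=mail-portal,ou=services,dc=example,dc=com in the same operation.
dn: cn=webmail,ou=services,dc=example,dc=com
changetype: modrdn
newrdn: cn=mail-portal
deleteoldrdn: 1

# Verify after the rename (run with ldapsearch; the old DN must return
# no user entries, the new DN must return the same users as before):
#   ldapsearch -x -LLL -b dc=example,dc=com \
#     '(InetServ=cn=mail-portal,ou=services,dc=example,dc=com)' dn
```

As the reply notes, refint has no transactional guarantee: a concurrent delete or rename of the same service entry can still leave a dangling InetServ value, so a periodic search for values that no longer resolve is a sensible check.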