[Date Prev][Date Next] [Chronological] [Thread] [Top]

subschemaSubentry within the root DSE



As discussed previously (LDAPext, LDAPbis lists), RFC 2251
Section 3.4 use of subschemaSubentry is significantly flawed.

The following attributes of the root DSE are defined in section 5 of
[5].  Additional attributes may be defined in other documents.  
  ...
   - subschemaSubentry: subschema entries (or subentries) known by this
     server.

The subschemaSubentry attribute, like all other subschemaSubentry,
should provide the name of the entry (or subentry) containing
the subschema controlling the entry.  That is, the
subschemaSubentry attribute contained in the root DSE should
refer to the particular subschema subentry containing the
subschema controlling the root DSE itself.

I note that 3.4 use calls for the subschemaSubentry to be used
in a manner which is clearly inconsistent with the primary use
of subschemaSubentry [and its description (as single-valued and
directoryOperation)].

Hence, I suggest the following changes be made to RFC 2251:

The 3.4 text:
   - subschemaSubentry: subschema entries (or subentries) known by this
     server.

be replaced with:
   - subchemaSubentry: the name of the subschema entry containing the
	schema controlling the root DSE.

The 3.4 text:
   If the server does not master entries and does not know the locations
   of schema information, the subschemaSubentry attribute is not present
   in the root DSE.  If the server masters directory entries under one
   or more schema rules, there may be any number of values of the
   subschemaSubentry attribute in the root DSE.

be deleted.

Section 6.2 text:
   The client can retrieve the subschema entries referenced by
   the subschemaSubentry attribute in the server's root DSE or
   in entries held by the server.

be replaced with:
   The client can obtain the name of the subschema entry (or
   subentry) controlling a particular entry by retrieve that
   entry's subschemaSubentry attribute.

These changes make the use of subschemaSubentry attribute consistent
throughout the LDAP technical specification and with X.500.

The addition of a note that LDAP does not address the subschema
chicken and egg problem (discovery of schema controlling a yet
to be added entry at the root of a subschema administrative
area) might be also be appropriate.

Kurt