Attribute Description Hierarchies and Policy Administration

["Kurt D. Zeilenga" <Kurt@OpenLDAP.org>]

Steven Legg, Jim McMeeking, and I had a brief discussion regarding how
attribute descriptions hierarchies affect policy administration.
ldapbis-models was a bit unclear. We came up with the following
text for section 2.5.3 (replacing portions discussing subschema
and other policy administration) which should clarifying this.

  For the purpose of subschema administration of the entry, a required
  attribute requirement is fulfilled if the entry contains a value
  of an attribute description belonging to an attribute hierarchy if   
  the attribute type of that description is the same as the required
  attribute's type.  That is, a "MUST name" requirement is fulfilled
  by 'name' or 'name;x-tag-option', but is not fulfilled by 'CN' nor 
  by 'CN;x-tag-option'.  Likewise, an entry may contain a value of 
  an attribute description belonging to an attribute hierarchy if the
  attribute type of that description is either explicitly included
  in the definition of an object class to which the entry belongs or 
  allowed by the DIT content rule applicable to that entry permits   
  it.  That is, 'name' and 'name;x-tag-option' are allowed by "MAY 
  name" (or by "MUST name"), but 'CN' and 'CN;x-tag-option' are not        
  allowed by "MAY name" (nor by "MUST name").

  For the purposes of other policy administration, unless stated  
  otherwise in the specification of particular administrative model,  
  all of the attribute descriptions in an attribute hierarchy are  
  treated as distinct and unrelated descriptions.

Comments?

Kurt