RE: More on DIT content rules

["Volpers, Helmut" <helmut.volpers@siemens.com>]

Title: Message

Jim, I agree with you that it is nice for the server to control which objects can have which auxiliary ObjectClasses.

It is the same for DITStructureRules, it is a nice thing that the server (administrator) control the tree. We have implemented

this since years, but there are a lot of applications which needs the feature that I can give to a special object

a auxiliary ObjectClass and then I can give a new set of attributes to this entry.

That's the way the most LDAPServers works today.

If you will be more restrictive by stronger schema checks you will break some applications where we hve to

decide whether we want that.

I think we should let it optional whether a server checks against DitContentRules and DitStructureRules.

 

Helmut

 

A lot of products delivers LDIF files for  the schema extensions they need and the most of them only delivers

AttributeTypes and ObjectClasses and it works.

-----Original Message-----
From: Jim Sermersheim [mailto:jimse@novell.com]
Sent: Thursday, October 30, 2003 3:50 PM
To: ietf-ldapbis@OpenLDAP.org
Subject: Re: More on DIT content rules

Maybe I'm strange, but I like it. It allows server implementations to use this mechanism to control and advertise things such as which objects to expect what operational attributes to be available.

 

I don't doubt that as things progress, some implementations will auto-add certain DIT content rules to certain types of object classes when they are added. As well as perhaps invent other mechanisms that make the addition of aux classes more seamless than it would seem on the surface.

 

Jim

>>> John McMeeking <jmcmeek@us.ibm.com> 10/30/03 6:17:54 AM >>>




I think the equivalent statements from X.501 are:

----------
If no DIT content rule is present for a structural object class, then
entries of that class shall contain only the attributes
permitted by the structural object class definition.

An entry governed by a DIT content rule may, in addition to the structural
object class of the DIT structure rule, be
associated with a subset of the auxiliary object classes identified by the
DIT content rule. This association is reflected in
the entrys objectClass attribute.
----------

That does seem to say that if there is no DIT content rule, the entry
cannot belong to any auxiliary object classes. And it does seem strange to
me.


John McMeeking




"Jim Sermersheim"
< jimse@novell.com > To: < ietf-ldapbis@OpenLDAP.org >
Sent by: cc:
owner-ietf-ldapbis@O Subject: Re: More on DIT content rules
penLDAP.org


10/29/2003 07:54 PM







Actually, what's being documented here has always been true. Most of the
text is being pulled in part or whole (summarized or not) from X.501.
Previously, one had to find these statements by reading hte ITU documents.

Jim

>>> Michael Ströder < michael@stroeder.com > 10/29/03 10:34:10 AM >>>
HI!

Still browsing through draft-ietf-ldapbis-models-09...

In section 2.4.3 there's written:

[..] If no DIT content rule is associated with
the structural object class of the entry, the entry cannot belong to
any auxiliary object class.

I don't understand this statement. Shouldn't the 'cannot' be 'can'?

From section 4.1.6.:

MUST, MAY, and NOT specify lists of attribute types which are
required, allowed, or precluded, respectively, from appearing in
entries subject to this DIT content rule; and
<extensions> describe extensions.

I'm a little bit scared of 'MUST' and 'MAY' extending the 'MUST' and 'MAY'
of object classes. I consider this being redundant to schema design with
object classes. Personally I'd appreciate a hint in the text stating that
use of 'MUST' and 'MAY' in a DIT content rules is NOT RECOMMENDED since
clients or servers might not support DIT content rules. Well, such a hint
might be a little too much in the direction of a best practice guide.

Ciao, Michael.