[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Change of name forms and DIT structure rules when renaming an entry

To: Michael Ströder <michael@stroeder.com>
Subject: Re: Change of name forms and DIT structure rules when renaming an entry
From: Steven Legg <steven.legg@eb2bcom.com>
Date: Fri, 22 Aug 2008 16:09:11 +1000
Cc: ietf-ldapbis@openldap.org
In-reply-to: <48AD2119.7080801@stroeder.com>
References: <48A976A7.5050600@stroeder.com> <48AB5E0E.5020402@eb2bcom.com> <48AD2119.7080801@stroeder.com>
User-agent: Thunderbird 2.0.0.16 (Windows/20080708)


Michael,

Michael Ströder wrote:

Steven,
I really appreciate your comment.
Steven Legg wrote:
Michael Ströder wrote:
when displaying an input form for renaming an entry I'd like to let the user search for possible new superior DNs. If applicable I'd like to construct the search filter derived from applicable DIT structure rules. So the question is how to find the structural object classes which are allowed for superior entries.

X.501 (1993) section 12.6.5 says: "Each object and alias entry is governed by a single DIT structure rule."

Currently I determine the governing structure rule by looking up the best matching name form for 1. the structural object class and 2. the current old RDN.
In general, you also need the governingStructureRule of the current
superior entry,
You mean I could derive the possible structural object class from the governingStructureRule of the superior entry?


I was just making the point that an entry's governingStructureRule also
depends on the governingStructureRule of its superior. However, you don't
need to know the current governingStructureRule of the entry or its superior.

> Hmm, there could be more

possible structural object classes of superior entries.

but it is easier to just look at the governingStructureRule
of the entry to be moved.


That's how I currently implemented it.

Ultimately though, the governingStructureRule
of the entry to be moved doesn't matter.

...because the RDN could also change...


... because it only tells you about one valid possibility for a new
superior. There can be others. Clearly, the entry could be moved
under any new superior (in the same subschema administrative area)
that has the same governingStructureRule as its old superior, provided
the moving entry's naming attributes are not changed, because the
structural object class, name form and superior entry
governingStructureRule will all be the same in the new location.
If the moving entry was schema-valid before the move it will be
schema-valid after the move. By examining the name forms and structure
rules in the schema it is possible to work out what other
possibilities are valid, but they may necessitate a change to the
naming attributes and may cause the governingStructureRule of the moved
entry to change. The current governingStructureRule of the entry
to be moved doesn't affect what's a valid possibility and what's not.

The possibilities in the schema boil down to a collection of pairs
where the first item is an acceptable governingStructureRule value
for a new superior and the second item is an acceptable name form
for the entry to be moved, i.e., the first item tells you where the entry
can go and the second item tells you whether the RDN needs to change.

> Then I can derive the possible superior structure rules
and lookup the superior structural object classes via the accompanying name forms.

But now I wonder what to do in case the user wants to change the RDN together with a new superior DN in one rename operation? From my understanding changing the RDN could lead to another governing structure rule. Is that right?
Yes, it could. In the general case the structural object class of the
entry being renamed/moved would permit a number of candidate name
forms, each with its own set of mandatory and optional naming
attributes. For each name form, the structure rules specify the
permitted governingStructureRule values for the new superior entry of
the entry being renamed/moved. The structuralObjectClass of the
superior entries doesn't come into it directly, but can be determined
 from the name form associated with the structure rule corresponding
to each of the permitted values for the governingStructureRule of the
new superior.
I could sort this out since I already have working code for determining the current name form of an entry and for determining the governingStructureRule. Not sure how to come up with a good user interface for that though.

Thinking about this a little bit more I came up with another difficulty: The new superior DN might reside in a part of the DIT where another subschema is defined. So this is a real blocker.


It means that the search filter is only valid within the scope of the
subschema used to form it. It's rare for a single server to have more than
one subschema area, so you could make that simplifying assumption, but in
the more general case it means emitting one search for each subschema area
the client knows about. It would help to ask for the subschemaSubentry to be
returned so that matched entries that are not in the expected subschema area
can be detected and ignored. Depending on the server implementation, you
might be able to put a subschemaSubentry equality assertion in the search
filter.

If you allow the user to select the new superior first, then that will constrain which name forms are available to rename the entry. If you allow the user to rename the entry first (explicitly or implicitly selecting one of the applicable name forms), then that will constrain which new superior entries are available.
Yes. But the problem is that it might be necessary for the user to change both in one rename operation.


I was assuming one operation, but allowing that it might be put together
in a multi-step interaction at the user interface. Which step the user
takes first constrains what can be done on the second step, but it isn't
until after the second step that the "save" button gets clicked.

Presenting the user with a list of (superior DN, eligible naming attribute
types) pairs to choose from would be one way of combining both steps in a single
action. Of course, if the naming attribute types in the selection are different
from the current naming attributes, the user interface should enter a screen
to have the user edit them before allowing the operation to be submitted.

> From my understanding changing the

name form could lead to the situation where the old superior is not valid anymore.


Correct.

This all gets very hairy. At the moment I can't imagine a user interface which really helps the user to do the right thing without the user knowing a lot about how DIT structure rules and name forms work.


The governing structure rules are determined by structural object classes
and name forms. A name form is basically a set of naming attributes, so
the object class and "what attributes are used for naming" are all that
the user really needs to be exposed to.

I will take a simpler approach with client-side configuration. Probably I will display a pre-configured select list of named LDAP URLs for searching the new superior entries. This would also work with servers which don't support DIT structure rules and name forms.


Whether or not you get back governingStructureRule is probably an accurate
test of whether the server supports structure rules and name forms.

Regards,
Steven

Ciao, Michael.

References:
- Change of name forms and DIT structure rules when renaming an entry
  - From: Michael Ströder <michael@stroeder.com>
- Re: Change of name forms and DIT structure rules when renaming an entry
  - From: Steven Legg <steven.legg@eb2bcom.com>
- Re: Change of name forms and DIT structure rules when renaming an entry
  - From: Michael Ströder <michael@stroeder.com>

Prev by Date: Re: Change of name forms and DIT structure rules when renaming an entry
Next by Date: IETF#73 LDAP BOF Proposal
Index(es):
- Chronological
- Thread