
RE: LDAP UID as a naming attribute for persons?



UIDs are usually applied to single server systems and in a local context.
In a distributed name based, shared, large scale directory system they
are unfriendly and should not be recommended. It really depends if you
want your directory for internal use only or relate information to real
entities in the real world.

My advice is don't use them as the only name attribute in an RDN.

regards alan 

----------
From: Mark Smith
To: Ed Reed
Cc: ietf-ldapext@netscape.com
Sent: 9/26/98 2:53:05 AM
Subject: Re: LDAP UID as a naming attribute for persons?

Ed Reed wrote:
> 
> I've just been talking with our developers, who inform me that they're
> seeing a number of LDAP add operations come through in imports and direct
> operations from other vendors' products that use uid as a naming attribute
> for persons.
> 
> Could someone please point me to the naming rules which support the use
> of uid OR CN as naming attributes for any assortment of internet persons?
> I must have missed the issued standard.

I don't know of any LDAP standards (or proposals) that impose
restrictions on how entries can be named.  Most of Netscape's products
default to using uid (user id) to form the RDN of people entries.  We
did this at the request of our customers who find cn's hard to manage
for uniqueness. A lot of sites typically need to assign unique user ids
(e.g., "mcs") for other purposes such as login and e-mail, so they are a
natural choice to use for a person's RDN.


> Further, the semantic interpretation of the uid attribute seems to be -
> perform a search for all objects within some subtree (unclear what the
> definition is) to verify that there are no entries with this uid value
> already instantiated. Is that correct?  Where is THAT documented?  I'd
> just like to be sure we're implementing the algorithm as specified, and
> not just making something up that may not work with all the rest of the
> world.

Performing such a search might be done to help administrators enforce a
policy that says "I want all uids within a subtree to be unique." 
Whether someone wants that behavior or not seems like a local matter to
me.

-- 
Mark Smith
Netscape Communications Corp. / Directory Server Engineering
"Got LDAP?"
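
The subtree uniqueness check discussed in this thread, as an added example (not code from any poster or product): an in-memory stand-in for a directory in which an add is refused when the uid already exists anywhere beneath a locally chosen base. The function names, the DNs and the simplified DN parsing (escaped commas only) are assumptions made for the illustration.

```python
import re

def rdns(dn):
    """Split a DN into normalized RDNs (handles backslash-escaped commas only)."""
    parts = re.split(r'(?<!\\),', dn)
    return [p.strip().lower() for p in parts if p.strip()]

def in_subtree(dn, base):
    """True if dn equals base or lies beneath it (component-wise suffix match)."""
    d, b = rdns(dn), rdns(base)
    return len(d) >= len(b) and (not b or d[-len(b):] == b)

def uid_conflicts(directory, base, uid):
    """Subtree-scope search for (uid=<value>); uid is matched case-insensitively."""
    want = uid.lower()
    return sorted(dn for dn, attrs in directory.items()
                  if in_subtree(dn, base)
                  and want in (v.lower() for v in attrs.get("uid", [])))

def add_person(directory, dn, attrs, unique_base=None):
    """Add an entry; if unique_base is set, enforce uid uniqueness beneath it."""
    if any(rdns(dn) == rdns(existing) for existing in directory):
        raise ValueError("entryAlreadyExists: " + dn)
    if unique_base is not None and in_subtree(dn, unique_base):
        for uid in attrs.get("uid", []):
            clash = uid_conflicts(directory, unique_base, uid)
            if clash:
                raise ValueError("uid %r already used by %s" % (uid, clash[0]))
    directory[dn] = attrs

def demo():
    d = {}
    base = "ou=People,o=Example"   # constructed subtree the local policy covers
    add_person(d, "uid=mcs,ou=Eng," + base, {"uid": ["mcs"]}, base)
    # Same uid, different branch and a cn-based RDN: sibling RDN uniqueness
    # alone would not catch this, the subtree search does.
    try:
        add_person(d, "cn=M. Smith,ou=Sales," + base, {"uid": ["MCS"]}, base)
        rejected = False
    except ValueError:
        rejected = True
    # Outside the policy subtree the same uid is accepted (a local matter).
    add_person(d, "uid=mcs,ou=Partners,o=Example", {"uid": ["mcs"]}, base)
    return rejected, sorted(d)
```

In a real server the search and the add would have to be performed atomically, otherwise two concurrent adds could both pass the check.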