
Re: ActiveDirectory schema



> Mind you, surely one aci attribute (for which there's
> a fairly good reason to add to "top") is less of
> a crime than a whole page of random attributes ?

The only entities which can choose to add new attributes to an 
object class with top's OID are the ITU/ISO.  The ITU/ISO 
provide THREE different techniques that vendors/deployers are 
free to use that allow them to have additional attributes in 
all objects without violating the standards.  These include:
 - the auxiliary object class (since 1988),
 - schema content/structural rules (since 1993),
 - operational attributes (since 1993)

For example, the Innosoft directory server product allows access
control attributes to be present in entries, but does so by 
defining attributes such as subtreeACL as directoryOperational 
attributes that users (in particular administrators) can 
modify.  Operational attributes do not need to be part of 
any object class definition to be present in an entry. 

It is impolite to break the ITU/ISO's spec by adding attributes
to an object class whose semantics are foreign to that object 
class's definition.  If a vendor has a grievance with the way the
object class is defined, they should present their complaint to 
the appropriate people writing the spec by filing a defect report form.
(Your national standards body representative has contact details.) 
This would allow both sides to discuss the definition of the object
class and perhaps agree on a new object class that would supplant
the old one.

Mark Wahl, Directory Product Architect
Innosoft International, Inc.
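
The following is an added example, not part of the original message and not any vendor's code: a simplified Python model of schema checking that shows an access control attribute being admitted through an auxiliary object class or as an operational attribute while "top" is left untouched. The class name aclAux, the abridged person definition and the sample entries are assumptions made for illustration; content/structural rules are not modelled.

```python
# Simplified model of X.500/LDAP schema checking (illustration only).
from dataclasses import dataclass

@dataclass(frozen=True)
class ObjectClass:
    name: str
    kind: str                      # "ABSTRACT", "STRUCTURAL" or "AUXILIARY"
    sup: str = ""                  # superclass name, empty for top
    must: frozenset = frozenset()
    may: frozenset = frozenset()

CLASSES = {c.name: c for c in [
    # "top" stays as the standard defines it: it requires only objectClass.
    ObjectClass("top", "ABSTRACT", must=frozenset({"objectClass"})),
    # Abridged person definition.
    ObjectClass("person", "STRUCTURAL", "top",
                must=frozenset({"cn", "sn"}), may=frozenset({"telephoneNumber"})),
    # Hypothetical vendor auxiliary class carrying an access control attribute.
    ObjectClass("aclAux", "AUXILIARY", "top", may=frozenset({"aci"})),
]}

# Operational attributes are not listed in any object class definition.
USAGE = {"subtreeACL": "directoryOperation"}   # everything else: userApplications

def allowed_user_attrs(class_names):
    """Union of MUST/MAY over the named classes and their superclass chains."""
    allowed = set()
    for name in class_names:
        while name:
            oc = CLASSES[name]
            allowed |= oc.must | oc.may
            name = oc.sup
    return allowed

def schema_violations(entry):
    """Attributes that no listed class permits and that are not operational."""
    allowed = allowed_user_attrs(entry["objectClass"])
    return sorted(a for a in entry
                  if a not in allowed
                  and USAGE.get(a, "userApplications") == "userApplications")

# Constructed sample entries.
BASE = {"objectClass": ["top", "person"], "cn": ["Ann"], "sn": ["Lee"]}
PLAIN_WITH_ACI = {**BASE, "aci": ["(constructed value)"]}
AUX_WITH_ACI = {**BASE, "objectClass": ["top", "person", "aclAux"],
                "aci": ["(constructed value)"]}
OPERATIONAL = {**BASE, "subtreeACL": ["(constructed value)"]}
```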