[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: modifying top

To: ietf-ldapext@netscape.com, Bruce Greenblatt <bgreenblatt@dtasi.com>
Subject: Re: modifying top
From: David Chadwick <d.w.chadwick@iti.salford.ac.uk>
Date: Tue, 15 Jun 1999 21:19:54 +0100
In-reply-to: <3.0.6.32.19990613234151.00910100@pop.walltech.com>
Organization: University of Salford
Resent-date: Tue, 15 Jun 1999 13:17:14 -0700 (PDT)
Resent-from: ietf-ldapext@netscape.com
Resent-message-id: <"8KVmJD.A.D7F.9SrZ3"@glacier>
Resent-sender: ietf-ldapext-request@netscape.com

Date forwarded: 	Sun, 13 Jun 1999 23:41:54 -0700 (PDT)
Date sent:      	Sun, 13 Jun 1999 23:41:51 -0700
To:             	ietf-ldapext@netscape.com
From:           	Bruce Greenblatt <bgreenblatt@dtasi.com>
Subject:        	modifying top
Forwarded by:   	ietf-ldapext@netscape.com

> Here's the explanation that I use for LDAP servers that modify the top
> object class.  It may be a little convuluted, but it satisfies conformance
> concerns (at least to me).

Unfortunately where this falls down is if subschema publishing is 
supported in the subschema subentry (which it should be for 
LDAPv3). When a remote server wishes to read the new subschema 
definitions it will find that it does not exist and top has in fact been 
redefined (or alternatively that the long convoluted explanation that 
you went into is in fact reality and that this invisible auxiliary object 
class does exist, and then all is fine.)

David


> 
> From my  perspective the LDAP servers only appear to modify the top object
> class, but in reality they don't.  Let's use the Netscape DS as an
> example.
>  All objects that are contained in the DS database have both the
> objectClass attribute and the ACI attribute.  They get the objectClass
> attribute from the top object class.  They get the ACI attribute by virtue
> of the fact that every object created in DS also a member of the hidden
> auxiliary object class netscapeTop.  This object class value is hidden
> because nobody normally has sufficient access rights to see this
> particular value of the objectClass attribute.  The netscapeTop auxiliary
> object class has the one attribute type ACI.  Thus, Netscape hasn't
> modified top at all, they've made use of the auxiliary object class
> mechanism in a very standard way.
> 
> Bruce
> 
> 


***************************************************

David Chadwick
IT Institute, University of Salford, Salford M5 4WT
Tel +44 161 295 5351  Fax +44 161 745 8169
*NEW* Mobile +44 790 167 0359 *NEW*
Email D.W.Chadwick@iti.salford.ac.uk
Home Page  http://www.salford.ac.uk/its024/chadwick.htm
Understanding X.500  http://www.salford.ac.uk/its024/X500.htm
X.500/LDAP Seminars http://www.salford.ac.uk/its024/seminars.htm
Entrust key validation string MLJ9-DU5T-HV8J

***************************************************

Follow-Ups:
- RE: modifying top
  - From: Kim Fenley <kfenley@ozemail.com.au>

References:
- modifying top
  - From: Bruce Greenblatt <bgreenblatt@dtasi.com>

Prev by Date: ID on compound (families) of entries
Next by Date: Re: I-D ACTION:draft-chadwick-pkixldap-v3-00.txt
Index(es):
- Chronological
- Thread