[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: The correct behaviour of auxiliary object classes

To: Vincent.Ryan@Ireland.Sun.COM, ietf-ldapext@netscape.com, ldap@umich.edu
Subject: Re: The correct behaviour of auxiliary object classes
From: Brian Jarvis <BJARVIS@novell.com>
Date: Wed, 01 Mar 2000 19:47:10 -0700
Resent-date: Wed, 01 Mar 2000 18:47:36 -0800 (PST)
Resent-from: ietf-ldapext@netscape.com
Resent-message-id: <J_xQx.A.W6.8Ydv4@glacier>
Resent-sender: ietf-ldapext-request@netscape.com

Your understanding is correct.  To add an auxiliary class to an object you add it to Object Class and simultaneously add any mandatory attributes it has.  To remove an auxiliary class from an object, you delete it from Object Class.

I don't think we need to specify this behavior every place that defines an auxiliary class.  One place will be less confusing since the specifications invariably would differ.

>>> Vincent Ryan <Vincent.Ryan@Ireland.Sun.COM> 3/1/2000 07:06:26 >>>

I'm seeking clarification of how auxiliary object classes are
supposed to operate. My understanding of auxiliary object classes
is that they are designed to be mixed-in with structural object
classes when particular instances of a structural object class
need additional attributes. 

For example, 'strongAuthenticationUser' is an auxiliary class
defined in RFC 2256 and it mandates the 'userCertificate' attribute.
If I want to create an LDAP entry that is both an 'organizationalPerson'
and a 'strongAuthenticationUser' then I should specify both class
names in the object class attribute for the entry. In addition,
as 'sn' is mandatory for the 'organizationalPerson' class and
'userCertificate' is mandatory for the 'strongAuthenticationUser'
class then I must supply both of these attributes too.

Is my understanding correct? 

Should this behaviour be stated explicitly in the LDAP RFCs?

I notice that support for auxiliary classes in Windows 2000
Active Directory deviates from this behaviour. Auxiliary classes
are (permanently) associated with specific structural classes in
the Active Directory schema. The effect is that every instance of
a structural class must contain the mandatory attributes of all
of its associated auxiliary classes. That is, the auxiliary class
is associated with every instance of the structural class. In
addition, auxiliary class names must not appear as values of the
object class attribute of the instance of the structural class.

Can someone from Microsoft confirm that my description is correct?
(Or have I misunderstood how Active Directory operates.)

Do other LDAP server implementors support auxiliary classes differently?

BEGIN:VCARD
VERSION:2.1
X-GWTYPE:USER
FN:Brian Jarvis - Novell
TEL;WORK:801-861-3856
ORG:;NDS Administration
TEL;PREF;FAX:801-861-2292
EMAIL;WORK;PREF;NGW:BJARVIS@novell.com
N:Jarvis;Brian
TITLE:Software Engineer Senior
X-GWUSERID:BJARVIS
END:VCARD

Prev by Date: Start Taking Credit Cards
Next by Date: RE: Changelog entries draft. Do not seem to find it.
Index(es):
- Chronological
- Thread