
new control for filtering dn attribute values based upon their object class



I've defined a new control which is the result of helping several customers with their LDAP-enabled applications. They often end up with entries that have attributes that have long lists of distinguished names as their values. Groups and mailing lists are object classes that unfortunately often end up this way. Independent of my views on whether it is a good idea to have a zillion values in a single attribute, customers' DITs have them, and they are reluctant to change the DIT. There are many problems that result from this scenario. This draft defines a control that solves one of them. The problem in question arises when the DNs in the attribute values refer to entries of several different object classes.

http://search.ietf.org/internet-drafts/draft-greenblatt-dn-type-00.txt

One good example of how this control would be used is for the retrieval of only those DN values which refer to an entry that has a certificate (i.e. has the strongAuthenticationUser object class). Additionally, this control also allows the client to request that the LDAP server "tag" each returned DN attribute value with the object class(es) of the entry to which it refers. Comments welcome.

Bruce


==============================================
Bruce Greenblatt, Ph. D.
Directory Tools and Application Services, Inc.
http://www.directory-applications.com
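
A client-side emulation of the filtering and tagging described in the post above, as an added example that is not part of the original post or the draft. It shows the one-read-per-value cost a client pays without server-side support. The directory contents, function names and the tag representation (a list of object classes paired with each value) are assumptions; the draft's wire encoding is not modelled.

```python
# Constructed sample directory (normalized DN -> attributes); not data from the post.
DIRECTORY = {
    "cn=staff,ou=groups,dc=example,dc=com": {
        "objectClass": ["top", "groupOfNames"],
        "member": [
            "cn=Alice,ou=people,dc=example,dc=com",
            "CN=Bob, OU=People, DC=Example, DC=Com",
            "cn=printers,ou=groups,dc=example,dc=com",
            "cn=Gone,ou=people,dc=example,dc=com",  # dangling reference
        ],
    },
    "cn=alice,ou=people,dc=example,dc=com": {
        "objectClass": ["top", "person", "strongAuthenticationUser"]},
    "cn=bob,ou=people,dc=example,dc=com": {
        "objectClass": ["top", "person"]},
    "cn=printers,ou=groups,dc=example,dc=com": {
        "objectClass": ["top", "groupOfNames"]},
}


def normalize_dn(dn):
    """Simplified DN matching: lowercase and trim each RDN.
    Assumption: no escaped commas or multi-valued RDNs in the input."""
    return ",".join(rdn.strip().lower() for rdn in dn.split(","))


def filter_dn_values(directory, entry_dn, attr, wanted_class=None):
    """Return ([(dn_value, object_classes)], lookups) for one DN-valued attribute.

    With wanted_class set, only values whose target entry carries that object
    class are kept. Without it, every value is returned tagged with the
    target's object classes (empty list for a dangling DN; an assumption)."""
    entry = directory[normalize_dn(entry_dn)]
    results, lookups = [], 0
    for value in entry.get(attr, []):
        lookups += 1  # one extra read per value when done client-side
        target = directory.get(normalize_dn(value))
        classes = target["objectClass"] if target else []
        if wanted_class is not None:
            # Object class names compare case-insensitively.
            if wanted_class.lower() not in (c.lower() for c in classes):
                continue
        results.append((value, classes))
    return results, lookups
```
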