[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: new control for filtering dn attribute values based upon their object class

To: "Bruce Greenblatt" <bgreenblatt@directory-applications.com>, <ietf-ldapext@netscape.com>
Subject: RE: new control for filtering dn attribute values based upon their object class
From: "Bob Joslin" <bob_joslin@hp.com>
Date: Tue, 22 May 2001 15:22:56 -0700
Importance: Normal
In-reply-to: <5.1.0.14.0.20010522103124.00aa1b88@pop.walltech.com>

Hi Bruce,

Looks like a useful control (we have applications that may need to deal with
DNs based membership.)  But I thought I'd throw in a curve ball...

It seems that the purpose of the control is so that the client application
can quickly filter through the DNs and examine only the ones that it is
interested in.  So, instead of returning a list of objectclass values in the
search results, would it make sense instead to pass in an ldap filter in the
control.  The control then causes the server to only return the DNs that
pass that filter?  So to follow your example, the filter would be
"(objectclass=strongAuthenticationUser)".  And only those DNs that are of
that OC would be returned.

Food for thought.

Bob Joslin
Hewlett-Packard Company.

> -----Original Message-----
> From: Bruce Greenblatt [mailto:bgreenblatt@directory-applications.com]
> Sent: Tuesday, May 22, 2001 10:45 AM
> To: ietf-ldapext@netscape.com
> Subject: new control for filtering dn attribute values based upon their
> object class
>
>
> I've defined a new control which is the result of helping several
> customers
> with their ldap enabled applications.  They often end up with
> entries that
> have attributes that have long lists of distinguished names as their
> values.  Groups and mailing lists are object classes that unfortunately
> often end up this way.  Independent of my views on whether it is a good
> idea to have a zillion values in a single attribute, customers' DITs have
> them, and they are reluctant to change the DIT.  There are many problems
> that result from this scenario.  This draft defines a control that solves
> one of them.  The problem in question arises when the dns in the
> attribute
> values refer to entries of several different object classes.
>
> http://search.ietf.org/internet-drafts/draft-greenblatt-dn-type-00.txt
>
> One good example of how this control would be used is for the
> retrieval of
> only those dn values which refer to an entry that has a certificate (i.e.
> has the strongAuthenticationUser object class).  Additionally,
> this control
> also allows the client to request that the ldap server "tag" each
> returned
> dn attribute value with the object class(es) of the entry to which it
> refers.  Comments welcome.
>
> Bruce
>
>
> ==============================================
> Bruce Greenblatt, Ph. D.
> Directory Tools and Application Services, Inc.
> http://www.directory-applications.com
>

Follow-Ups:
- Re: new control for filtering dn attribute values based upon their object class
  - From: Ming Lang <mlang@cup.hp.com>
- RE: new control for filtering dn attribute values based upon their object class
  - From: Bruce Greenblatt <bgreenblatt@directory-applications.com>

References:
- new control for filtering dn attribute values based upon their object class
  - From: Bruce Greenblatt <bgreenblatt@directory-applications.com>

Prev by Date: new control for filtering dn attribute values based upon their object class
Next by Date: FWD:Never be surprised by your long distance bill again !!
Index(es):
- Chronological
- Thread