
Re: new control for filtering dn attribute values based upon their object class



Hi All,

I did not follow the whole discussion.
However, Bob's idea can be done cleanly by "Filtered Role", an
iDS5.0 feature.

Ming

Bob Joslin wrote:

> Hi Bruce,
>
> Looks like a useful control (we have applications that may need to deal with
> DN-based membership).  But I thought I'd throw in a curve ball...
>
> It seems that the purpose of the control is so that the client application
> can quickly filter through the DNs and examine only the ones that it is
> interested in.  So, instead of returning a list of objectclass values in the
> search results, would it make sense instead to pass in an ldap filter in the
> control?  The control then causes the server to only return the DNs that
> pass that filter.  So to follow your example, the filter would be
> "(objectclass=strongAuthenticationUser)".  And only those DNs that are of
> that OC would be returned.
>
> Food for thought.
>
> Bob Joslin
> Hewlett-Packard Company.
>
> > -----Original Message-----
> > From: Bruce Greenblatt [mailto:bgreenblatt@directory-applications.com]
> > Sent: Tuesday, May 22, 2001 10:45 AM
> > To: ietf-ldapext@netscape.com
> > Subject: new control for filtering dn attribute values based upon their
> > object class
> >
> >
> > I've defined a new control which is the result of helping several customers
> > with their ldap enabled applications.  They often end up with entries that
> > have attributes that have long lists of distinguished names as their
> > values.  Groups and mailing lists are object classes that unfortunately
> > often end up this way.  Independent of my views on whether it is a good
> > idea to have a zillion values in a single attribute, customers' DITs have
> > them, and they are reluctant to change the DIT.  There are many problems
> > that result from this scenario.  This draft defines a control that solves
> > one of them.  The problem in question arises when the dns in the attribute
> > values refer to entries of several different object classes.
> >
> > http://search.ietf.org/internet-drafts/draft-greenblatt-dn-type-00.txt
> >
> > One good example of how this control would be used is for the retrieval of
> > only those dn values which refer to an entry that has a certificate (i.e.
> > has the strongAuthenticationUser object class).  Additionally, this control
> > also allows the client to request that the ldap server "tag" each returned
> > dn attribute value with the object class(es) of the entry to which it
> > refers.  Comments welcome.
> >
> > Bruce
> >
> >
> > ==============================================
> > Bruce Greenblatt, Ph. D.
> > Directory Tools and Application Services, Inc.
> > http://www.directory-applications.com
> >
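
The behaviour discussed in this thread (return only the DN values whose target entry matches a filter, tagged with that entry's object classes), emulated client-side over an in-memory directory. This is an added example, not code from the draft or from any poster; it does not reproduce the control's wire format, and the DIRECTORY data, the function names, and the handling of dangling DNs are assumptions made for illustration.

```python
# Constructed sample data (not from the draft): one group whose member
# attribute holds DNs of entries with different object classes.
DIRECTORY = {
    "cn=staff,ou=groups,dc=example,dc=com": {
        "objectclass": ["top", "groupOfNames"],
        "member": [
            "cn=Alice,ou=people,dc=example,dc=com",
            "CN=Bob, OU=People, DC=Example, DC=Com",
            "cn=printers,ou=groups,dc=example,dc=com",
            "cn=gone,ou=people,dc=example,dc=com",  # refers to no entry
        ],
    },
    "cn=alice,ou=people,dc=example,dc=com": {
        "objectclass": ["top", "person", "strongAuthenticationUser"]},
    "cn=bob,ou=people,dc=example,dc=com": {"objectclass": ["top", "person"]},
    "cn=printers,ou=groups,dc=example,dc=com": {
        "objectclass": ["top", "groupOfNames"]},
}

def norm_dn(dn):
    """Simplified DN matching: case-insensitive, spaces around ',' ignored.
    Escaped commas and multi-valued RDNs are not handled."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def parse_equality_filter(flt):
    """Accept only the simple '(attr=value)' filter form used in the thread."""
    inner = flt.strip()
    if not (inner.startswith("(") and inner.endswith(")")) or "=" not in inner:
        raise ValueError("only (attr=value) filters are supported: %r" % flt)
    attr, value = inner[1:-1].split("=", 1)
    if not attr.strip() or any(c in value for c in "()*&|!"):
        raise ValueError("only (attr=value) filters are supported: %r" % flt)
    return attr.strip().lower(), value.strip().lower()

def filter_dn_values(directory, entry_dn, attr, flt=None):
    """Return [(dn_value, object_classes)] for the DN values of `attr` whose
    target entry exists and, when `flt` is given, matches it."""
    wanted = parse_equality_filter(flt) if flt else None
    tagged = []
    for value in directory[norm_dn(entry_dn)].get(attr, []):
        target = directory.get(norm_dn(value))
        if target is None:
            continue  # dangling DN: dropped here (a choice made for this example)
        if wanted and wanted[1] not in [v.lower() for v in target.get(wanted[0], [])]:
            continue
        tagged.append((value, list(target["objectclass"])))
    return tagged
```

Done on the client, this costs one lookup per DN value, which is the work the proposed control moves to the server.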