[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: new control for filtering dn attribute values based upon theirobject class

To: Bruce Greenblatt <bgreenblatt@directory-applications.com>
Subject: Re: new control for filtering dn attribute values based upon theirobject class
From: mcs@netscape.com (Mark C Smith)
Date: Wed, 23 May 2001 13:32:26 -0400
Cc: ietf-ldapext@netscape.com
Organization: iPlanet E-Commerce Solutions
References: <5.1.0.14.0.20010522103124.00aa1b88@pop.walltech.com>

My initial reaction is that this would be quite useful to authors of
LDAP client applications.  But it would be challenging for a server
implementation to quickly return the information contained in the
DNObjectClassResponse control (there will be additional overhead for
these kinds of search requests or additional overhead for adds,
modifies, and deletes).

What is the most important problem you are trying to address from the
client perspective?  If it is that you need a way to determine if a
member within a groupOfNames object is another groupOfNames vs. a
different kind of entry (e.g., a person), a simpler solution would be to
define a new grouping mechanism that does not mix together nested group
DNs with other DNs.  This is in fact what iPlanet has done in their iDS
5.0 product with our new roles feature.

-Mark Smith
 Netscape

Bruce Greenblatt wrote:
> 
> I've defined a new control which is the result of helping several customers
> with their ldap enabled applications.  They often end up with entries that
> have attributes that have long lists of distinguished names as their
> values.  Groups and mailing lists are object classes that unfortunately
> often end up this way.  Independent of my views on whether it is a good
> idea to have a zillion values in a single attribute, customers' DITs have
> them, and they are reluctant to change the DIT.  There are many problems
> that result from this scenario.  This draft defines a control that solves
> one of them.  The problem in question arises when the dns in the attribute
> values refer to entries of several different object classes.
> 
> http://search.ietf.org/internet-drafts/draft-greenblatt-dn-type-00.txt
> 
> One good example of how this control would be used is for the retrieval of
> only those dn values which refer to an entry that has a certificate (i.e.
> has the strongAuthenticationUser object class).  Additionally, this control
> also allows the client to request that the ldap server "tag" each returned
> dn attribute value with the object class(es) of the entry to which it
> refers.  Comments welcome.
> 
> Bruce

Follow-Ups:
- Re: new control for filtering dn attribute values based upon theirobject class
  - From: Bruce Greenblatt <bgreenblatt@directory-applications.com>

References:
- new control for filtering dn attribute values based upon their object class
  - From: Bruce Greenblatt <bgreenblatt@directory-applications.com>

Prev by Date: Re: new control for filtering dn attribute values based upon their object class
Next by Date: Re: new control for filtering dn attribute values based upon their object class
Index(es):
- Chronological
- Thread