
Re: new control for filtering dn attribute values based upon their object class



Sorry folks,

Please ignore my comments. I thought this was
a little discussion in our project.
Sorry for the confusion :-}


Ming Lang wrote:

> Hi All,
>
> I did not follow the whole discussion.
> However, Bob's idea can be done cleanly by "Filtered Role", an
> iDS5.0 feature.
>
> Ming
>
> Bob Joslin wrote:
>
> > Hi Bruce,
> >
> > Looks like a useful control (we have applications that may need to deal with
> > DN-based membership.)  But I thought I'd throw in a curve ball...
> >
> > It seems that the purpose of the control is so that the client application
> > can quickly filter through the DNs and examine only the ones that it is
> > interested in.  So, instead of returning a list of objectclass values in the
> > search results, would it make sense instead to pass in an ldap filter in the
> > control.  The control then causes the server to only return the DNs that
> > pass that filter?  So to follow your example, the filter would be
> > "(objectclass=strongAuthenticationUser)".  And only those DNs that are of
> > that OC would be returned.
> >
> > Food for thought.
> >
> > Bob Joslin
> > Hewlett-Packard Company.
> >
> > > -----Original Message-----
> > > From: Bruce Greenblatt [mailto:bgreenblatt@directory-applications.com]
> > > Sent: Tuesday, May 22, 2001 10:45 AM
> > > To: ietf-ldapext@netscape.com
> > > Subject: new control for filtering dn attribute values based upon their
> > > object class
> > >
> > >
> > > I've defined a new control which is the result of helping several customers
> > > with their ldap enabled applications.  They often end up with entries that
> > > have attributes that have long lists of distinguished names as their
> > > values.  Groups and mailing lists are object classes that unfortunately
> > > often end up this way.  Independent of my views on whether it is a good
> > > idea to have a zillion values in a single attribute, customers' DITs have
> > > them, and they are reluctant to change the DIT.  There are many problems
> > > that result from this scenario.  This draft defines a control that solves
> > > one of them.  The problem in question arises when the dns in the attribute
> > > values refer to entries of several different object classes.
> > >
> > > http://search.ietf.org/internet-drafts/draft-greenblatt-dn-type-00.txt
> > >
> > > One good example of how this control would be used is for the retrieval of
> > > only those dn values which refer to an entry that has a certificate (i.e.
> > > has the strongAuthenticationUser object class).  Additionally, this control
> > > also allows the client to request that the ldap server "tag" each returned
> > > dn attribute value with the object class(es) of the entry to which it
> > > refers.  Comments welcome.
> > >
> > > Bruce
> > >
> > >
> > > ==============================================
> > > Bruce Greenblatt, Ph. D.
> > > Directory Tools and Application Services, Inc.
> > > http://www.directory-applications.com
> > >
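
The two behaviours described in Bruce's message (returning only the DN values whose target entry has a given object class, and tagging each DN value with the object classes of its target), modelled client-side as an added example that is not part of the thread or the draft. The directory contents, member list and function names are constructed for illustration, and DN matching is simplified (no escaped commas).

```python
# Constructed sample data: normalized DN -> objectClass values of that entry.
DIRECTORY = {
    "cn=alice,ou=people,dc=example,dc=com": {"top", "person", "strongAuthenticationUser"},
    "cn=bob,ou=people,dc=example,dc=com": {"top", "person"},
    "cn=printers,ou=groups,dc=example,dc=com": {"top", "groupOfNames"},
    "cn=carol,ou=people,dc=example,dc=com": {"top", "person", "strongAuthenticationUser"},
}

# Constructed 'member' values of one group entry; the last DN refers to no entry.
MEMBERS = [
    "CN=Alice, OU=People, DC=example, DC=com",
    "cn=bob,ou=people,dc=example,dc=com",
    "cn=printers,ou=groups,dc=example,dc=com",
    "cn=carol,ou=people,dc=example,dc=com",
    "cn=dave,ou=people,dc=example,dc=com",
]


def normalize_dn(dn):
    """Simplified DN matching (assumption): lowercase, trim around ',' and '='."""
    rdns = []
    for rdn in dn.split(","):
        attr, _, value = rdn.partition("=")
        rdns.append(attr.strip().lower() + "=" + value.strip().lower())
    return ",".join(rdns)


def classes_of(dn, directory):
    """Object classes of the entry the DN refers to; empty set if it dangles."""
    return directory.get(normalize_dn(dn), set())


def filter_dn_values(values, directory, wanted_class):
    """Keep only DN values whose target entry has wanted_class (case-insensitive)."""
    wanted = wanted_class.lower()
    return [dn for dn in values
            if wanted in {c.lower() for c in classes_of(dn, directory)}]


def tag_dn_values(values, directory):
    """Pair every DN value with the sorted object classes of its target entry."""
    return [(dn, sorted(classes_of(dn, directory), key=str.lower)) for dn in values]


if __name__ == "__main__":
    print(filter_dn_values(MEMBERS, DIRECTORY, "strongAuthenticationUser"))
    for dn, classes in tag_dn_values(MEMBERS, DIRECTORY):
        print(dn, classes)
```

Done on the client, this costs one lookup per DN value, which is the work the proposed control moves to the server.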