
Re: LDAPSubentries comments review and request for last call by LDAPEXT and LDUP working groups



At 12:24 PM 7/16/2001, Ed Reed wrote:
>So - I'd like more comments on the administrative model.  Does it work for ACI as LDAPEXT is defining it?  Other applications than just LDUP?  I think it DOES work for LDUP (i.e., managing replication areas).

I don't think it works for access controls, subschema,
collective attributes, and likely not for LDUP (consider
sparse replica).  Of course, my definition of "works"
may be quite different than yours.

ldapSubentry can only hold information associated with a subtree.
ldapSubentry, by design, cannot hold information associated with
a subtree refinement [X.501].

Consider a case where the administrator wishes to hold a set
of shared attributes for the collection of entries which are
immediately subordinate to a particular entry (but not the
particular entry).  This cannot be done using LDAPsubentries
as LDAPsubentries requires that each subordinate have a
separate subentry to hold the attributes.  As these attributes
are held in different subentries, they are not shared.  And
further subentries need to be created to break the inheritance
(as the information was to be shared between the immediate
subordinates).   And, of course, needed subordinates are not
automatically created/deleted upon add, delete, and rename.

I believe there is good operational experience from the X.500
community that a subentry subtree refinement mechanism is needed
to allow for effective administration of the Directory.  I
recommend we adapt X.500 subentries, including the subtree
specification mechanism, for use with LDAP.

Kurt
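
The following is an added example, not part of the original message or of either specification's text. It contrasts a whole-subtree scope, as the message describes ldapSubentry, with an X.501-style subtree specification limited to its base, minimum and maximum components, applied to the "immediate subordinates only" case. The DNs, the naive comma split and the function names are assumptions made for illustration.

```python
# Added illustration: whole-subtree scope versus an X.501-style subtree
# specification (base / minimum / maximum only; specificExclusions and
# specificationFilter are omitted). DNs are simplified, leaf-first strings
# split naively on commas, so escaped commas in RDN values are not handled.

def rdns(dn):
    """Split a simplified DN into lowercase RDNs, leaf first."""
    return [r.strip().lower() for r in dn.split(",") if r.strip()]

def depth_below(entry_dn, base_dn):
    """How many RDNs entry_dn sits below base_dn, or None if it is outside."""
    e, b = rdns(entry_dn), rdns(base_dn)
    if len(e) < len(b) or e[len(e) - len(b):] != b:
        return None
    return len(e) - len(b)

def in_whole_subtree(entry_dn, root):
    """Scope with no refinement: the root and everything beneath it."""
    return depth_below(entry_dn, root) is not None

def in_subtree_spec(entry_dn, admin_point, base="", minimum=0, maximum=None):
    """base is relative to the administrative point; minimum and maximum
    are distances measured from base (maximum=None means unbounded)."""
    base_dn = f"{base},{admin_point}" if base else admin_point
    d = depth_below(entry_dn, base_dn)
    if d is None or d < minimum:
        return False
    return maximum is None or d <= maximum

# Constructed sample directory.
PARENT = "ou=People,dc=example,dc=com"
ENTRIES = [
    PARENT,
    "cn=alice," + PARENT,
    "cn=bob," + PARENT,
    "cn=key1,cn=alice," + PARENT,
    "ou=Groups,dc=example,dc=com",
]

def whole_scope():
    return [e for e in ENTRIES if in_whole_subtree(e, PARENT)]

def immediate_subordinates_scope():
    # minimum=1 excludes the parent itself; maximum=1 stops inheritance
    # at the first level, so one subentry covers exactly the children.
    return [e for e in ENTRIES if in_subtree_spec(e, PARENT, minimum=1, maximum=1)]

if __name__ == "__main__":
    print("whole subtree:", whole_scope())
    print("refined      :", immediate_subordinates_scope())
```

For access control information, the difference decides which entries inherit a rule: the unrefined scope also covers the parent entry and the grandchild `cn=key1`, while the refined scope covers only the two immediate children.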