[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: [ldapext] objectIdentifierMatch

To: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>
Subject: Re: [ldapext] objectIdentifierMatch
From: Howard Chu <hyc@highlandsun.com>
Date: Wed, 15 Feb 2006 12:04:41 -0800
Cc: Ldapext <ldapext@ietf.org>
In-reply-to: <7.0.1.0.0.20060215113928.0229cc58@OpenLDAP.org>
References: <43F30F1B.9060700@highlandsun.com> <7.0.1.0.0.20060215105339.0223cd88@OpenLDAP.org> <7.0.1.0.0.20060215113928.0229cc58@OpenLDAP.org>
User-agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a1) Gecko/20060209 SeaMonkey/1.5a Mnenhy/0.7.3.0

Kurt D. Zeilenga wrote:

I note that in some cases OID and objectIdentifierMatch are
used where it would be more appropriate for the syntax/matching
rules for attribute descriptions to be used.  Attribute
descriptions allow language and other tags to be specified.

Unforunately, matching rules commonly used for attribute
descriptions do not deal with ambiguity in naming of attribute
types (cn v commonName v 2.5.4.3) as well as ambiguity
caused by ordering of attribute options.

So, we might consider designing robust 'attribute description'
syntax and matching rules (instead of or in addition to
an attribute type schema description extension).

That makes a lot more sense. We probably still need the schema extension to address the other uses.

Kurt
At 11:08 AM 2/15/2006, Kurt D. Zeilenga wrote:
At 03:23 AM 2/15/2006, Howard Chu wrote:
It seems this matching rule is rather difficult to use in practice,
with descriptor support, yes.
given that it's supposed to accept textual descriptors in addition to numeric OIDs, but there's no way for apps to know in what context the valid descriptors reside. (See http://www.openldap.org/its/index.cgi/Software%20Bugs?id=4025 for an example of how this affected our password policy implementation, ITS#4402 for another user tripping over it in an arbitrary schema.)
It's difficult to know whether a particular descriptor
unambiguously refers to a particular OID.  LDAP has always
allowed an OID to refer to different OIDs in different contexts.
I was thinking that using a new extension like e.g. X-NAMESPACE 'attr' to attribute definitions with this matching rule might help make things less ambiguous. Suggestions?
I'd prefer something like X-OID-CONTEXT than
X-NAMESPACE as the latter is not OID-specific.  And as values,
I would spell them out for clarity.  That is,
       X-OID-CONTEXT 'attributeTypes'
Of course, even descriptors naming a particular kind of object
may be ambiguous, like 'x-foo'.  This is why I suggested
'X-OID-CONTEXT' instead of 'X-OID-KIND'.  The term context
implies which kind of object is being named, but the source
of the names (for 'attributeTypes', the controlling schema).
Kurt
--
 -- Howard Chu
 Chief Architect, Symas Corp.  http://www.symas.com
 Director, Highland Sun        http://highlandsun.com/hyc
 OpenLDAP Core Team            http://www.openldap.org/project/


--
  -- Howard Chu
  Chief Architect, Symas Corp.  http://www.symas.com
  Director, Highland Sun        http://highlandsun.com/hyc
  OpenLDAP Core Team            http://www.openldap.org/project/

_______________________________________________
Ldapext mailing list
Ldapext@ietf.org
https://www1.ietf.org/mailman/listinfo/ldapext

References:
- [ldapext] objectIdentifierMatch
  - From: Howard Chu <hyc@highlandsun.com>
- Re: [ldapext] objectIdentifierMatch
  - From: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>
- Re: [ldapext] objectIdentifierMatch
  - From: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>

Prev by Date: Re: [ldapext] objectIdentifierMatch
Next by Date: Re: [ldapext] objectIdentifierMatch
Index(es):
- Chronological
- Thread