On Wed, 2007-09-19 at 19:01 +0100, Andrew Findlay wrote:On Wed, Sep 19, 2007 at 01:07:13PM -0400, Liben, Michael (GTI) wrote:
This anticipates a reliable mechanism that ensures direct members are not added to the nestedGroups attribute and that nested groups are not inadvertently added to the member attribute.I don't think there needs to be any server-side control on that. There are many cases in LDAP where the protocol and schema allow the client to do 'silly' things. If we try to tie things down too hard there is no room for flexibility. A designer can choose to use ACLs or structure definitions to apply some measure of control, or can rely on 'business logic' in the update process to do so.
The problem is that you have a generic "DN" container that is given specific semanthics. IE nestedGroupObject is supposed to contain only entries that have groupOfEntries as its STRUCTURAL class, but you do not enforce it. So it may contain anything. Same for member.
This just means clients have to cope with bad entries.
I think that the problem is caused by artificial separation of members in 2 classes.
-- -- Howard Chu Chief Architect, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/
_______________________________________________ Ldapext mailing list Ldapext@ietf.org https://www1.ietf.org/mailman/listinfo/ldapext