Re: (ITS#3432) back-sql enhancements

At 07:01 AM 1/3/2005, adamson@andrew.cmu.edu wrote:
>An LDAP database has an entry "cn=adamson,dc=cmu,dc=edu"  of objectClass 
>"posixAccount", which has a subclass "cmuAccount" and the entry already 
>matches all of the MAY and MUST directives of the schema for both cmuAccount 
>and posixAccount.  Now the server receives this LDIF:
>   dn: cn=adamson,dc=cmu,dc=edu
>   changetype: modify
>   replace: objectClass
>   objectClass: cmuAccount
>   -
>what should the server do?

Making this change would violate the directory information
model, hence objectClassViolation would normally be returned.

However, in talking with some X.500 DSA developers, administrators,
through use of the ManageDSAIT extension, perform such updates.
That is, both a control and authorization to use it for this
purpose are needed.  I've been thinking about how to add this
capability to slapd(8).

>This patch #7 attempts to make the necessary changes in the RDBM to change the 
>objectClass of the entry.  If LDAP says that entries cannot change OC, then 
>yeah this is a bad patch.

Well, depending on how one checks for the control and authorization,
the patch might actually be okay.  Most of the checking should
be well above the match (in object class violation checking routines).

We might move this discussion to -devel....

>    Thanks again for your time.
>        -Mark Adamson
>         Carnegie Mellon