
Re: changing default: schemacheck on

"Kurt D. Zeilenga" wrote:
> I would like to change the default value of the schemacheck
> slapd.conf directive to on.  Any good reason why this
> shouldn't be done?

Quite the opposite, I wholeheartedly agree.

RFC2251, section 3.2.1:

   Servers MUST NOT permit clients to add attributes to an entry unless
   those attributes are permitted by the object class definitions, the
   schema controlling that entry (specified in the subschema - see
   below), or are operational attributes known to that server and used
   for administrative purposes.  Note that there is a particular
   objectClass 'extensibleObject' defined in [5] which permits all user
   attributes to be present in an entry.

Section 4.7 (the Add operation):

   - attributes: the list of attributes that make up the content of the
     entry being added.  Clients MUST include distinguished values
     (those forming the entry's own RDN) in this list, the objectClass
     attribute, and values of any mandatory attributes of the listed
     object classes.  Clients MUST NOT supply the createTimestamp or
     creatorsName attributes, since these will be generated
     automatically by the server.

From 3.2.1 again:

   a country).  When creating an entry or adding an objectClass value to
   an entry, all superclasses of the named classes are implicitly added
   as well if not already present, and the client must supply values for
   any mandatory attributes of new superclasses.

The above seems to suggest requirements for clients, not servers, but that
is not really the case; 3.2.1 also explains:

   Schema is the collection of attribute type definitions, object class
   definitions and other information which a server uses to determine
   how to match a filter or attribute value assertion (in a compare
   operation) against the attributes of an entry, and whether to permit
   add and modify operations.

So the server uses the schema in the decision process, and this is a
general concept that goes beyond those specific places where the
RFC authors cared to include a specific requirement on the server
as the one included in the first paragraph I quoted.

IMHO, OpenLDAP has to meet the specification in its default setting.
The admin may break the standard as much as she wants, including
patching the source up to the point that it does not talk LDAP anymore.

Having a 'good reason' can be used to escape meeting a SHOULD requirement,
but MUST requirements cannot be waived.  So schemacheck has to be on by
default.  If the admin disables it, then the server becomes non-conformant,
but that choice is only hers to make.  The docs should be updated to
label clearly those options that, when taken, make the result non-conformant.

By the way, I also vote for lastmod on by default.  Notice that while
RFC2251 says an entry MAY contain a number of operational attributes
and includes these among them, RFC2252 then goes into detail about them
and says they SHOULD appear after an Add or Modify operation as
appropriate.  In this case, however, a 'good reason' may be used to keep
the default off or even to remove the facility completely.