
Re: Sensible scheme for password information?




Baruzzi Giovanni wrote:

> What you see as ObjectClass REFERS ONLY to the class Hierarchy; every Object
> MUST be a son of the ObjectClass top.

Hey, don't confuse him now that you had just given the correct answer :)

Every Object must have ObjectClass 'top' (or 'alias' by the way).  There is
some confusion created by the RFCs themselves.  From RFC2252:

4.4. Object Classes

   The format for representation of object classes is defined in X.501
   [3]. In general every entry will contain an abstract class ("top" or
   "alias"), at least one structural object class, and zero or more
   auxiliary object classes.

Alright, so "alias" is an abstract class, right?  Well, see RFC2256:

7.2. alias

   ( 2.5.6.1 NAME 'alias' SUP top STRUCTURAL MUST aliasedObjectName )

Now "alias" is a structural objectClass subordinate to "top"? Go figure...

> A more standard structure would be : uid=nfr,ou=People,o=iae,c=nl
> o=organization, c=country;
> I don't understand why dc is used instead of o,c.

Read RFC2247, the dc form has the advantage of a working registry, while
there are many places where registries under c=xx have not been organized.
Besides, unless they have such a registry in The Netherlands, 'iae' could
stand for 'Internet Access Eindhoven' or for something completely
unrelated.  If you don't have a registry, you really have to use some
string that cannot be challenged, such as:

	o=Sistemas Técnicos de Loterías del Estado S.A.E., c=ES

that is the complete, byte for byte, legal name of my organization (the
above is slightly incorrect, since it is in ISO-8859-1, I actually use
its UTF-8 form).  That is really silly and I regret not having known
about the 'dc' form, since I could make it 'dc=stl,dc=es' and I would
never have any conflict.

Julio