[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Please tell me I have something configured wrong...

In my opinion, since OpenLDAP allows this, it is essentially allowing the DB to become corrupted (i.e. references to non-existent entries).  If the DS does not do some kind of verification (other than make sure it is formatted correctly) on a DN attribute, why not just make it a Directory String?

>>> Ingo Schaefer <ingo@ingo-schaefer.de> 08/15/02 03:40PM >>>
Hallo, am Donnerstag, 15. August 2002 16:19 schrieb Tony Thompson:
> I have a groupOfNames object and I am adding members to the group. 
> I noticed that I can any DN to the "member" attribute, even if the
> DN doesn't exist.  For example, I added "cn=fred,dc=example,dc=com"
> as a "member" of my group.  My suffix is not "dc=example,dc=com"
> and I don't have an object named "fred" anywhere in my database.  I
> tested adding a string linke "nothing" and it failed because it
> didn't follow the syntax rules.  I could however add "cn=nothing"
> and it worked.
> Is there a way to make OpenLDAP verify that the DN that is being
> added is valid and fail the operation if it is not?

If it would do so, it will be a RDBMS.
the App, which is used for manipulating LDAP-Entries, should ensure 
the consistency.

Just my opinion, unverified.
Ingo Schaefer