[Date Prev][Date Next]
I have noticed in various documents purporting to describe LDAP and
OpenLDAP that in LDIF files most insisted on including objectclass: top
some did not, further most documents included the objectclass hierarchy
(e.g. objectclass: person and objectclass: inetOrgPerson) but some did
not. My reading of the RFC is not conclusive on either point.
I've just run a series of experiments using OpenLDAP 2.0.27-2.7.1 on a
RedHat 7.1 ish installation to try and prove the issue:
I was able to create an apparently fully operational LDAP directory
(with my small experimental data set) without.
1. any objectclass:top entries
2. a single objectclass: inetOrgPerson (no hierarchy)
It also appeared that I was able to search on attributes that were
included in the object hierarchy but not in inetOrgPerson (e.g.
telephonenumber, cn and sn). I could find no apparent problems in the
limited testing that I did
This seems to me to be sensible behavior since the schema defines to
OpenLDAP the object hierarchy including top and OpenLDAP can process it
a lot faster than I can type it!. Further as a naturally lazy human
being it has lots of appeal! However before I go barreling into
full-blooded ruby/openldap implementation using this technique:
1. is there anything I cannot do with this set-up
2. are there limitations in using this approach security etc. etc
3. is there something coming down the pike that is going to make me
suffer for my laziness
Appreciate any help, thoughts or insight.