Re: attributes tag

[Jehan PROCACCIA <Jehan.Procaccia@int-evry.fr>]

Hallvard B Furuseth wrote:

> jehan.procaccia writes:
>  
>
> > $ grep attributeoptions /usr/local/openldap-2.2.20-1/etc/openldap/slapd.conf
> > attributeoptions x-dept-
> > attributeoptions lang-
> > (..)
> >
> > dn: uid=procacci,ou=People,dc=int-evry,dc=fr
> > title;x-dept-crmp: advisor
> > title;x-dept-inf: teacher
> > (...)
> >    
>
> Thanks!  You may just have solved a similar problem which we have at our
> site:-)
>
>  
Any one on this list already use that ? (tags !)

There still something which I cannot find do -> how do I search only the 
attribute title here ?
$ ldapsearch -x uid=procacci -h localhost title -D 
"cn=admin,dc=int-evry,dc=fr" -W -LLL
dn: uid=procacci,ou=People,dc=int-evry,dc=fr
title:: SW5nw6luaWV1ciBzeXN0w6htZXM=
title;x-dept-crmp: advisor
title;x-dept-inf: teacher
title;lang-us: system&network engineer

returns all attributes + sub (tagged) attributes

> > That would respond to my need of giving on person entry multiple title
> > and associate those title to a specific departementNumber/service in the
> > organization. However now I need to preserve a strict coherence between
> > my departementNumber value ("inf" for exemple) and my title attribute
> > option (x-dept-inf here ) !
> >
> > Before I go editing hundred of users entry and code my php
> > interogation/modification interface to support that, do you recommend
> > such a solution or are there better ones ?
> >    
>
> Solutions I can think of include:
>
> - an attribute option as you suggest,
>
> - an attribute 'intEvryDeptAndTitle' with values like 'inf$teacher',
>  
I don't like that one :-( , to much complicated to maintain ...

> - use the DIT's tree structure somehow, e.g. put a person entry
>  with title 'advisor' in a child entry of the inf dept's entry,
>  and another person entry for the same person with title advisor
>  under the crmp dept's entry.
>  
No I want to keep my directory as flat as possible, I have everyone 
persone just below ou=people,dc=int-evry,dc=fr, no mater if the are from 
department X or Y or even if they are students or employee !

>  
>
> > I once though about the
> > organizationalRole objectClass defining  each and every roles in the
> > organization and point each person entry with the seeAlso attribute to
> > their roles, but again I find this a bit complicated and not easy to
> > maintain ...
> >    
>
> Not sure how this ties a particular title of a person to a particular
> department; is i a variant of my third alternative above?
>  

Yes

> Anyway, what is best depends on your situation.  For example:
>
> - Do all "department numbers" fit the attribute option syntax in
>  RFC 2251 section 4.1.5?  That is, they consist of only ASCII letters,
>  digits and hyphens.  Also, IDs ending with '-' could be troublesome,
>  since this means an option range in some circumstances.
>  
I can manage that .

> - Do the clients which you support recognize 'title;x-dept-inf' as a
>  title attribute?
>  
I suppose no :-(, but our personnal developpemnt could do (I have to 
check if php-ldap can do it ...)

>  If not, you might want to include 'title: foo' values matching
>  all 'title;x-dept-yyy: foo' values.
>
> - A search for (title=teacher) will find title;x-dept-inf: teacher,
>  since title;x-dept-inf is a subtype of title.
>  Is that how it should work?
>  
umh ... I have to be carefull indeed ! I'am not sure that what I am 
looking for ...

> - Is your title attrbute indexed in slapd.conf?  I don't know if
>  a search for (title;x-dept-inf=teacher) will use the index.
>  Unless someone else knows, I expect you can check by turning
>  on loglevel 8480: LDAP_DEBUG_<FILTER + STATS + INDEX>.
>  
I'am not at preformance tunning yet .. but your right, i should check that .