
Re: schema design and schema restrictions



On Wed, Nov 26, 2008 at 05:31:59PM +0200, Buchan Milne wrote:

> On Wednesday 26 November 2008 17:03:55 Mansour Al Akeel wrote:

> > Thank you Michael, but posixAccount doesn't require the password, which
> > makes it not suitable for authentication.
> 
> But, inetOrgPerson (as it inherits from person) allows userPassword, so this 
> is irrelevant.

It is also worth pointing out that making attributes mandatory
(using MUST in schema files) is usually a bad idea. It can
severely restrict your flexibility when creating entries, and
often leads to silly workarounds like creating objects with
dummy attribute values just to satisfy the rules.

This mistake was made in several of the early objectclass
definitions. One example is groupOfNames where the definition
makes it impossible to have an empty group.

You may find my Schema Design paper helpful:

	http://www.skills-1st.co.uk/papers/ldap-schema-design-feb-2005/index.html

Andrew
-- 
-----------------------------------------------------------------------
|                 From Andrew Findlay, Skills 1st Ltd                 |
| Consultant in large-scale systems, networks, and directory services |
|     http://www.skills-1st.co.uk/                +44 1628 782565     |
-----------------------------------------------------------------------
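
An added example, not part of the original message or the linked paper: a small validator that applies an objectclass's MUST/MAY lists to an entry, showing why an empty groupOfNames is rejected and how a dummy member gets around the rule. The groupOfNames definition is the one from RFC 4519; the 'exampleGroup' class, its OID and all entries and DNs are constructed for illustration.

```python
import re

# RFC 4519 definition of groupOfNames: 'member' is mandatory (MUST).
GROUP_OF_NAMES = ("( 2.5.6.9 NAME 'groupOfNames' SUP top STRUCTURAL "
                  "MUST ( member $ cn ) "
                  "MAY ( businessCategory $ seeAlso $ owner $ ou $ o $ description ) )")

# Constructed alternative (hypothetical name, placeholder OID): 'member' is optional.
RELAXED_GROUP = ("( 1.1.2.2.1 NAME 'exampleGroup' SUP top STRUCTURAL "
                 "MUST cn MAY ( member $ owner $ description ) )")

def parse_objectclass(definition):
    """Extract NAME, MUST and MAY from an RFC 4512 objectclass description."""
    name = re.search(r"NAME\s+'([^']+)'", definition).group(1)

    def attrs(keyword):
        # Accept both "MUST cn" and "MUST ( member $ cn )".
        m = re.search(r"\b" + keyword + r"\s+(?:\(([^)]*)\)|([\w-]+))", definition)
        if not m:
            return set()
        raw = m.group(1) if m.group(1) is not None else m.group(2)
        return {a.strip().lower() for a in raw.split("$") if a.strip()}

    return {"name": name, "must": attrs("MUST"), "may": attrs("MAY")}

def validate(entry, oc):
    """Return schema violations for entry (dict: attribute -> list of values)."""
    present = {k.lower() for k, v in entry.items()
               if v and k.lower() != "objectclass"}
    problems = [f"missing MUST attribute: {a}" for a in sorted(oc["must"] - present)]
    allowed = oc["must"] | oc["may"]
    problems += [f"attribute not allowed: {a}" for a in sorted(present - allowed)]
    return problems

# Constructed sample entries.
EMPTY_GROUP = {"objectClass": ["groupOfNames"], "cn": ["auditors"]}
DUMMY_GROUP = {"objectClass": ["groupOfNames"], "cn": ["auditors"],
               "member": ["cn=dummy,dc=example,dc=com"]}  # workaround value

if __name__ == "__main__":
    strict = parse_objectclass(GROUP_OF_NAMES)
    relaxed = parse_objectclass(RELAXED_GROUP)
    print("strict, empty group :", validate(EMPTY_GROUP, strict))
    print("strict, dummy member:", validate(DUMMY_GROUP, strict))
    print("relaxed, empty group:", validate(EMPTY_GROUP, relaxed))
```

With the strict class the only way to store a memberless group is the dummy member value, which then appears in every membership lookup on that group.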