[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: OID syntax and NAMEs

Michael Ströder wrote:
Howard Chu wrote:
Michael Ströder wrote:
Eventual I'd like to have a constraint like this:

# check whether appropriate password policy is assigned
constraint_attribute structuralObjectClass,pwdPolicySubentry
  set "this/structuralObjectClass & this/pwdPolicySubentry/aeApplicableSOC"

Not possible without custom code.

Hmm, are this/structuralObjectClass and this/pwdPolicySubentry generally
unusable in set-constraints?

Or does it not work because of the different matching rules?

Yes, because of the matching rule issue.

This seems to be a deficiency in either ASN.1 or the LDAP spec, I'm not sure which. The problem is that numeric OIDs are obviously unique, but there's no guarantee that string names are. Moreover, the same name might apply to the OID of an attribute, or an objectclass, or a syntax, or some other entity, and there's no way to tell the objectIdentifierMatch rule which context is relevant. So, we can only match on numeric OIDs.

  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/