[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Oracle OpenLDAP PPolicy ppolicy and the hierarchy

To: Christian Kratzer <ck@cksoft.de>
Subject: Re: Oracle OpenLDAP PPolicy ppolicy and the hierarchy
From: Hallvard Breien Furuseth <h.b.furuseth@usit.uio.no>
Date: Thu, 26 Dec 2013 14:07:58 +0100
Cc: Howard Chu <hyc@symas.com>, Michael Ströder <michael@stroeder.com>, Arthur de Jong <arthur@arthurdejong.org>, openldap-technical@openldap.org
In-reply-to: <alpine.BSF.2.00.1312261123140.27797@pohjola.cksoft.de>
References: <02B24DE5CB6DFD4497226B2F508790E2E9A4@MATSVEMBX01.mclane.local> <20131223225228.3281a32b@pink.avci.de> <1387975788.4767.6.camel@sorbet.thuis.net> <52BAEB36.7090100@stroeder.com> <52BAFD4D.6010106@stroeder.com> <52BB5E9E.2000006@symas.com> <alpine.BSF.2.00.1312261123140.27797@pohjola.cksoft.de>

Christian Kratzer writes:
>On Wed, 25 Dec 2013, Howard Chu wrote:
>> Was going to reply but Michael beat me to it. Reiterating all the points 
>> Michael made. There is no good reason to use memberUid or uniqueMember in 
>> LDAP, both of these schema elements are deeply flawed.
> 
> thanks to both of you of bringing this up once more.
> 
> I was always intending to ask what the original use case for groupOfUniqueNames
> actually was as I totally fail to see the point in the uniqueMember attributes.

I don't see a rationale in X.520, but RFCs 4517 and 4519 say the
bitstring can be used to differentiate objects with identical or
reused DNs.  Different versions of someone's certificate, maybe?

Except that doesn't work for uniqueMember in X.500: If you search for
(DN, bitstring), it matches an object with the DN and no bitstring - but
not vice versa.  Nobody in the X.500 community remembered why when we
asked, so in the LDAP standard we made the matching rule commutative.

Thus LDAP's uniqueMember probably doesn't even work right for its
original purpose, which nobody quite remembers anyway, but at least
it's no longer an implemnetation headache in the server.

-- 
Hallvard

References:
- Oracle OpenLDAP PPolicy ppolicy and the hierarchy
  - From: David Barr <David.Barr2@mclaneat.com>
- Re: Oracle OpenLDAP PPolicy ppolicy and the hierarchy
  - From: Dieter KlÃnter <dieter@dkluenter.de>
- Re: Oracle OpenLDAP PPolicy ppolicy and the hierarchy
  - From: Arthur de Jong <arthur@arthurdejong.org>
- Re: Oracle OpenLDAP PPolicy ppolicy and the hierarchy
  - From: Michael StrÃder <michael@stroeder.com>
- Re: Oracle OpenLDAP PPolicy ppolicy and the hierarchy
  - From: Michael StrÃder <michael@stroeder.com>
- Re: Oracle OpenLDAP PPolicy ppolicy and the hierarchy
  - From: Howard Chu <hyc@symas.com>
- Re: Oracle OpenLDAP PPolicy ppolicy and the hierarchy
  - From: Christian Kratzer <ck-lists@cksoft.de>

Prev by Date: Re: Oracle OpenLDAP PPolicy ppolicy and the hierarchy
Next by Date: Re: Oracle OpenLDAP PPolicy ppolicy and the hierarchy
Index(es):
- Chronological
- Thread