Hi guys,

I have been working for the last 3 days on DIRSERVER-758, and while trying to fix it, I just felt like I have found something pretty ugly. I need your opinion on some points, and choices.

Just to summarize, DIRSERVER-758 was about creating an entry with attributes not existing or not part of any objectclasses.

For instance, here is one kind of entry which is problematic :

dn: c=france, ou=system
objectclass : inetOrgPerson
sn: emmanuel

This entry has four problems :
1) The 'c' attribute is not declared in the entry's attributes
2) The 'c' attribute is associated with the 'country' object class, which is not listed as an attribute for this entry
3) Some object classes are missing : 'top', 'person', 'organizationalPerson' and of course 'country'
4) Some attributes are missing : 'sn', 'cn', declared in objectclass 'person'

Ok, so far, it seems that this entry is not correct. Alas, we can inject it in the server :(

This is what I was trying to fix. Now, here are my questions :

1) Regarding missing ObjectClasses
1-a)
We can add some of the missing ObjectClasses, like 'top', 'person', 'organizationalPerson', because we have all the needed information to rebuild the hierarchy starting from 'inetOrgPerson'.

 Q : Is it a good idea to do so, instead of simply rejecting the entry ?



2) Regarding missing attributes
2-a)
If we have a RDN with an attribute not declared as an attribute of the entry, it should be rejected, as stated by RFC 2251 ( 4.7. Add Operation :
"...

- attributes: the list of attributes that make up the content of the
    entry being added.  Clients MUST include distinguished values
    (those forming the entry's own RDN) in this list,..."

 Q : Is that ok with you to reject such entries ?



2-b) If an attribute is added to the entry, but without the associated ObjectClass, then it should not be accepted, unless we have added the missing ObjectClass following 1-a above

 Q : wdyt ?



3) Regarding use of JNDI API
In some places of the code ( mainly tests ), we use the Context.createSubcontext( name ) method. This leads to a serious problem, because we have no clue about which objectclass to use and no clue about how to create MUST attributes if needed. Consider a call where name is 'ou=apache, ou=system', we will have to add an objectclass, but which one ? 'ou' is used by applicationEntity <http://ldap.akbkhome.com/index.php/objectclass/applicationEntity.html>, applicationProcess <http://ldap.akbkhome.com/index.php/objectclass/applicationProcess.html>, device <http://ldap.akbkhome.com/index.php/objectclass/device.html>, groupOfNames <http://ldap.akbkhome.com/index.php/objectclass/groupOfNames.html>, groupOfUniqueNames <http://ldap.akbkhome.com/index.php/objectclass/groupOfUniqueNames.html>, organizationalRole <http://ldap.akbkhome.com/index.php/objectclass/organizationalRole.html>, organizationalUnit <http://ldap.akbkhome.com/index.php/objectclass/organizationalUnit.html>, organizationalPerson <http://ldap.akbkhome.com/index.php/objectclass/organizationalPerson.html>

Other cases are pretty obvious :
- an entry with missing attributes (declared as MUST in the entry's 
ObjectClass) should be considered as an error
- an RDN like test=acme should not be accepted, unless 'test' is declared as a 
valid attribute.

Special cases are like collective attributes, extensibleObject objectclasses, 
operational attributes, top, are supposed to be handled correctly.

Any ideas, comments, insight ?

Thanks !

Emmanuel
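
The checks discussed in points 1-a, 2-a and 2-b, sketched as an added example that is not part of the original message and not ApacheDS code. The mini-schema, the function names and the error strings are constructed for illustration; extensibleObject, collective and operational attributes are not handled.

```python
# Constructed mini-schema (simplified, for illustration only):
# objectClass -> (superior, MUST attributes, MAY attributes)
SCHEMA = {
    "top": (None, {"objectclass"}, set()),
    "person": ("top", {"sn", "cn"}, {"telephonenumber", "description"}),
    "organizationalperson": ("person", set(), {"ou", "title"}),
    "inetorgperson": ("organizationalperson", set(), {"mail", "uid"}),
    "country": ("top", {"c"}, {"description"}),
}

def expand(classes):
    """Listed classes plus every superior up to 'top' (question 1-a)."""
    seen = set()
    for oc in classes:
        while oc is not None and oc not in seen:
            seen.add(oc)
            oc = SCHEMA[oc][0]
    return seen

def validate_add(dn, attrs):
    """Return the schema violations of an Add request as a list of strings.

    Assumptions: names and values compare case-insensitively, and the DN
    contains no escaped ',' '+' or '=' characters (naive RDN parsing).
    """
    entry = {k.lower(): [v.lower() for v in vs] for k, vs in attrs.items()}
    listed = set(entry.get("objectclass", []))
    unknown = listed - set(SCHEMA)
    errors = [f"unknown objectClass '{oc}'" for oc in sorted(unknown)]
    classes = expand(listed - unknown)
    errors += [f"objectClass '{oc}' not listed" for oc in sorted(classes - listed)]
    must = set().union(*(SCHEMA[oc][1] for oc in classes))
    may = set().union(*(SCHEMA[oc][2] for oc in classes))
    # 2-a: every distinguished value of the RDN must be among the attributes
    for ava in dn.split(",")[0].split("+"):
        name, value = (p.strip().lower() for p in ava.split("=", 1))
        if value not in entry.get(name, []):
            errors.append(f"RDN value {name}={value} missing from attributes")
    # MUST attributes of the whole class hierarchy have to be present
    errors += [f"MUST attribute '{a}' missing" for a in sorted(must - set(entry))]
    # 2-b: an attribute needs an objectClass that allows it
    errors += [f"attribute '{a}' not allowed" for a in sorted(set(entry) - must - may)]
    return errors

# The entry from the message above
PROBLEM = validate_add("c=france, ou=system",
                       {"objectclass": ["inetOrgPerson"], "sn": ["emmanuel"]})
if __name__ == "__main__":
    print("\n".join(PROBLEM))
```

A server that chooses to complete the hierarchy as in 1-a would add the result of expand() to the entry instead of reporting the "not listed" errors.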
