So after asking our LDAP developer, no, I'm not misunderstanding our
product, it really does want that attribute with DNs. It seems that
most LDAP implementations (he cited Domino and Active Directory)
provide that attribute. It does keep our product from working with
OpenDirectory and the default OpenLDAP schema, though.
Thank you both (Adam and Vulpes) for your help and comments.
Why, both of these provide "groupOfNames/member" by default.
Well, to be more specific, it keeps our product from working with
them out of the box, because those attributes aren't populated by
default.
I don't understand this statement: "because those attributes aren't
populated by default". Why would an application care how the values
get created? And this schema [if that is what you mean] is there by
default and has been for a long time.

Maybe I'm misunderstanding something fundamental about LDAP.

I think that LDAP is a hierarchical database where its objects are defined by arbitrary string/string pairs (attributes/values). I think that a schema is a map of the attributes that may (or must) exist on a given type of object.

When I say that "these values are not populated by default," I mean that the attributes required by the groupOfNames schema (namely 'member') are not present by default on LDAP groups in OpenLDAP. That is, if I ask an OpenLDAP posixGroup for 'member', I will not get back a multi-valued attribute called 'member' that contains a list of the DNs of its members.

When I look for groupOfNames in (on FreeBSD) /usr/local/etc/openldap/schema, I see a definition in core.schema that looks like this:

objectclass ( 2.5.6.9 NAME 'groupOfNames'
        DESC 'RFC2256: a group of names (DNs)'
        SUP top STRUCTURAL
        MUST ( member $ cn )
        MAY ( businessCategory $ seeAlso $ owner $ ou $ o $ description ) )

Does this class mean anything other than what it says here? Since my response that "these attributes aren't populated by default" doesn't make sense to you, does that mean that LDAP provides significantly more than arbitrary string/string pairs for its objects? Does a given 'schema' (if I'm even using the word correctly) have 'smarts' that allows it to interact more complicatedly than just storing a bunch of strings? Do I have a whole lot more reading to do? :)
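
Added example, not part of the original message or of OpenLDAP: a small Python check that reads the groupOfNames definition quoted above and tests entries against its MUST/MAY lists. The two sample entries are constructed, and memberUid and gidNumber are assumed here as the usual posixGroup attributes (RFC 2307), which the thread itself does not name.

```python
import re

# Definition as quoted in the message above (OpenLDAP core.schema).
GROUP_OF_NAMES = """
objectclass ( 2.5.6.9 NAME 'groupOfNames'
        DESC 'RFC2256: a group of names (DNs)'
        SUP top STRUCTURAL
        MUST ( member $ cn )
        MAY ( businessCategory $ seeAlso $ owner $ ou $ o $ description ) )
"""

# Constructed sample entries (attribute name -> list of values).
POSIX_GROUP = {
    "objectClass": ["posixGroup"],
    "cn": ["staff"],
    "gidNumber": ["20"],
    "memberUid": ["alice", "bob"],      # login names, not DNs
}
NAMES_GROUP = {
    "objectClass": ["groupOfNames"],
    "cn": ["staff"],
    "member": ["uid=alice,ou=people,dc=example,dc=com"],
}

def attr_list(keyword, definition):
    """Attribute names following MUST or MAY: '( a $ b )' or a single name."""
    m = re.search(r"\b%s\s+(?:\(([^)]*)\)|([\w-]+))" % keyword, definition)
    if not m:
        return []
    raw = m.group(1) if m.group(1) is not None else m.group(2)
    return [a.strip() for a in raw.split("$") if a.strip()]

def parse_objectclass(definition):
    """Extract the class name and its required/optional attribute lists."""
    name = re.search(r"NAME\s+'([^']+)'", definition).group(1)
    return {"name": name,
            "must": attr_list("MUST", definition),
            "may": attr_list("MAY", definition)}

def check_entry(entry, oc):
    """Return (missing MUST attributes, attributes the class does not allow)."""
    # LDAP attribute names are case-insensitive; an empty value list counts as absent.
    present = {k.lower() for k, v in entry.items() if v}
    missing = [a for a in oc["must"] if a.lower() not in present]
    allowed = {a.lower() for a in oc["must"] + oc["may"]} | {"objectclass"}
    extra = sorted(k for k in entry if k.lower() not in allowed)
    return missing, extra

if __name__ == "__main__":
    oc = parse_objectclass(GROUP_OF_NAMES)
    print(oc["name"], "posixGroup entry:", check_entry(POSIX_GROUP, oc))
    print(oc["name"], "groupOfNames entry:", check_entry(NAMES_GROUP, oc))
```
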


