Steve Linberg wrote:

> Greetings, all.
>
> I apologize in advance for what I suspect is a skull-thumpingly basic question, but I've been Googling for days and digging through LDAP reference books and can't find an answer, or even anything that addresses the subject. My background is an RDMS guy trying to get up to speed in LDAP so I can extend an AD schema to add a few fields to a place I'm consulting for, so it can hook into other systems I'm trying to deploy.
>
> My question is: is there any way to define an LDAP field that only has a predefined set of acceptable values? For example, is it possible to have a field like "favoritePrimaryColor" with allowable values of only "Red", "Yellow", and "Blue"?
>
> In an RDMS, you'd set up either an enum (if you're using SQL extensions that permit it), or use a foreign key relating to another table, but I know that LDAP prefers to be flat and gains its speed in part from not doing lookups.
>
> Still, I need a way to prevent invalid values in certain fields, and I'm trying to find out whether that can be controlled in schema definitions, or whether it has to be managed at the application level. The more concrete real-world need here is that I need to extend the "user" class to create an "employee" class that allows one or more sets of (job title, code, and location) per person (employees here often wear more than one hat, with different privileges and trainings to track), where the job title and location fields are both constrained by a list of about 20 allowable values and anything not in those lists should be rejected as invalid. This is both for security and to prevent against typos (like "clinician" instead of "cilnician") within the database. I'd rather have that logic be enforced by the data structures rather than the application, otherwise I'm going to have to develop another application to police the database looking for invalid values inserted from other sources.
>
> If this is a stupid question, a dope-slap and a pointer to the answer, or information about why it's not a good question, would be greatly appreciated. If it's NOT a stupid question, any answer or hint would also be greatly appreciated.
I like to think that questions are seldom stupid, while answers can often be.

As far as I know, there is nothing simple like that in LDAP; in principle, if you have access to the software of the DSA, or if it provides some plugin mechanism that allows you to write custom syntaxes, you could write your own LDAP syntax (call it "mySet") which only allows a limited set of values; then you can define attributes with that syntax, and that's it. If you need to use those attributes in filters, you may need to implement some matchingRules as well.

In OpenLDAP I implemented lots of custom syntaxes and, apart from the complexity related to how the values are constrained, the rest is (almost) straightforward. Assuming you're using a [rd]ecent version of OpenLDAP software, examples can be found in the code: see for example the authzSyntax or the OpenLDAPaciSyntax.

p.

Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
---------------------------------------
Office:   +39 02 23998309
Mobile:   +39 333 4963172
---------------------------------------
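To make the suggestion above concrete, here is an added example (not code from this thread or from OpenLDAP itself) of what the validate function for a hypothetical "mySet" syntax looks like, shaped like the per-syntax validate callback slapd calls on every add/modify. The `berval`, `Syntax`, result codes and the Red/Yellow/Blue set are local stand-ins and assumptions so that it compiles without slapd's headers.

```c
#include <stdio.h>
#include <string.h>

/* Local stand-ins so this compiles without slapd's headers. Assumption: they mirror
 * the shape of struct berval and the Syntax type passed to a syntax validate callback. */
struct berval { unsigned long bv_len; char *bv_val; };
typedef struct my_syntax { const char *name; } Syntax;

#define LDAP_SUCCESS        0x00
#define LDAP_INVALID_SYNTAX 0x15

/* The closed set of values the hypothetical "mySet" syntax accepts. */
static const char *const myset_values[] = { "Red", "Yellow", "Blue" };

/* Validate one attribute value. A berval is not guaranteed to be NUL-terminated,
 * so compare on bv_len with memcmp() rather than strcmp(). Matching is exact and
 * case-sensitive, so "red", "Yellow " and "cilnician"-style typos are all rejected;
 * slapd reports LDAP_INVALID_SYNTAX to the client as "invalid attribute syntax". */
int myset_validate(Syntax *syntax, struct berval *in)
{
    size_t n = sizeof myset_values / sizeof myset_values[0];
    (void)syntax;                          /* unused here; kept for signature fidelity */
    if (in == NULL || in->bv_val == NULL || in->bv_len == 0)
        return LDAP_INVALID_SYNTAX;        /* an empty value is never in the set */
    for (size_t i = 0; i < n; i++) {
        size_t len = strlen(myset_values[i]);
        if (len == in->bv_len && memcmp(in->bv_val, myset_values[i], len) == 0)
            return LDAP_SUCCESS;
    }
    return LDAP_INVALID_SYNTAX;
}

/* Convenience wrapper for NUL-terminated C strings. */
int myset_validate_str(const char *s)
{
    struct berval bv;
    bv.bv_val = (char *)s;
    bv.bv_len = s ? strlen(s) : 0;
    return myset_validate(NULL, &bv);
}

int main(void)
{
    const char *samples[] = { "Red", "red", "Yellow ", "Blue", "" };   /* constructed inputs */
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("\"%s\" -> %s\n", samples[i],
               myset_validate_str(samples[i]) == LDAP_SUCCESS ? "accepted" : "rejected");
    return 0;
}
```

Because the check runs inside the DSA, it applies to every writer, not just the application that owns the schema, which is exactly what removes the need for a separate policing job over the database.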
