[ldapext] Additional constraints for attribute values in subschema
Michael Ströder <michael@stroeder.com> Wed, 23 April 2008 14:38 UTC
Return-Path: <ldapext-bounces@ietf.org>
X-Original-To: ldapext-archive@optimus.ietf.org
Delivered-To: ietfarch-ldapext-archive@core3.amsl.com
Received: from core3.amsl.com (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id E92963A6BB1; Wed, 23 Apr 2008 07:38:43 -0700 (PDT)
X-Original-To: ldapext@core3.amsl.com
Delivered-To: ldapext@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 3B11E3A6868 for <ldapext@core3.amsl.com>; Wed, 23 Apr 2008 07:38:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.299
X-Spam-Level:
X-Spam-Status: No, score=-2.299 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, MIME_8BIT_HEADER=0.3]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GHDhLQ0T7JSG for <ldapext@core3.amsl.com>; Wed, 23 Apr 2008 07:38:42 -0700 (PDT)
Received: from srv1.stroeder.com (srv1.stroeder.com [213.240.180.113]) by core3.amsl.com (Postfix) with ESMTP id E516E3A6C00 for <ldapext@ietf.org>; Wed, 23 Apr 2008 07:38:41 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by srv1.stroeder.com (Postfix) with ESMTP id 7E5AB1C65BF for <ldapext@ietf.org>; Wed, 23 Apr 2008 16:38:44 +0200 (CEST)
X-Virus-Scanned: amavisd-new at stroeder.com
Received: from srv1.stroeder.com ([127.0.0.1]) by localhost (srv2.stroeder.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id q8Ro2-MUAteL for <ldapext@ietf.org>; Wed, 23 Apr 2008 16:38:02 +0200 (CEST)
Received: from [10.1.0.2] (unknown [10.1.0.2]) by srv1.stroeder.com (Postfix) with ESMTP id C937C1C6652 for <ldapext@ietf.org>; Wed, 23 Apr 2008 16:37:26 +0200 (CEST)
Message-ID: <480F49A5.7020703@stroeder.com>
Date: Wed, 23 Apr 2008 16:37:25 +0200
From: Michael Ströder <michael@stroeder.com>
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.13) Gecko/20080313 SeaMonkey/1.1.9
MIME-Version: 1.0
To: LDAP Extensions list <ldapext@ietf.org>
X-Enigmail-Version: 0.95.6
Subject: [ldapext] Additional constraints for attribute values in subschema
X-BeenThere: ldapext@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: LDAP Extension Working Group <ldapext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/ldapext>, <mailto:ldapext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/pipermail/ldapext>
List-Post: <mailto:ldapext@ietf.org>
List-Help: <mailto:ldapext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ldapext>, <mailto:ldapext-request@ietf.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: ldapext-bounces@ietf.org
Errors-To: ldapext-bounces@ietf.org
HI! I'd like to discuss the idea of defining and publishing additional constraints on attribute values in the subschema subentry in a standardized way so that schema-aware clients can obey these constraints guiding the user and servers can enforce these constraints when entries are added or modified. Please let me know what you think about explanations below. Ciao, Michael. ---------------------------------------------------------------------- Sometimes it's not sufficient to simply specify an existing LDAP syntax or SINGLE-VALUE flag for an attribute type to express more specific constraints on attribute values. Such constraints are considered most times to be part of a local directory profile defined by the DSA administrator, but it is not limited to this purpose. Schema designers MAY also define additional constraints in published standards. Also servers MAY enforce constraints not specified like explained herein (e.g. a unique value constraint). There are several possible approaches for this: 1. Extend attributeTypes in subschema subentry with additional parameters. This would require to change standard schema definitions for locally profiling a directory which is widely considered bad practice. Also compability to older implementations is a risk. 2. Proprietary server-configuration like already implemented in server products. The caveat is that an interactive schema-aware client cannot retrieve this constraint information in a standardized way. So guiding the user to do the right thing is not possible. 3. A subentry specification for a part of the DIT. Unfortunately this mechanism is AFAIK not widely supported in current server implementations and needs more work. 4. My proposal is to add a new attribute 'attributeConstraints' to the subschema subentry which associates additional constraints with a certain attribute type by OID crossref similar like DIT content rules do for structural object classes. Possible constraints: REGEX Regular expression defining a valid syntax of attribute values VALUES Explicit set of possible attribute values. (The constraint itself could also be achieved by REGEX but it enables the client to provide a typical select list at the user interface.) LDAPURI LDAP URL specifying a set of possible attribute values as LDAP search results. If attrs is not specified the DNs of the found entries are the set of possible values. OPTIONS Set of possible tagging attribute options or option tag/range prefixes. MAXNUMBER max. count of multi-valued attribute values MAXBYTELEN maximum numbers of bytes MAXCHARLEN maximum lenght of a character-based string (depending on syntax) Either one of REGEX, VALUES and LDAPURI SHALL be allowed, not combinations of these parameters. Examples (lines partially wrapped in this message): For constraining attribute type 'o' to a set of 'o' attribute values of already existing company entries. (This might cause problems if only one subschema subentry is present for the whole DIT.) attributeConstraints ( 2.5.4.10 LDAPURI ldap://dir.example.com/ou=Companies,dc=example,dc=com?o?one?(objectClass=organization) ) For attribute type 'manager' be chosen from DNs of existing entries: attributeConstraints ( 0.9.2342.19200300.100.1.10 LDAPURI ldap://dir.example.com/dc=example,dc=com??sub?(&(objectClass=inetOrgPerson)(title=Manager)) ) For attribute type 'jpegPhoto' of restricted size and to a single value (overrides multi-valued default): attributeConstraints ( 0.9.2342.19200300.100.1.60 MAXNUMBER 1 MAXBYTELEN 4000 ) Restricting a (proprietary) attribute 'gender' to values specified in ISO standard 5801: attributeConstraints ( 1.3.6.1.4.1.5427.1.389.4.7 VALUES ( '0' $ '1' $ '2' $ '9' ) ) _______________________________________________ Ldapext mailing list Ldapext@ietf.org https://www.ietf.org/mailman/listinfo/ldapext
- Re: [ldapext] Additional constraints for attribut… Steven Legg
- [ldapext] Additional constraints for attribute va… Michael Ströder
- Re: [ldapext] Additional constraints for attribut… Kurt Zeilenga
- [ldapext] extensions for subschema (was: Addition… Michael Ströder