Re: [ldapext] Fwd: New Version Notification for draft-stroeder-namedobject-00.txt
Andrew Findlay <andrew.findlay@skills-1st.co.uk> Tue, 08 January 2013 13:18 UTC
Return-Path: <andrew.findlay@skills-1st.co.uk>
X-Original-To: ldapext@ietfa.amsl.com
Delivered-To: ldapext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 124B121F8863 for <ldapext@ietfa.amsl.com>; Tue, 8 Jan 2013 05:18:20 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.3
X-Spam-Level:
X-Spam-Status: No, score=-2.3 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, MIME_8BIT_HEADER=0.3, NO_RELAYS=-0.001]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id E9N2J90iDfhl for <ldapext@ietfa.amsl.com>; Tue, 8 Jan 2013 05:18:19 -0800 (PST)
Received: from kea.ourshack.com (kea.ourshack.com [IPv6:2001:470:1f15:20::201]) by ietfa.amsl.com (Postfix) with ESMTP id 0B1B421F8751 for <ldapext@ietf.org>; Tue, 8 Jan 2013 05:18:18 -0800 (PST)
Received: from 4.0.a.4.d.d.a.d.c.0.3.9.1.1.5.6.1.e.7.f.0.d.8.0.0.b.8.0.1.0.0.2.ip6.arpa ([2001:8b0:8d0:f7e1:6511:930c:dadd:4a04] helo=slab.skills-1st.co.uk) by kea.ourshack.com with esmtpsa (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.72) (envelope-from <andrew.findlay@skills-1st.co.uk>) id 1TsZ5d-0006rL-Bu; Tue, 08 Jan 2013 13:19:37 +0000
Received: from andrew by slab.skills-1st.co.uk with local (Exim 4.80.1) (envelope-from <andrew.findlay@skills-1st.co.uk>) id 1TsZ4M-0006L7-5m; Tue, 08 Jan 2013 13:18:18 +0000
Date: Tue, 08 Jan 2013 13:18:18 +0000
From: Andrew Findlay <andrew.findlay@skills-1st.co.uk>
To: Michael Ströder <michael@stroeder.com>
Message-ID: <20130108131817.GY5797@slab.skills-1st.co.uk>
References: <20121216194204.3327.80452.idtracker@ietfa.amsl.com> <50CE24C6.3000006@stroeder.com> <20130107123045.GX5797@slab.skills-1st.co.uk> <50EB29C2.8080601@stroeder.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <50EB29C2.8080601@stroeder.com>
User-Agent: Mutt/1.5.21 (2010-09-15)
Sender: Andrew Findlay <andrew.findlay@skills-1st.co.uk>
Cc: ldapext <ldapext@ietf.org>
Subject: Re: [ldapext] Fwd: New Version Notification for draft-stroeder-namedobject-00.txt
X-BeenThere: ldapext@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: LDAP Extension Working Group <ldapext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ldapext>, <mailto:ldapext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ldapext>
List-Post: <mailto:ldapext@ietf.org>
List-Help: <mailto:ldapext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ldapext>, <mailto:ldapext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 08 Jan 2013 13:18:20 -0000
On Mon, Jan 07, 2013 at 09:02:10PM +0100, Michael Ströder wrote: > > I would therefore prefer *not* > > to use CN as the naming attribute. I propose including > > uniqueIdentifier as a MUST attribute and strongly suggesting its use > > as the RDN. > > [..] > > I would suggest advising the use of opaque values for > > uniqueIdentifier to make sure that the DN never has to be modified. > > While I strongly agree with the basic idea I won't write it in the I-D like > this to preserve backwards-compability with [I-D.howard-namedobject] which is > already used in some implementations. (I did not preserve the OID though.) The original I-D made CN mandatory in the text but optional in the schema definition. Looking around for things that use namedObject, I found: 1 SuSE's YaST version of the RFC2307bis schema where they apparently use namedObject for empty groups and then change the object class to groupOfNames when the group gets a member! 2 ForgeRock inculude the I-D.howard-namedobject definition in their core schema 3 OpenLDAP does not ever seem to have distributed a definition for this class 4 Gosa includes exactly the same RFC2307bis schema that SuSE uses. 5 Kolab seems to have an incompatible derivative using the original OID and a new name: olcObjectClasses: ( 1.3.6.1.4.1.5322.13.1.1 NAME 'kolabNamedObject' SUP top STRUCTURAL MAY (cn $ ou) ) There is at least one other definition of namedObject floating around though I don't know whether it has ever been used: http://tools.ietf.org/id/draft-furuseth-ldap-untypedobject-02.txt That one permits a wide range of attributes but expects you to use just one of them in the entry. If we assume that only the I-D.howard-namedobject version is actually used in the wild, then one option for preserving compatibility would be: ( 1.3.6.1.4.1.5427.1.389.6.20 NAME 'namedObject' SUP top STRUCTURAL MAY ( uniqueIdentifier $ cn $ displayName $ description ) ) > For the next version of the I-D this text is meant to express a preference for > using 'uniqueIdentifier' over 'cn' to form the RDN: > > If the optional attribute 'uniqueIdentifier' contains a value it > SHOULD be used to form the RDN of the entry. Perhaps add: There are advantages to using opaque (meaningless) values in the RDN of the entry, as this allows all meaningful attributes to be modified without changing the RDN. > Otherwise the mandantory attribute 'cn' SHOULD be used to form > the RDN of the entry if there are no other appropriate naming > attributes available. > Other attributes allowed by auxiliary classes also MAY be used for > naming purposes. This would still permit the traditional use of the objectclass, but would provide a pointer towards better design practice. > But 'displayName' is not really widely used and only defined in RFC 2798. So I > prefer 'cn' over 'displayName' also because of backward-compability to > [I-D.howard-namedobject]. But I agree that 'displayName' being SINGLE-VALUE is > an advantage. RFC2798 defines inetOrgPerson, so displayName is almost certain to be available in every deployed LDAP server. The only objection that I can see is that the attribute description refers to 'a person': ( 2.16.840.1.113730.3.1.241 NAME 'displayName' DESC 'preferred name of a person to be used when displaying entries' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE ) I have used displayName for years in all sorts of entries because its purpose and usage is very clear. I am not sure that it is necessary to say anything about how to display lists of items, but if you want to keep that in, how about: LDAP clients displaying entries of these object classes SHOULD take the title of the entry from the displayName attribute if available, otherwise from the cn or other appropriate attribute. The value of the uniqueIdentifier attribute will not usually be useful to a human user. > > Perhaps a separate I-D > > defining an auxiliary class for ordering would be better. > > Looking forward to your I-D specifying it... ;-) I will give it some thought! Andrew -- ----------------------------------------------------------------------- | From Andrew Findlay, Skills 1st Ltd | | Consultant in large-scale systems, networks, and directory services | | http://www.skills-1st.co.uk/ +44 1628 782565 | -----------------------------------------------------------------------
- [ldapext] Fwd: New Version Notification for draft… Michael Ströder
- Re: [ldapext] Fwd: New Version Notification for d… Charlie
- Re: [ldapext] Fwd: New Version Notification for d… Andrew Sciberras
- Re: [ldapext] Fwd: New Version Notification for d… Michael Ströder
- Re: [ldapext] [ldap] Fwd: New Version Notificatio… Michael Ströder
- Re: [ldapext] Fwd: New Version Notification for d… Andrew Findlay
- Re: [ldapext] Fwd: New Version Notification for d… Michael Ströder
- Re: [ldapext] Fwd: New Version Notification for d… Andrew Findlay
- Re: [ldapext] [ldap] Re: Fwd: New Version Notific… Linus van Geuns