Re: [ldapext] Schema for posixGroup successor (RFC 2307 bis)

Andrew Findlay, Thu, 12 February 2015 10:27 UTC


On Wed, Feb 11, 2015 at 10:58:31AM +0100, Michael Ströder wrote:

> To preserve backwards compatibility I'd like to propose the following:
> ( <OID TBD>
>   NAME 'posixGroup2'
>   DESC '<TBD>'
>   SUP ( groupOfEntries $ posixGroup )

That's a very cunning plan, but I am not sure that it will work...

> 1. posixGroup2 would have 'member' and 'memberUID' both as optional attributes,

That depends on exactly how multiple inheritance works. The only
definition I have found so far is in RFC4512:

      An object class may be derived from two or more direct
      superclasses (superclasses not part of the same superclass chain).
      This feature of subclassing is termed multiple inheritance.

   Each object class identifies the set of attributes required to be
   present in entries belonging to the class and the set of attributes
   allowed to be present in entries belonging to the class.  As an entry
   of a class must meet the requirements of each class it belongs to, it
   can be said that an object class inherits the sets of allowed and
   required attributes from its superclasses.  A subclass can identify
   an attribute allowed by its superclass as being required.  If an
   attribute is a member of both sets, it is required to be present.

Thus I think that your new class would have *more* mandatory
attributes than either of its superiors:

	MUST ( member $ cn $ gidNumber )

Not quite the point as we really want member to be optional.

> 2. the object class still can be found with (objectClass=posixGroup) and

I like that bit!

> 3. the object class is STRUCTURAL and therefore one can assign a specific DIT
> content rule to it allowing to preclude either 'member' or 'memberUID' with
> NOT to meet local system requirements.


Looking through the common schemas it seems that multiple inheritance
is extremely rare, so I wonder whether all servers would even agree on
how it works...

|                 From Andrew Findlay, Skills 1st Ltd                 |
| Consultant in large-scale systems, networks, and directory services |
|                +44 1628 782565     |
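
The RFC 4512 inheritance rule quoted in the message above, worked through as an added example that is not part of the original message: it parses object class descriptions, follows every superclass chain, and computes the effective MUST and MAY sets of a class with two superiors. The class names and OIDs are constructed placeholders (assumptions), not the published definitions of groupOfEntries or posixGroup, and `missing_required` is a hypothetical helper.

```python
import re

# Constructed definitions in RFC 4512 ObjectClassDescription syntax.
# OIDs and class names are placeholders, not any real published schema.
SCHEMA = [
    "( 1.1.1 NAME 'exGroupStrict' SUP top STRUCTURAL MUST ( cn $ member ) )",
    "( 1.1.2 NAME 'exGroupLoose' SUP top STRUCTURAL MUST cn MAY ( member $ description ) )",
    "( 1.1.3 NAME 'exPosix' SUP top STRUCTURAL MUST ( cn $ gidNumber ) MAY memberUid )",
    "( 1.1.4 NAME 'exBoth' SUP ( exGroupStrict $ exPosix ) STRUCTURAL )",
    "( 1.1.5 NAME 'exBothLoose' SUP ( exGroupLoose $ exPosix ) STRUCTURAL )",
]

def _oids(text, keyword):
    """Names following SUP/MUST/MAY: either one name or a ( a $ b ) list."""
    m = re.search(rf"\b{keyword}\s+(?:\(([^)]*)\)|([\w.;-]+))", text)
    if not m:
        return []
    return [n.strip() for n in (m.group(1) or m.group(2)).split("$") if n.strip()]

def parse(definitions):
    """Map lower-cased class name -> its own SUP, MUST and MAY lists."""
    classes = {}
    for d in definitions:
        name = re.search(r"NAME\s+'([^']+)'", d).group(1).lower()
        classes[name] = {k: [n.lower() for n in _oids(d, k)]
                         for k in ("SUP", "MUST", "MAY")}
    return classes

def effective(classes, name, _seen=None):
    """Return (must, may) for a class, merged over all of its superclasses."""
    seen = set() if _seen is None else _seen
    name = name.lower()
    if name == "top" or name in seen:
        return set(), set()  # 'top' only requires objectClass, omitted here
    seen.add(name)
    cls = classes[name]
    must, may = set(cls["MUST"]), set(cls["MAY"])
    for sup in cls["SUP"]:
        s_must, s_may = effective(classes, sup, seen)
        must |= s_must
        may |= s_may
    # An attribute in both sets is required, so it drops out of MAY.
    return must, may - must

def missing_required(classes, name, entry_attrs):
    """Required attributes that an entry of this class does not carry."""
    must, _ = effective(classes, name)
    return sorted(must - {a.lower() for a in entry_attrs})
```

With these constructed classes, whether `member` ends up required in the subclass depends entirely on whether any one superior lists it under MUST.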