<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 12 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
{font-family:Consolas;
panose-1:2 11 6 9 2 2 4 3 2 4;}
@font-face
{font-family:"Times New Roman \, serif";}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";
color:black;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p.MsoPlainText, li.MsoPlainText, div.MsoPlainText
{mso-style-priority:99;
mso-style-link:"Plain Text Char";
margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";
color:windowtext;}
p
{mso-style-priority:99;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:12.0pt;
font-family:"Times New Roman","serif";
color:black;}
pre
{mso-style-priority:99;
mso-style-link:"HTML Preformatted Char";
margin:0in;
margin-bottom:.0001pt;
font-size:10.0pt;
font-family:"Courier New";
color:black;}
p.MsoAcetate, li.MsoAcetate, div.MsoAcetate
{mso-style-priority:99;
mso-style-link:"Balloon Text Char";
margin:0in;
margin-bottom:.0001pt;
font-size:8.0pt;
font-family:"Tahoma","sans-serif";
color:black;}
span.HTMLPreformattedChar
{mso-style-name:"HTML Preformatted Char";
mso-style-priority:99;
mso-style-link:"HTML Preformatted";
font-family:Consolas;
color:black;}
span.PlainTextChar
{mso-style-name:"Plain Text Char";
mso-style-priority:99;
mso-style-link:"Plain Text";
font-family:"Calibri","sans-serif";}
span.EmailStyle22
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:windowtext;}
span.EmailStyle23
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:#1F497D;}
span.EmailStyle24
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
span.BalloonTextChar
{mso-style-name:"Balloon Text Char";
mso-style-priority:99;
mso-style-link:"Balloon Text";
font-family:"Tahoma","sans-serif";
color:black;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body bgcolor=white lang=EN-US link=blue vlink=purple><div class=WordSection1><p class=MsoNormal><span style='color:#1F497D'>The second link you provided (at port 389.org) specifically mentions using the “account” objectclass. I don’t have access to RHN to read the first link, though.<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p><div style='border:none;border-left:solid blue 1.5pt;padding:0in 0in 0in 4.0pt'><div><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext'>From:</span></b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext'> 389-users-bounces@lists.fedoraproject.org [mailto:389-users-bounces@lists.fedoraproject.org] <b>On Behalf Of </b>Rich Megginson<br><b>Sent:</b> Tuesday, July 10, 2012 8:46 AM<br><b>To:</b> Anderson, Cary@CIO<br><b>Cc:</b> 'General discussion list for the 389 Directory server project.'<br><b>Subject:</b> Re: [389-users] Question regarding Combining ObjectClasses to add attributes<o:p></o:p></span></p></div></div><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>On 07/10/2012 09:01 AM, Anderson, Cary@CIO wrote: <o:p></o:p></p><p class=MsoPlainText>Thanks for the quick response.<o:p></o:p></p><p class=MsoPlainText> <o:p></o:p></p><p class=MsoPlainText>The RHN knowledgebase article I found was titled: "How to use "host" attribute to limit ldap users can be accessed by specified host?" kb# 65838<o:p></o:p></p><p class=MsoPlainText><a href="https://access.redhat.com/knowledge/solutions/65838">https://access.redhat.com/knowledge/solutions/65838</a><o:p></o:p></p><p class=MsoNormal><span style='font-size:12.0pt;font-family:"Times New Roman","serif"'><br>It doesn't say anything about an "Account" objectclass.<br><br>See also <a href="http://port389.org/wiki/Howto:Posix">http://port389.org/wiki/Howto:Posix</a><br><br><br><o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'> </span><o:p></o:p></p><p class=MsoNormal><span style='color:#1F497D'> </span><o:p></o:p></p><p class=MsoNormal><span style='color:#1F497D'> </span><o:p></o:p></p><div><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext'>From:</span></b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext'> Rich Megginson [<a href="mailto:rmeggins@redhat.com">mailto:rmeggins@redhat.com</a>] <br><b>Sent:</b> Monday, July 09, 2012 9:14 AM<br><b>To:</b> General discussion list for the 389 Directory server project.<br><b>Cc:</b> Anderson, Cary@CIO<br><b>Subject:</b> Re: [389-users] Question regarding Combining ObjectClasses to add attributes</span><o:p></o:p></p></div></div><p class=MsoNormal> <o:p></o:p></p><p class=MsoNormal>On 07/09/2012 09:44 AM, Anderson, Cary@CIO wrote: <o:p></o:p></p><p>I have recently started working with the Director Server, and I have read the documents for both 389 and RHDS, but I am having some difficulties regarding ObjectClass types, and combining them in order to extend the available attributes for an object. The documents indicate that you can only have one Structural ObjectClass and multiple Aux. ObjectClasses, and I'm a bit hazy on the rules for Abstract ObjectClasses. <o:p></o:p></p><p>If I take the example of needing to add the "host" attribute to a user object. A RHN knowledgebase article indicates to add the "hostobject" ObjectClass rather than the "Account" ObjectClass. <o:p></o:p></p><p class=MsoNormal><span style='font-size:12.0pt;font-family:"Times New Roman , serif","serif"'><br>Can you provide a link to this kbase article?<br><br><br><br></span><o:p></o:p></p><p>My assumption was that "hostobject" was an Aux. ObjectClass, and that "Account" was Structural, but when I look at the two ObjectClasses via the administrative GUI, they both have "Top" listed as the parent ObjectClass. So I'm not certain why one is appropriate and the other is not.<o:p></o:p></p><p class=MsoNormal><span style='font-size:12.0pt;font-family:"Times New Roman , serif","serif"'>It would appear the console does not tell you if the objectclass is structural, auxiliary, or abstract. You cannot tell by just the inheritance - by default, all objectclasses have "top" as the superior unless otherwise specified.<br><br>This is the official LDAPv3 description - <a href="http://www.ietf.org/rfc/rfc4512.txt">http://www.ietf.org/rfc/rfc4512.txt</a><br><br>An entry may have only one STRUCTURAL objectclass, and multiple AUXILIARY objectclasses. Chances are you will want to use AUXILIARY objectclasses for your extra attributes (like posixAccount) and just use one of the pre-defined objectclasses (like inetOrgPerson) as your STRUCTURAL objectclass.<br><br><br><br></span><o:p></o:p></p><p>Moving forward I want to be able to combine ObjectClasses to extend available objects without introducing data integrity issues in my ldap directory. I am looking for some clarification of rules regarding structural objectclasses,<o:p></o:p></p><p class=MsoNormal><span style='font-size:12.0pt;font-family:"Times New Roman , serif","serif"'>See rfc4512<br><br><br></span><o:p></o:p></p><p>and if there is an easy way via the admin gui to tell the difference between structural, auxillary, and abstract objectclasses. <o:p></o:p></p><p class=MsoNormal><span style='font-size:12.0pt;font-family:"Times New Roman , serif","serif"'>No. You'll have to search cn=schema to check:<br>ldapsearch -xLLL -s base -b "cn=schema" "objectclass=*" objectclasses | perl -p0e 's/\n //g' | grep AUXILIARY<br><br>Note that ldapsearch wraps the output, so you'll have to use perl (or sed) to unwrap - see <a href="http://richmegginson.livejournal.com/18726.html">http://richmegginson.livejournal.com/18726.html</a><br><br><br></span><o:p></o:p></p><p>Also will the directory do some sort of intregrity checking if you attempt to combine improper objectclasses either via commandline or the admin gui?<o:p></o:p></p><p class=MsoNormal><span style='font-size:12.0pt;font-family:"Times New Roman , serif","serif"'>Yes, although by default 389 will allow an entry to have multiple structural objectclasses, but that will change in a future release, so don't rely on that behavior.<br><br><br></span><o:p></o:p></p><p> <o:p></o:p></p><p>Thanks<o:p></o:p></p><p class=MsoNormal> <o:p></o:p></p><p class=MsoNormal> <o:p></o:p></p><p class=MsoNormal><b><span style='font-size:12.0pt'> Cary Anderson</span></b><o:p></o:p></p><p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Arial","sans-serif";color:#1F497D'> </span></b><span style='font-size:12.0pt'>916.464.5108</span><o:p></o:p></p><p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Arial","sans-serif";color:#333399'>Linux Support</span></b><b><span style='font-size:10.0pt;font-family:"Arial","sans-serif";color:#1F497D'> |</span></b><b><span style='font-size:12.0pt'> </span></b><b><span style='font-size:10.0pt;font-family:"Arial","sans-serif";color:maroon'>Engineering Dept</span></b><b><span style='font-size:10.0pt;font-family:"Arial","sans-serif";color:#1F497D'>.</span></b><o:p></o:p></p><p class=MsoNormal> <o:p></o:p></p><p class=MsoNormal><span style='font-size:12.0pt;font-family:"Times New Roman , serif","serif"'><br><br><br><br></span><o:p></o:p></p><pre>--<o:p></o:p></pre><pre>389 users mailing list<o:p></o:p></pre><pre><a href="mailto:389-users@lists.fedoraproject.org">389-users@lists.fedoraproject.org</a><o:p></o:p></pre><pre><a href="https://admin.fedoraproject.org/mailman/listinfo/389-users">https://admin.fedoraproject.org/mailman/listinfo/389-users</a><o:p></o:p></pre><p class=MsoNormal><span style='font-size:12.0pt;font-family:"Times New Roman , serif","serif"'> </span><o:p></o:p></p><p class=MsoNormal><span style='font-size:12.0pt;font-family:"Times New Roman","serif"'><o:p> </o:p></span></p></div></div></body></html>