<html>
<head>
<meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
On 07/10/2012 06:22 PM, Morris, Patrick wrote:
<blockquote
cite="mid:B70713EB4E55C84C963B37DE9E63011B50DD3F0F@G4W3223.americas.hpqcorp.net"
type="cite">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<meta name="Generator" content="Microsoft Word 12 (filtered
medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
{font-family:Consolas;
panose-1:2 11 6 9 2 2 4 3 2 4;}
@font-face
{font-family:"Times New Roman \, serif";}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";
color:black;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p.MsoPlainText, li.MsoPlainText, div.MsoPlainText
{mso-style-priority:99;
mso-style-link:"Plain Text Char";
margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";
color:windowtext;}
p
{mso-style-priority:99;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:12.0pt;
font-family:"Times New Roman","serif";
color:black;}
pre
{mso-style-priority:99;
mso-style-link:"HTML Preformatted Char";
margin:0in;
margin-bottom:.0001pt;
font-size:10.0pt;
font-family:"Courier New";
color:black;}
p.MsoAcetate, li.MsoAcetate, div.MsoAcetate
{mso-style-priority:99;
mso-style-link:"Balloon Text Char";
margin:0in;
margin-bottom:.0001pt;
font-size:8.0pt;
font-family:"Tahoma","sans-serif";
color:black;}
span.HTMLPreformattedChar
{mso-style-name:"HTML Preformatted Char";
mso-style-priority:99;
mso-style-link:"HTML Preformatted";
font-family:Consolas;
color:black;}
span.PlainTextChar
{mso-style-name:"Plain Text Char";
mso-style-priority:99;
mso-style-link:"Plain Text";
font-family:"Calibri","sans-serif";}
span.EmailStyle22
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:windowtext;}
span.EmailStyle23
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:#1F497D;}
span.EmailStyle24
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
span.BalloonTextChar
{mso-style-name:"Balloon Text Char";
mso-style-priority:99;
mso-style-link:"Balloon Text";
font-family:"Tahoma","sans-serif";
color:black;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif][if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
<div class="WordSection1">
<p class="MsoNormal"><span style="color: rgb(31, 73, 125);">The
second link you provided (at port 389.org) specifically
mentions using the “account” objectclass. I don’t have
access to RHN to read the first link, though.</span></p>
</div>
</blockquote>
<br>
Ah, I see, under the "Old Method". I guess I should just get rid of
that.<br>
<br>
<blockquote
cite="mid:B70713EB4E55C84C963B37DE9E63011B50DD3F0F@G4W3223.americas.hpqcorp.net"
type="cite">
<div class="WordSection1">
<p class="MsoNormal"><span style="color:#1F497D"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<div style="border:none;border-left:solid blue 1.5pt;padding:0in
0in 0in 4.0pt">
<div>
<div style="border:none;border-top:solid #B5C4DF
1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext">From:</span></b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext">
<a class="moz-txt-link-abbreviated" href="mailto:389-users-bounces@lists.fedoraproject.org">389-users-bounces@lists.fedoraproject.org</a>
[<a class="moz-txt-link-freetext" href="mailto:389-users-bounces@lists.fedoraproject.org">mailto:389-users-bounces@lists.fedoraproject.org</a>] <b>On
Behalf Of </b>Rich Megginson<br>
<b>Sent:</b> Tuesday, July 10, 2012 8:46 AM<br>
<b>To:</b> Anderson, Cary@CIO<br>
<b>Cc:</b> 'General discussion list for the 389
Directory server project.'<br>
<b>Subject:</b> Re: [389-users] Question regarding
Combining ObjectClasses to add attributes<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">On 07/10/2012 09:01 AM, Anderson,
Cary@CIO wrote: <o:p></o:p></p>
<p class="MsoPlainText">Thanks for the quick response.<o:p></o:p></p>
<p class="MsoPlainText"> <o:p></o:p></p>
<p class="MsoPlainText">The RHN knowledgebase article I found
was titled: "How to use "host" attribute to limit ldap
users can be accessed by specified host?" kb# 65838<o:p></o:p></p>
<p class="MsoPlainText"><a moz-do-not-send="true"
href="https://access.redhat.com/knowledge/solutions/65838">https://access.redhat.com/knowledge/solutions/65838</a><o:p></o:p></p>
<p class="MsoNormal"><span
style="font-size:12.0pt;font-family:"Times New
Roman","serif""><br>
It doesn't say anything about an "Account" objectclass.<br>
<br>
See also <a moz-do-not-send="true"
href="http://port389.org/wiki/Howto:Posix">http://port389.org/wiki/Howto:Posix</a><br>
<br>
<br>
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D"> </span><o:p></o:p></p>
<div>
<div style="border:none;border-top:solid #B5C4DF
1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext">From:</span></b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext">
Rich Megginson [<a moz-do-not-send="true"
href="mailto:rmeggins@redhat.com">mailto:rmeggins@redhat.com</a>]
<br>
<b>Sent:</b> Monday, July 09, 2012 9:14 AM<br>
<b>To:</b> General discussion list for the 389
Directory server project.<br>
<b>Cc:</b> Anderson, Cary@CIO<br>
<b>Subject:</b> Re: [389-users] Question regarding
Combining ObjectClasses to add attributes</span><o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">On 07/09/2012 09:44 AM, Anderson,
Cary@CIO wrote: <o:p></o:p></p>
<p>I have recently started working with the Director Server,
and I have read the documents for both 389 and RHDS, but I
am having some difficulties regarding ObjectClass types, and
combining them in order to extend the available attributes
for an object. The documents indicate that you can only
have one Structural ObjectClass and multiple Aux.
ObjectClasses, and I'm a bit hazy on the rules for Abstract
ObjectClasses. <o:p></o:p></p>
<p>If I take the example of needing to add the "host"
attribute to a user object. A RHN knowledgebase article
indicates to add the "hostobject" ObjectClass rather than
the "Account" ObjectClass. <o:p></o:p></p>
<p class="MsoNormal"><span
style="font-size:12.0pt;font-family:"Times New Roman
, serif","serif""><br>
Can you provide a link to this kbase article?<br>
<br>
<br>
<br>
</span><o:p></o:p></p>
<p>My assumption was that "hostobject" was an Aux.
ObjectClass, and that "Account" was Structural, but when I
look at the two ObjectClasses via the administrative GUI,
they both have "Top" listed as the parent ObjectClass. So
I'm not certain why one is appropriate and the other is not.<o:p></o:p></p>
<p class="MsoNormal"><span
style="font-size:12.0pt;font-family:"Times New Roman
, serif","serif"">It would appear the
console does not tell you if the objectclass is
structural, auxiliary, or abstract. You cannot tell by
just the inheritance - by default, all objectclasses have
"top" as the superior unless otherwise specified.<br>
<br>
This is the official LDAPv3 description - <a
moz-do-not-send="true"
href="http://www.ietf.org/rfc/rfc4512.txt">http://www.ietf.org/rfc/rfc4512.txt</a><br>
<br>
An entry may have only one STRUCTURAL objectclass, and
multiple AUXILIARY objectclasses. Chances are you will
want to use AUXILIARY objectclasses for your extra
attributes (like posixAccount) and just use one of the
pre-defined objectclasses (like inetOrgPerson) as your
STRUCTURAL objectclass.<br>
<br>
<br>
<br>
</span><o:p></o:p></p>
<p>Moving forward I want to be able to combine ObjectClasses
to extend available objects without introducing data
integrity issues in my ldap directory. I am looking for
some clarification of rules regarding structural
objectclasses,<o:p></o:p></p>
<p class="MsoNormal"><span
style="font-size:12.0pt;font-family:"Times New Roman
, serif","serif"">See rfc4512<br>
<br>
<br>
</span><o:p></o:p></p>
<p>and if there is an easy way via the admin gui to tell the
difference between structural, auxillary, and abstract
objectclasses. <o:p></o:p></p>
<p class="MsoNormal"><span
style="font-size:12.0pt;font-family:"Times New Roman
, serif","serif"">No. You'll have to
search cn=schema to check:<br>
ldapsearch -xLLL -s base -b "cn=schema" "objectclass=*"
objectclasses | perl -p0e 's/\n //g' | grep AUXILIARY<br>
<br>
Note that ldapsearch wraps the output, so you'll have to
use perl (or sed) to unwrap - see <a
moz-do-not-send="true"
href="http://richmegginson.livejournal.com/18726.html">http://richmegginson.livejournal.com/18726.html</a><br>
<br>
<br>
</span><o:p></o:p></p>
<p>Also will the directory do some sort of intregrity checking
if you attempt to combine improper objectclasses either via
commandline or the admin gui?<o:p></o:p></p>
<p class="MsoNormal"><span
style="font-size:12.0pt;font-family:"Times New Roman
, serif","serif"">Yes, although by default
389 will allow an entry to have multiple structural
objectclasses, but that will change in a future release,
so don't rely on that behavior.<br>
<br>
<br>
</span><o:p></o:p></p>
<p> <o:p></o:p></p>
<p>Thanks<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal"><b><span style="font-size:12.0pt">
Cary Anderson</span></b><o:p></o:p></p>
<p class="MsoNormal"><b><span
style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#1F497D">
</span></b><span style="font-size:12.0pt">916.464.5108</span><o:p></o:p></p>
<p class="MsoNormal"><b><span
style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#333399">Linux
Support</span></b><b><span
style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#1F497D">
|</span></b><b><span style="font-size:12.0pt"> </span></b><b><span
style="font-size:10.0pt;font-family:"Arial","sans-serif";color:maroon">Engineering
Dept</span></b><b><span
style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#1F497D">.</span></b><o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal"><span
style="font-size:12.0pt;font-family:"Times New Roman
, serif","serif""><br>
<br>
<br>
<br>
</span><o:p></o:p></p>
<pre>--<o:p></o:p></pre>
<pre>389 users mailing list<o:p></o:p></pre>
<pre><a moz-do-not-send="true" href="mailto:389-users@lists.fedoraproject.org">389-users@lists.fedoraproject.org</a><o:p></o:p></pre>
<pre><a moz-do-not-send="true" href="https://admin.fedoraproject.org/mailman/listinfo/389-users">https://admin.fedoraproject.org/mailman/listinfo/389-users</a><o:p></o:p></pre>
<p class="MsoNormal"><span
style="font-size:12.0pt;font-family:"Times New Roman
, serif","serif""> </span><o:p></o:p></p>
<p class="MsoNormal"><span
style="font-size:12.0pt;font-family:"Times New
Roman","serif""><o:p> </o:p></span></p>
</div>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">--
389 users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:389-users@lists.fedoraproject.org">389-users@lists.fedoraproject.org</a>
<a class="moz-txt-link-freetext" href="https://admin.fedoraproject.org/mailman/listinfo/389-users">https://admin.fedoraproject.org/mailman/listinfo/389-users</a></pre>
</blockquote>
<br>
</body>
</html>