[389-users] Question regarding Combining ObjectClasses to add attributes
Rich Megginson
rmeggins at redhat.com
Wed Jul 11 14:50:04 UTC 2012
On 07/10/2012 06:22 PM, Morris, Patrick wrote:
>
> The second link you provided (at port 389.org) specifically mentions
> using the “account” objectclass. I don’t have access to RHN to read
> the first link, though.
>
Ah, I see, under the "Old Method". I guess I should just get rid of that.
> *From:*389-users-bounces at lists.fedoraproject.org
> [mailto:389-users-bounces at lists.fedoraproject.org] *On Behalf Of *Rich
> Megginson
> *Sent:* Tuesday, July 10, 2012 8:46 AM
> *To:* Anderson, Cary at CIO
> *Cc:* 'General discussion list for the 389 Directory server project.'
> *Subject:* Re: [389-users] Question regarding Combining ObjectClasses
> to add attributes
>
> On 07/10/2012 09:01 AM, Anderson, Cary at CIO wrote:
>
> Thanks for the quick response.
>
> The RHN knowledgebase article I found was titled: "How to use "host"
> attribute to limit ldap users can be accessed by specified host?" kb#
> 65838
>
> https://access.redhat.com/knowledge/solutions/65838
>
>
> It doesn't say anything about an "Account" objectclass.
>
> See also http://port389.org/wiki/Howto:Posix
>
>
> *From:*Rich Megginson [mailto:rmeggins at redhat.com]
> *Sent:* Monday, July 09, 2012 9:14 AM
> *To:* General discussion list for the 389 Directory server project.
> *Cc:* Anderson, Cary at CIO
> *Subject:* Re: [389-users] Question regarding Combining ObjectClasses
> to add attributes
>
> On 07/09/2012 09:44 AM, Anderson, Cary at CIO wrote:
>
> I have recently started working with the Director Server, and I have
> read the documents for both 389 and RHDS, but I am having some
> difficulties regarding ObjectClass types, and combining them in order
> to extend the available attributes for an object. The documents
> indicate that you can only have one Structural ObjectClass and
> multiple Aux. ObjectClasses, and I'm a bit hazy on the rules for
> Abstract ObjectClasses.
>
> If I take the example of needing to add the "host" attribute to a user
> object. A RHN knowledgebase article indicates to add the "hostobject"
> ObjectClass rather than the "Account" ObjectClass.
>
>
> Can you provide a link to this kbase article?
>
>
>
> My assumption was that "hostobject" was an Aux. ObjectClass, and that
> "Account" was Structural, but when I look at the two ObjectClasses via
> the administrative GUI, they both have "Top" listed as the parent
> ObjectClass. So I'm not certain why one is appropriate and the other
> is not.
>
> It would appear the console does not tell you if the objectclass is
> structural, auxiliary, or abstract. You cannot tell by just the
> inheritance - by default, all objectclasses have "top" as the superior
> unless otherwise specified.
>
> This is the official LDAPv3 description -
> http://www.ietf.org/rfc/rfc4512.txt
>
> An entry may have only one STRUCTURAL objectclass, and multiple
> AUXILIARY objectclasses. Chances are you will want to use AUXILIARY
> objectclasses for your extra attributes (like posixAccount) and just
> use one of the pre-defined objectclasses (like inetOrgPerson) as your
> STRUCTURAL objectclass.
>
>
>
> Moving forward I want to be able to combine ObjectClasses to extend
> available objects without introducing data integrity issues in my ldap
> directory. I am looking for some clarification of rules regarding
> structural objectclasses,
>
> See rfc4512
>
>
> and if there is an easy way via the admin gui to tell the difference
> between structural, auxillary, and abstract objectclasses.
>
> No. You'll have to search cn=schema to check:
> ldapsearch -xLLL -s base -b "cn=schema" "objectclass=*" objectclasses
> | perl -p0e 's/\n //g' | grep AUXILIARY
>
> Note that ldapsearch wraps the output, so you'll have to use perl (or
> sed) to unwrap - see http://richmegginson.livejournal.com/18726.html
>
>
> Also will the directory do some sort of intregrity checking if you
> attempt to combine improper objectclasses either via commandline or
> the admin gui?
>
> Yes, although by default 389 will allow an entry to have multiple
> structural objectclasses, but that will change in a future release, so
> don't rely on that behavior.
>
>
> Thanks
>
> * Cary Anderson*
>
> **916.464.5108
>
> *Linux Support**|****Engineering Dept**.*
>
>
>
>
>
> --
> 389 users mailing list
> 389-users at lists.fedoraproject.org <mailto:389-users at lists.fedoraproject.org>
> https://admin.fedoraproject.org/mailman/listinfo/389-users
>
>
>
> --
> 389 users mailing list
> 389-users at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/389-users
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.fedoraproject.org/pipermail/389-users/attachments/20120711/cafe7dab/attachment.html>
More information about the 389-users
mailing list