Rich Megginson wrote:

> Jeff Clowser wrote:
>
>> suppose that might be more clearly stated in the X.501 spec?).
>> Sounds like I am stepping into an LDAP/X.50x holy war :)
>
> I'm sure the folks on the ldap umich list will be happy to provide
> their interpretations :-)

Heh :)

> I propose the creation of a new objectclass that will be AUXILIARY and
> also be a subclass of posixAccount. This objectclass will contain the
> "host" attribute (other attributes?). In order to make host based
> access restriction work, you would simply add this objectclass and
> host attribute to any existing user, even if they already have the
> posixAccount objectclass. I'm not sure what a good name for this
> objectclass would be - perhaps posixAccountExt or ??? At any rate,
> applications that use the search filter (objectclass=posixAccount) to
> get entries that contain the host attribute would continue to work.
> This would simplify new account creation because you could just use
> the new objectclass instead of posixAccount and it would inherit all
> of the posixAccount attributes.
>

Are you proposing this simply as "let's all agree on this list on something", as "a schema extension that comes with FDS", or as a new standard oc, with properly registered OIDs and all? If a new standard oc, how hard is it to do that - not something I've ever done.

I would like the third mainly because it makes it easier for interoperability, but I can live with either of the other two.

Would make sense to discuss if there are other attributes to add while we're at it.

- Jeff