Re: Question regarding Combining ObjectClasses to add attributes

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

The second link you provided (at port 389.org) specifically mentions using the “account” objectclass.  I don’t have access to RHN to read the first link, though.

 

From: 389-users-bounces@xxxxxxxxxxxxxxxxxxxxxxx [mailto:389-users-bounces@xxxxxxxxxxxxxxxxxxxxxxx] On Behalf Of Rich Megginson
Sent: Tuesday, July 10, 2012 8:46 AM
To: Anderson, Cary@CIO
Cc: 'General discussion list for the 389 Directory server project.'
Subject: Re: Question regarding Combining ObjectClasses to add attributes

 

On 07/10/2012 09:01 AM, Anderson, Cary@CIO wrote:

Thanks for the quick response.

 

The RHN knowledgebase article I found was titled:  "How to use "host" attribute to limit ldap users can be accessed by specified host?"  kb# 65838

https://access.redhat.com/knowledge/solutions/65838


It doesn't say anything about an "Account" objectclass.

See also http://port389.org/wiki/Howto:Posix


 

 

 

From: Rich Megginson [mailto:rmeggins@xxxxxxxxxx]
Sent: Monday, July 09, 2012 9:14 AM
To: General discussion list for the 389 Directory server project.
Cc: Anderson, Cary@CIO
Subject: Re: Question regarding Combining ObjectClasses to add attributes

 

On 07/09/2012 09:44 AM, Anderson, Cary@CIO wrote:

I have recently started working with the Director Server, and I have read the documents for both 389 and RHDS, but I am having some difficulties regarding ObjectClass types, and combining them in order to extend the available attributes for an object.  The documents indicate that you can only have one Structural ObjectClass and multiple Aux. ObjectClasses, and I'm a bit hazy on the rules for Abstract ObjectClasses.  

If I take the example of needing to add the "host" attribute to a user object.  A RHN knowledgebase article indicates to add the "hostobject" ObjectClass rather than the "Account" ObjectClass.


Can you provide a link to this kbase article?



My assumption was that "hostobject" was an Aux. ObjectClass, and that "Account" was Structural, but when I look at the two ObjectClasses via the administrative GUI, they both have "Top" listed as the parent ObjectClass.  So I'm not certain why one is appropriate and the other is not.

It would appear the console does not tell you if the objectclass is structural, auxiliary, or abstract.  You cannot tell by just the inheritance - by default, all objectclasses have "top" as the superior unless otherwise specified.

This is the official LDAPv3 description - http://www.ietf.org/rfc/rfc4512.txt

An entry may have only one STRUCTURAL objectclass, and multiple AUXILIARY objectclasses.  Chances are you will want to use AUXILIARY objectclasses for your extra attributes (like posixAccount) and just use one of the pre-defined objectclasses (like inetOrgPerson) as your STRUCTURAL objectclass.



Moving forward I want to be able to combine ObjectClasses to extend available objects without introducing data integrity issues in my ldap directory.  I am looking for some clarification of rules regarding structural objectclasses,

See rfc4512


and if there is an easy way via the admin gui to tell the difference between structural, auxillary, and abstract objectclasses.

No.  You'll have to search cn=schema to check:
ldapsearch -xLLL -s base -b "cn=schema" "objectclass=*" objectclasses | perl -p0e 's/\n //g' | grep AUXILIARY

Note that ldapsearch wraps the output, so you'll have to use perl (or sed) to unwrap - see http://richmegginson.livejournal.com/18726.html


Also will the directory do some sort of intregrity checking if you attempt to combine improper objectclasses either via commandline or the admin gui?

Yes, although by default 389 will allow an entry to have multiple structural objectclasses, but that will change in a future release, so don't rely on that behavior.


 

Thanks

 

 

           Cary Anderson

              916.464.5108

Linux Support | Engineering Dept.

 





--
389 users mailing list
389-users@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/389-users

 

 

Attachment: smime.p7s
Description: S/MIME cryptographic signature

--
389 users mailing list
389-users@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/389-users
[Index of Archives]     [Fedora User Discussion]     [Older Fedora Users]     [Fedora Announce]     [Fedora Package Announce]     [EPEL Announce]     [Fedora News]     [Fedora Cloud]     [Fedora Advisory Board]     [Fedora Education]     [Fedora Security]     [Fedora Scitech]     [Fedora Robotics]     [Fedora Maintainers]     [Fedora Infrastructure]     [Fedora Websites]     [Anaconda Devel]     [Fedora Devel Java]     [Fedora Legacy]     [Fedora Desktop]     [Fedora Fonts]     [ATA RAID]     [Fedora Marketing]     [Fedora Management Tools]     [Fedora Mentors]     [Fedora Package Review]     [Fedora R Devel]     [Fedora PHP Devel]     [Kickstart]     [Fedora Music]     [Fedora Packaging]     [Centos]     [Fedora SELinux]     [Fedora Legal]     [Fedora Kernel]     [Fedora QA]     [Fedora Triage]     [Fedora OCaml]     [Coolkey]     [Virtualization Tools]     [ET Management Tools]     [Yum Users]     [Tux]     [Yosemite News]     [Yosemite Photos]     [Linux Apps]     [Maemo Users]     [Gnome Users]     [KDE Users]     [Fedora Tools]     [Fedora Art]     [Fedora Docs]     [Maemo Users]     [Asterisk PBX]     [Fedora Sparc]     [Fedora Universal Network Connector]     [Fedora ARM]

  Powered by Linux