Re: Antw: Re: All entries belong to the top object class?
On 04/28/15 13:22, Christian Kratzer wrote:
> Hi,
>
> On Mon, 27 Apr 2015, Quanah Gibson-Mount wrote:
>> --On Tuesday, April 28, 2015 10:58 AM +0530 dE wrote:
>>> Yes, so subclasses do not define MAY; it's defined by the MAY of the top object class.
>>
>> The "top" objectClass does not contain *any* MAY attributes. I wonder if you are confused in thinking of "top" as a generic term. It is not. "top" is a very specific objectClass that is explicitly defined as noted previously. It contains a single MUST attribute.
>
> one of my customers has an enterprise provisioning tool from a well known large supplier of such systems. The developers of that tool insist that they want to see an explicit "objectClass: top" in all objects.
>
> It hurts every single time I have to look at that specific directory.
>
> Greetings
> Christian

Thank you everyone for the help! I understand now.
Re: All entries belong to the top object class?
On Tue, Apr 28, 2015 at 10:21:25AM +0530, dE wrote:

> >No. 'top' is defined in RFC4512:
> >
> >    ( 2.5.6.0 NAME 'top' ABSTRACT MUST objectClass )
> >
> >so every entry MUST contain an objectclass attribute.
> >It does not say anything about any other attributes.
>
> Yeah, so that's the question, can any attribute which is in the MAY
> of the top object class be added to any entry in the DIT regardless
> of what object class it belongs to?

The top object class does not have any MAY attributes. If it did then yes you could use them in any entry in the DIT as all normal entries are members of top.

Andrew
--
| From Andrew Findlay, Skills 1st Ltd |
| Consultant in large-scale systems, networks, and directory services |
| http://www.skills-1st.co.uk/ +44 1628 782565 |
Re: All entries belong to the top object class?
dE wrote:
> On 04/26/15 23:37, Michael Ströder wrote:
>> You should really read RFC 4512 more carefully and look at existing subschema.
>> I give up now to explain.
>
> That's the source of all confusion. There is no IETF mailing list to discuss these issues.

General LDAP discussion occurs on l...@umich.edu

We generally expect you to already know LDAP before coming to the OpenLDAP mailing lists.

--
  -- Howard Chu
  CTO, Symas Corp. http://www.symas.com
  Director, Highland Sun http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP http://www.openldap.org/project/
Re: Antw: Re: All entries belong to the top object class?
Hi,

On Mon, 27 Apr 2015, Quanah Gibson-Mount wrote:
> --On Tuesday, April 28, 2015 10:58 AM +0530 dE wrote:
>> Yes, so subclasses do not define MAY; it's defined by the MAY of the top object class.
>
> The "top" objectClass does not contain *any* MAY attributes. I wonder if you are confused in thinking of "top" as a generic term. It is not. "top" is a very specific objectClass that is explicitly defined as noted previously. It contains a single MUST attribute.

one of my customers has an enterprise provisioning tool from a well known large supplier of such systems. The developers of that tool insist that they want to see an explicit "objectClass: top" in all objects.

It hurts every single time I have to look at that specific directory.

Greetings
Christian

--
Christian Kratzer                   CK Software GmbH
Email:   c...@cksoft.de             Wildberger Weg 24/2
Phone:   +49 7032 893 997 - 0       D-71126 Gaeufelden
Fax:     +49 7032 893 997 - 9       HRB 245288, Amtsgericht Stuttgart
Mobile:  +49 171 1947 843           Managing Director: Christian Kratzer
Web:     http://www.cksoft.de/
Re: Antw: Re: All entries belong to the top object class?
--On Tuesday, April 28, 2015 10:58 AM +0530 dE wrote:
> Yes, so subclasses do not define MAY; it's defined by the MAY of the top object class.

The "top" objectClass does not contain *any* MAY attributes. I wonder if you are confused in thinking of "top" as a generic term. It is not. "top" is a very specific objectClass that is explicitly defined as noted previously. It contains a single MUST attribute.

--Quanah

--
Quanah Gibson-Mount
Platform Architect
Zimbra, Inc.
Zimbra :: the leader in open source messaging and collaboration
Re: All entries belong to the top object class?
--On Tuesday, April 28, 2015 10:56 AM +0530 dE wrote:
>>> objectclass ( 2.5.6.0 NAME 'top' ABSTRACT MUST objectClass )
>>>
>>> What attributes of 'TOP' are you talking about? ;-)
>>
>> objectClass, clearly.
>
> No. Everything else.

You are clearly confused. There *is* no everything else for the "top" objectclass. It defines one and only one attribute that MUST be present.

--Quanah

--
Quanah Gibson-Mount
Platform Architect
Zimbra, Inc.
Zimbra :: the leader in open source messaging and collaboration
Re: All entries belong to the top object class?
On 04/19/15 11:42, dE wrote:
> As per https://tools.ietf.org/html/rfc4512#section-3.3
>
>     When creating an entry or adding an 'objectClass' value to an entry, all superclasses of the named classes SHALL be implicitly added as well if not already present.
>
> That means the top object class will always be there.
>
> Or is it that only the most subordinate object class in the multivalued attribute is considered by the client and server?

Ok. It appears that I've some other confusion. Starting a new discussion about that.
Re: All entries belong to the top object class?
On 04/27/15 02:07, Dieter Klünter wrote:
> On Sun, 26 Apr 2015 21:05:44 +0530, dE wrote:
>> On 04/26/15 17:13, Michael Ströder wrote:
>>> dE wrote:
>>>> Super this is the superclass chain --
>>>>
>>>> A->B
>>>>
>>>> A is defined by MUST ObjectClass MAY ( cn abc xyz cxy )
>>>> B is defined by MUST ObjectClass MAY ( cn cxy )
>>>>
>>>> Then an entry belonging to B (explicit) and A (implicit, automatically added) cannot have attributes abc and xyz.
>>>
>>> No!
>>>
>>> B would have MAY ( cn abc xyz cxy ).
>>>
>>> Example for A:
>>>
>>> objectclass (
>>>   NAME 'A'
>>>   MAY ( cn $ abc $ xyz $ cxy ) )
>>>
>>> These three variants have the same MAY attribute set ( cn $ abc $ xyz $ cxy ):
>>>
>>> objectclass (
>>>   NAME 'B'
>>>   SUP A
>>>   MAY ( cn $ cxy ) )
>>>
>>> objectclass (
>>>   NAME 'B'
>>>   SUP A
>>>   MAY ( cn $ abc $ xyz $ cxy ) )
>>>
>>> objectclass (
>>>   NAME 'B'
>>>   SUP A )
>>>
>>> Ciao, Michael.
>>
>> Ok.
>>
>> So the significance of subordinate classes is to add a MUST attributes only. The possible attributes that any object can have is defined in the TOP object class; regardless of what object class the entry belongs to, any attribute listed in the TOP object class can be added to it.
>
> NO!
> The abstract objectClass 'top' only provides the attribute 'objectClass'.
> From schema_prep.c
>
>     "( 2.5.6.0 NAME 'top' "
>     "DESC 'top of the superclass chain' "
>     "ABSTRACT MUST objectClass )",
>
> -Dieter

That's the MUST, I'm talking about the MAY.
Re: All entries belong to the top object class?
On 04/21/15 15:36, Andrew Findlay wrote:
> On Mon, Apr 20, 2015 at 11:06:07AM +0530, dE wrote:
>> I'm concerned about the attributes. Does adding of the top object class (or person) add all attributes to the entry?
>
> No. 'top' is defined in RFC4512:
>
>     ( 2.5.6.0 NAME 'top' ABSTRACT MUST objectClass )
>
> so every entry MUST contain an objectclass attribute.
> It does not say anything about any other attributes.

Yeah, so that's the question, can any attribute which is in the MAY of the top object class be added to any entry in the DIT regardless of what object class it belongs to?
Re: Antw: Re: All entries belong to the top object class?
On 04/21/15 11:43, Ulrich Windl wrote:
> dE wrote on 20.04.2015 at 07:36 in message <55349047.7020...@gmail.com>:
>> On 04/20/15 00:59, Ryan Tandy wrote:
>>> On Sun, Apr 19, 2015 at 11:42:16AM +0530, dE wrote:
>>>> As per https://tools.ietf.org/html/rfc4512#section-3.3
>>>>
>>>>     When creating an entry or adding an 'objectClass' value to an entry, all superclasses of the named classes SHALL be implicitly added as well if not already present.
>>>>
>>>> That means the top object class will always be there.
>>>
>>> Basically correct. Note "implicitly" means it's treated as present, even if the entry doesn't actually contain "objectClass: top".
>>>
>>>> Or is it that only the most subordinate object class in the multivalued attribute is considered by the client and server?
>>>
>>> The following facts may answer your question:
>>>
>>> - every entry satisfies the filter "(objectClass=top)".
>>> - an entry with "objectClass: inetOrgPerson" satisfies the filter "(objectClass=person)".
>>
>> I'm concerned about the attributes. Does adding of the top object class (or person) add all attributes to the entry?
>
> I'd say: It adds no attributes at all to the entry automagically, but the MUST attributes have to be provided while the MAY attributes may be provided. If an entry is created, it will contain all the valid attributes you provide (no entry is created if you supply invalid attributes).
>
> Regards,
> Ulrich

Yes, so subclasses do not define MAY; it's defined by the MAY of the top object class.
Re: All entries belong to the top object class?
On 04/27/15 06:10, Quanah Gibson-Mount wrote:
> On Apr 26, 2015, at 12:45 PM, Mattes wrote:
>> On Sunday, 26 April 2015 20:07 CEST, Michael Ströder wrote:
>>> Also I don't understand what the term "significance of subordinate classes" means to you in this context.
>>
>> Yes. Might it be possible that dE (miss)reads 'SUB' as 'subordinate' when it actually means 'subclass'? When talking about LDAP the term 'subordinate' does have a well defined meaning (that is irrelevant to this discussion).
>>
>>>> The possible attributes that any object can have is defined in the TOP object class;
>>>
>>> No!
>>>
>>>> regardless of what object class the entry belongs to, any attribute listed in the TOP object class can be added to it.
>>
>> Hmm - but while this might be true it's a tautology. Given:
>>
>>     objectclass ( 2.5.6.0 NAME 'top' ABSTRACT MUST objectClass )
>>
>> What attributes of 'TOP' are you talking about? ;-)
>
> objectClass, clearly.

No. Everything else.

>>> You should really read RFC 4512 more carefully and look at existing subschema.
>>> I give up now to explain.
>>
>> May I humbly reading suggest http://www.zytrax.com/books/ldap/ch3/
>
> Zytrax should be avoided. Besides engaging in blatant illegal plagiarism, they often have completely erroneous information.
>
> --Quanah
Re: All entries belong to the top object class?
On 04/27/15 01:13, Mattes wrote:
> On Sunday, 26 April 2015 20:07 CEST, Michael Ströder wrote:
>> Also I don't understand what the term "significance of subordinate classes" means to you in this context.
>
> Yes. Might it be possible that dE (miss)reads 'SUB' as 'subordinate' when it actually means 'subclass'? When talking about LDAP the term 'subordinate' does have a well defined meaning (that is irrelevant to this discussion).

Actually I meant subclass.

>>> The possible attributes that any object can have is defined in the TOP object class;
>>
>> No!
>>
>>> regardless of what object class the entry belongs to, any attribute listed in the TOP object class can be added to it.
>
> Hmm - but while this might be true it's a tautology. Given:
>
>     objectclass ( 2.5.6.0 NAME 'top' ABSTRACT MUST objectClass )
>
> What attributes of 'TOP' are you talking about? ;-)

All MAY attributes. Of course the MUST must be there, but from what I understand all MAY attributes in top can also be added regardless of what subclass the entry belongs to.

>> You should really read RFC 4512 more carefully and look at existing subschema.
>> I give up now to explain.
>
> May I humbly reading suggest http://www.zytrax.com/books/ldap/ch3/
>
> Cheers, RalfD

What that book says is different from what the RFC says. Besides, I'm interested in reading the latest RFC.
Re: All entries belong to the top object class?
On 04/26/15 23:37, Michael Ströder wrote:
> dE wrote:
>> On 04/26/15 17:13, Michael Ströder wrote:
>>> dE wrote:
>>>> Super this is the superclass chain --
>>>>
>>>> A->B
>>>>
>>>> A is defined by MUST ObjectClass MAY ( cn abc xyz cxy )
>>>> B is defined by MUST ObjectClass MAY ( cn cxy )
>>>>
>>>> Then an entry belonging to B (explicit) and A (implicit, automatically added) cannot have attributes abc and xyz.
>>>
>>> No!
>>>
>>> B would have MAY ( cn abc xyz cxy ).
>>>
>>> Example for A:
>>>
>>> objectclass (
>>>   NAME 'A'
>>>   MAY ( cn $ abc $ xyz $ cxy ) )
>>>
>>> These three variants have the same MAY attribute set ( cn $ abc $ xyz $ cxy ):
>>>
>>> objectclass (
>>>   NAME 'B'
>>>   SUP A
>>>   MAY ( cn $ cxy ) )
>>>
>>> objectclass (
>>>   NAME 'B'
>>>   SUP A
>>>   MAY ( cn $ abc $ xyz $ cxy ) )
>>>
>>> objectclass (
>>>   NAME 'B'
>>>   SUP A )
>>
>> Ok.
>>
>> So the significance of subordinate classes is to add a MUST attributes only.
>
> No! Which text in RFC 4512 says that?

It's implied from

    When creating an entry or adding an 'objectClass' value to an entry, all superclasses of the named classes SHALL be implicitly added

> Also I don't understand what the term "significance of subordinate classes" means to you in this context.

I mean object classes subordinate to the TOP object class.

>> The possible attributes that any object can have is defined in the TOP object class;
>
> No!

But that's what you said.

    These three variants have the same MAY attribute set ( cn $ abc $ xyz $ cxy ):

    objectclass ( NAME 'B' SUP A MAY ( cn $ cxy ) )
    objectclass ( NAME 'B' SUP A MAY ( cn $ abc $ xyz $ cxy ) )
    objectclass ( NAME 'B' SUP A )

So entries belonging to object class B can have all attributes of object class A, in a similar way the possible attributes that any object can have is defined by the TOP object class.

>> regardless of what object class the entry belongs to, any attribute listed in the TOP object class can be added to it.
>
> You should really read RFC 4512 more carefully and look at existing subschema.
> I give up now to explain.

That's the source of all confusion. There is no IETF mailing list to discuss these issues.
Re: All entries belong to the top object class?
On Sat, Apr 25, 2015 at 05:58:43PM +0530, dE wrote:

> Does adding of the top object class (implicitly) make it possible to
> add all attributes in the DIT to the entry? I'm talking about
> attributes which are out of the 'MAY' in the most subordinate object
> class the entry belong to.

If you really want to permit *any* attribute to be added to an entry, then you can add the ExtensibleObject objectclass. In general this is a *bad* thing to do.

See RFC4512 section 4.3 for the definition.

Andrew
--
| From Andrew Findlay, Skills 1st Ltd |
| Consultant in large-scale systems, networks, and directory services |
| http://www.skills-1st.co.uk/ +44 1628 782565 |
Re: All entries belong to the top object class?
> On Apr 26, 2015, at 12:45 PM, Mattes wrote:
>
> On Sunday, 26 April 2015 20:07 CEST, Michael Ströder wrote:
>
>> Also I don't understand what the term "significance of subordinate classes"
>> means to you in this context.
>
> Yes. Might it be possible that dE (miss)reads 'SUB' as 'subordinate' when it actually
> means 'subclass'? When talking about LDAP the term 'subordinate' does have a well
> defined meaning (that is irrelevant to this discussion).
>
>>> The possible attributes that any object can have is defined in the TOP object
>>> class;
>>
>> No!
>>
>>> regardless of what object class the entry belongs to, any attribute
>>> listed in the TOP object class can be added to it.
>
> Hmm - but while this might be true it's a tautology. Given:
>
>     objectclass ( 2.5.6.0 NAME 'top' ABSTRACT
>         MUST objectClass )
>
> What attributes of 'TOP' are you talking about? ;-)

objectClass, clearly.

>> You should really read RFC 4512 more carefully and look at existing subschema.
>> I give up now to explain.
>
> May I humbly reading suggest http://www.zytrax.com/books/ldap/ch3/

Zytrax should be avoided. Besides engaging in blatant illegal plagiarism, they often have completely erroneous information.

--Quanah
Re: All entries belong to the top object class?
On Sun, 26 Apr 2015 21:05:44 +0530, dE wrote:

> On 04/26/15 17:13, Michael Ströder wrote:
> > dE wrote:
> >> Super this is the superclass chain --
> >>
> >> A->B
> >>
> >> A is defined by MUST ObjectClass MAY ( cn abc xyz cxy )
> >> B is defined by MUST ObjectClass MAY ( cn cxy )
> >>
> >> Then an entry belonging to B (explicit) and A (implicit,
> >> automatically added)
> >> cannot have attributes abc and xyz.
> >
> > No!
> >
> > B would have MAY ( cn abc xyz cxy ).
> >
> > Example for A:
> >
> > objectclass (
> >   NAME 'A'
> >   MAY ( cn $ abc $ xyz $ cxy ) )
> >
> > These three variants have the same MAY attribute set ( cn $ abc $
> > xyz $ cxy ):
> >
> > objectclass (
> >   NAME 'B'
> >   SUP A
> >   MAY ( cn $ cxy ) )
> >
> > objectclass (
> >   NAME 'B'
> >   SUP A
> >   MAY ( cn $ abc $ xyz $ cxy ) )
> >
> > objectclass (
> >   NAME 'B'
> >   SUP A )
> >
> > Ciao, Michael.
>
> Ok.
>
> So the significance of subordinate classes is to add a MUST
> attributes only. The possible attributes that any object can have is
> defined in the TOP object class; regardless of what object class the
> entry belongs to, any attribute listed in the TOP object class can be
> added to it.

NO!
The abstract objectClass 'top' only provides the attribute 'objectClass'.
From schema_prep.c

    "( 2.5.6.0 NAME 'top' "
    "DESC 'top of the superclass chain' "
    "ABSTRACT MUST objectClass )",

-Dieter

--
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"Ea
Re: All entries belong to the top object class?
On Sunday, 26 April 2015 20:07 CEST, Michael Ströder wrote:

> Also I don't understand what the term "significance of subordinate classes"
> means to you in this context.

Yes. Might it be possible that dE (miss)reads 'SUB' as 'subordinate' when it actually means 'subclass'? When talking about LDAP the term 'subordinate' does have a well defined meaning (that is irrelevant to this discussion).

> > The possible attributes that any object can have is defined in the TOP object
> > class;
>
> No!
>
> > regardless of what object class the entry belongs to, any attribute
> > listed in the TOP object class can be added to it.

Hmm - but while this might be true it's a tautology. Given:

    objectclass ( 2.5.6.0 NAME 'top' ABSTRACT MUST objectClass )

What attributes of 'TOP' are you talking about? ;-)

> You should really read RFC 4512 more carefully and look at existing subschema.
> I give up now to explain.

May I humbly reading suggest http://www.zytrax.com/books/ldap/ch3/

Cheers, RalfD
Re: All entries belong to the top object class?
dE wrote:
> On 04/26/15 17:13, Michael Ströder wrote:
>> dE wrote:
>>> Super this is the superclass chain --
>>>
>>> A->B
>>>
>>> A is defined by MUST ObjectClass MAY ( cn abc xyz cxy )
>>> B is defined by MUST ObjectClass MAY ( cn cxy )
>>>
>>> Then an entry belonging to B (explicit) and A (implicit, automatically added) cannot have attributes abc and xyz.
>>
>> No!
>>
>> B would have MAY ( cn abc xyz cxy ).
>>
>> Example for A:
>>
>> objectclass (
>>   NAME 'A'
>>   MAY ( cn $ abc $ xyz $ cxy ) )
>>
>> These three variants have the same MAY attribute set ( cn $ abc $ xyz $ cxy ):
>>
>> objectclass (
>>   NAME 'B'
>>   SUP A
>>   MAY ( cn $ cxy ) )
>>
>> objectclass (
>>   NAME 'B'
>>   SUP A
>>   MAY ( cn $ abc $ xyz $ cxy ) )
>>
>> objectclass (
>>   NAME 'B'
>>   SUP A )
>
> Ok.
>
> So the significance of subordinate classes is to add a MUST attributes only.

No! Which text in RFC 4512 says that?

Also I don't understand what the term "significance of subordinate classes" means to you in this context.

> The possible attributes that any object can have is defined in the TOP object class;

No!

> regardless of what object class the entry belongs to, any attribute listed in the TOP object class can be added to it.

You should really read RFC 4512 more carefully and look at existing subschema.
I give up now to explain.

Ciao, Michael.
Re: All entries belong to the top object class?
On 04/26/15 17:13, Michael Ströder wrote:
> dE wrote:
>> Super this is the superclass chain --
>>
>> A->B
>>
>> A is defined by MUST ObjectClass MAY ( cn abc xyz cxy )
>> B is defined by MUST ObjectClass MAY ( cn cxy )
>>
>> Then an entry belonging to B (explicit) and A (implicit, automatically added) cannot have attributes abc and xyz.
>
> No!
>
> B would have MAY ( cn abc xyz cxy ).
>
> Example for A:
>
> objectclass (
>   NAME 'A'
>   MAY ( cn $ abc $ xyz $ cxy ) )
>
> These three variants have the same MAY attribute set ( cn $ abc $ xyz $ cxy ):
>
> objectclass (
>   NAME 'B'
>   SUP A
>   MAY ( cn $ cxy ) )
>
> objectclass (
>   NAME 'B'
>   SUP A
>   MAY ( cn $ abc $ xyz $ cxy ) )
>
> objectclass (
>   NAME 'B'
>   SUP A )
>
> Ciao, Michael.

Ok.

So the significance of subordinate classes is to add a MUST attributes only. The possible attributes that any object can have is defined in the TOP object class; regardless of what object class the entry belongs to, any attribute listed in the TOP object class can be added to it.
Re: All entries belong to the top object class?
dE wrote:
> Super this is the superclass chain --
>
> A->B
>
> A is defined by MUST ObjectClass MAY ( cn abc xyz cxy )
> B is defined by MUST ObjectClass MAY ( cn cxy )
>
> Then an entry belonging to B (explicit) and A (implicit, automatically added) cannot have attributes abc and xyz.

No!

B would have MAY ( cn abc xyz cxy ).

Example for A:

objectclass (
  NAME 'A'
  MAY ( cn $ abc $ xyz $ cxy ) )

These three variants have the same MAY attribute set ( cn $ abc $ xyz $ cxy ):

objectclass (
  NAME 'B'
  SUP A
  MAY ( cn $ cxy ) )

objectclass (
  NAME 'B'
  SUP A
  MAY ( cn $ abc $ xyz $ cxy ) )

objectclass (
  NAME 'B'
  SUP A )

Ciao, Michael.
Re: All entries belong to the top object class?
On 04/26/15 15:27, Michael Ströder wrote:
> dE wrote:
>> On 04/20/15 22:56, Michael Ströder wrote:
>>> dE wrote:
>>>> Does adding of the top object class (or person) add all attributes to the entry?
>>>
>>> Nope. Which text in RFC 4512 leads to your presumption?
>>
>> Sorry for the late response. I was out of town.
>>
>> From the responses, it appears the question has not been understood correctly,
>
> Yes, very likely. But maybe you also did not understand the responses?
>
>> Does adding of the top object class (implicitly) make it possible to add all attributes in the DIT to the entry?
>
> No. Please read RFC 4512 more closely.
>
> You could also read some source code, e.g. method SubSchema.attribute_types() herein:
>
> http://python-ldap.cvs.sourceforge.net/viewvc/python-ldap/python-ldap/Lib/ldap/schema/subentry.py?revision=1.34&view=markup
>
> Ciao, Michael.

Ok, then that makes it clear. Thank you for clearing that.

Super this is the superclass chain --

A->B

A is defined by MUST ObjectClass MAY ( cn abc xyz cxy )
B is defined by MUST ObjectClass MAY ( cn cxy )

Then an entry belonging to B (explicit) and A (implicit, automatically added) cannot have attributes abc and xyz.
Re: All entries belong to the top object class?
On 04/26/15 10:46, Howard Chu wrote:
> dE wrote:
>> On 04/20/15 22:10, Quanah Gibson-Mount wrote:
>>> --On Monday, April 20, 2015 12:06 PM +0530 dE wrote:
>>>> I'm concerned about the attributes. Does adding of the top object class (or person) add all attributes to the entry?
>>>
>>> No. Look up the difference between "MUST" and "MAY". It means it is *possible* to set any of the attributes in an entry, with a value. MUST attributes are required, MAY are optional.
>>
>> Ok, so you can add attributes which are not included in the 'MAY' of the most subordinate object class the entry belongs to.
>
> Location in the objectclass hierarchy is irrelevant here. You can add attributes that are included in the MUST or MAY of *any* of the classes associated with the object.

And *any* includes all object classes in the superclass chain of the object classes the entry explicitly belongs to?
Re: All entries belong to the top object class?
Howard Chu wrote:
> Most LDAP deployments don't use DIT content rules,

I doubt this statement is true given that MS Active Directory makes heavy use of DIT content rules.

> so there are usually no limits on which auxiliary classes may be used.

A schema-aware LDAP client not capable of dealing with DIT content rules cannot do anything meaningful with MS AD.

Ciao, Michael.
Re: All entries belong to the top object class?
dE wrote:
> On 04/20/15 22:56, Michael Ströder wrote:
>> dE wrote:
>>> Does adding of the top object class (or person) add all attributes to the entry?
>>
>> Nope. Which text in RFC 4512 leads to your presumption?
>
> Sorry for the late response. I was out of town.
>
> From the responses, it appears the question has not been understood correctly,

Yes, very likely. But maybe you also did not understand the responses?

> Does adding of the top object class (implicitly) make it possible to add all attributes in the DIT to the entry?

No. Please read RFC 4512 more closely.

You could also read some source code, e.g. method SubSchema.attribute_types() herein:

http://python-ldap.cvs.sourceforge.net/viewvc/python-ldap/python-ldap/Lib/ldap/schema/subentry.py?revision=1.34&view=markup

Ciao, Michael.
Re: All entries belong to the top object class?
dE wrote:
> On 04/20/15 22:10, Quanah Gibson-Mount wrote:
>> --On Monday, April 20, 2015 12:06 PM +0530 dE wrote:
>>> I'm concerned about the attributes. Does adding of the top object class (or person) add all attributes to the entry?
>>
>> No. Look up the difference between "MUST" and "MAY". It means it is *possible* to set any of the attributes in an entry, with a value. MUST attributes are required, MAY are optional.
>
> Ok, so you can add attributes which are not included in the 'MAY' of the most subordinate object class the entry belongs to.

Location in the objectclass hierarchy is irrelevant here. You can add attributes that are included in the MUST or MAY of *any* of the classes associated with the object.

An object can only have one governing structural object class, but can have arbitrarily many auxiliary object classes, as limited by any DIT content rules that may be in effect for that structural class. Most LDAP deployments don't use DIT content rules, so there are usually no limits on which auxiliary classes may be used.

--
  -- Howard Chu
  CTO, Symas Corp. http://www.symas.com
  Director, Highland Sun http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP http://www.openldap.org/project/
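Added example, not part of any post in this thread and not OpenLDAP or python-ldap code: a small Python sketch of the rule the replies describe, where the attributes an entry may hold are the union of MUST and MAY over its object classes and all their implicit superclasses, so 'top' contributes only objectClass. The helper names, the class names B1/B2/B3 (the three variants of B), the `SUP top` on A and the OID-less extensibleObject line are assumptions; DIT content rules and structural-class rules are not modelled.

```python
import re

# Constructed schema. 'top' is the definition quoted in the thread; A and B
# follow the thread's example, with B1/B2/B3 standing for the three variants
# of B. "SUP top" on A and the OID-less extensibleObject are assumptions.
SCHEMA = [
    "( 2.5.6.0 NAME 'top' ABSTRACT MUST objectClass )",
    "( NAME 'A' SUP top MAY ( cn $ abc $ xyz $ cxy ) )",
    "( NAME 'B1' SUP A MAY ( cn $ cxy ) )",
    "( NAME 'B2' SUP A MAY ( cn $ abc $ xyz $ cxy ) )",
    "( NAME 'B3' SUP A )",
    "( NAME 'extensibleObject' SUP top AUXILIARY )",
]
TOKEN = re.compile(r"\(|\)|\$|'[^']*'|[^\s()$']+")
KINDS = ("ABSTRACT", "STRUCTURAL", "AUXILIARY")

def parse_object_class(text):
    """Parse NAME, SUP, kind, MUST and MAY from an object class description."""
    toks = TOKEN.findall(text)
    if len(toks) < 3 or toks[0] != "(" or toks[-1] != ")":
        raise ValueError("not a parenthesised description: %r" % text)
    toks = toks[1:-1]
    oc = {"names": [], "sup": [], "kind": "STRUCTURAL", "must": set(), "may": set()}
    i = 0
    while i < len(toks):
        key = toks[i]
        i += 1
        if key in ("NAME", "SUP", "MUST", "MAY") and i < len(toks):
            # The value is either one item or a list "( a $ b $ c )".
            if toks[i] == "(":
                end = toks.index(")", i)
                vals, i = [t for t in toks[i + 1:end] if t != "$"], end + 1
            else:
                vals, i = [toks[i]], i + 1
            vals = [v.strip("'").lower() for v in vals]  # names are case-insensitive
            if key in ("MUST", "MAY"):
                oc[key.lower()] = set(vals)
            else:
                oc["names" if key == "NAME" else "sup"] = vals
        elif key in KINDS:
            oc["kind"] = key
        elif key == "DESC":
            i += 1  # skip the quoted description string
        # Numeric OID, OBSOLETE and X- extensions are ignored in this sketch.
    if not oc["names"]:
        raise ValueError("object class without NAME: %r" % text)
    return oc

def load_schema(definitions):
    """Index parsed object classes by each of their lower-cased names."""
    schema = {}
    for text in definitions:
        oc = parse_object_class(text)
        for name in oc["names"]:
            schema[name] = oc
    return schema

def with_superclasses(schema, object_classes):
    """Named classes plus every superclass, which RFC 4512 3.3 adds implicitly."""
    seen, todo = set(), [c.lower() for c in object_classes]
    while todo:
        name = todo.pop()
        if name in seen:
            continue
        if name not in schema:
            raise KeyError("unknown object class: " + name)
        seen.add(name)
        todo.extend(schema[name]["sup"])
    return seen

def allowed_attributes(schema, object_classes):
    """Return (must, may): the union over the whole superclass chain."""
    must, may = set(), set()
    for name in with_superclasses(schema, object_classes):
        must |= schema[name]["must"]
        may |= schema[name]["may"]
    return must, may - must

def check_entry(schema, entry):
    """List schema problems for an entry given as {attribute: [values]}."""
    attrs = {a.lower(): v for a, v in entry.items()}
    classes = attrs.get("objectclass") or []
    if not classes:
        return ["missing MUST attribute: objectclass"]
    must, may = allowed_attributes(schema, classes)
    problems = ["missing MUST attribute: " + a for a in sorted(must) if not attrs.get(a)]
    if "extensibleobject" in with_superclasses(schema, classes):
        # With extensibleObject the MAY check is meaningless; flag it for review.
        return problems + ["extensibleObject present: any attribute is accepted"]
    return problems + ["attribute not allowed: " + a
                       for a in sorted(attrs) if a not in must | may]
```

Running `check_entry` over exported entries flags both attributes that no class in the chain permits and entries where extensibleObject has switched that check off.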
Re: All entries belong to the top object class?
On 04/20/15 22:10, Quanah Gibson-Mount wrote:
> --On Monday, April 20, 2015 12:06 PM +0530 dE wrote:
>> I'm concerned about the attributes. Does adding of the top object class (or person) add all attributes to the entry?
>
> No. Look up the difference between "MUST" and "MAY". It means it is *possible* to set any of the attributes in an entry, with a value. MUST attributes are required, MAY are optional.
>
> --Quanah
>
> --
> Quanah Gibson-Mount
> Platform Architect
> Zimbra, Inc.
> Zimbra :: the leader in open source messaging and collaboration

Ok, so you can add attributes which are not included in the 'MAY' of the most subordinate object class the entry belongs to.
Re: All entries belong to the top object class?
On 04/20/15 22:56, Michael Ströder wrote:
> dE wrote:
>> Does adding of the top object class (or person) add all attributes to the entry?
>
> Nope. Which text in RFC 4512 leads to your presumption?
>
> Ciao, Michael.

Sorry for the late response. I was out of town.

From the responses, it appears the question has not been understood correctly, what I meant to ask was --

Does adding of the top object class (implicitly) make it possible to add all attributes in the DIT to the entry? I'm talking about attributes which are out of the 'MAY' in the most subordinate object class the entry belong to.
Re: All entries belong to the top object class?
On Mon, Apr 20, 2015 at 11:06:07AM +0530, dE wrote:

> I'm concerned about the attributes. Does adding of the top object
> class (or person) add all attributes to the entry?

No. 'top' is defined in RFC4512:

    ( 2.5.6.0 NAME 'top' ABSTRACT MUST objectClass )

so every entry MUST contain an objectclass attribute.
It does not say anything about any other attributes.

In any case, objectclasses do not directly add attributes to entries. They do permit (MAY) or require (MUST) certain attributes. It is up to the user or application to supply values for MUST attributes and for any MAY attributes that you want to use.

LDAP does not support 'present but empty' attributes, so there must be a non-null value in each MUST attribute.

Andrew
--
| From Andrew Findlay, Skills 1st Ltd |
| Consultant in large-scale systems, networks, and directory services |
| http://www.skills-1st.co.uk/ +44 1628 782565 |
Re: All entries belong to the top object class?
--On Monday, April 20, 2015 12:06 PM +0530 dE wrote:
> I'm concerned about the attributes. Does adding of the top object class (or person) add all attributes to the entry?

No. Look up the difference between "MUST" and "MAY". It means it is *possible* to set any of the attributes in an entry, with a value. MUST attributes are required, MAY are optional.

--Quanah

--
Quanah Gibson-Mount
Platform Architect
Zimbra, Inc.
Zimbra :: the leader in open source messaging and collaboration
Re: All entries belong to the top object class?
On 04/20/15 00:59, Ryan Tandy wrote:
> On Sun, Apr 19, 2015 at 11:42:16AM +0530, dE wrote:
>> As per https://tools.ietf.org/html/rfc4512#section-3.3
>>
>>     When creating an entry or adding an 'objectClass' value to an entry, all superclasses of the named classes SHALL be implicitly added as well if not already present.
>>
>> That means the top object class will always be there.
>
> Basically correct. Note "implicitly" means it's treated as present, even if the entry doesn't actually contain "objectClass: top".
>
>> Or is it that only the most subordinate object class in the multivalued attribute is considered by the client and server?
>
> The following facts may answer your question:
>
> - every entry satisfies the filter "(objectClass=top)".
> - an entry with "objectClass: inetOrgPerson" satisfies the filter "(objectClass=person)".

I'm concerned about the attributes. Does adding of the top object class (or person) add all attributes to the entry?
Re: All entries belong to the top object class?
On Sun, Apr 19, 2015 at 11:42:16AM +0530, dE wrote:
> As per https://tools.ietf.org/html/rfc4512#section-3.3
>
>     When creating an entry or adding an 'objectClass' value to an entry, all superclasses of the named classes SHALL be implicitly added as well if not already present.
>
> That means the top object class will always be there.

Basically correct. Note "implicitly" means it's treated as present, even if the entry doesn't actually contain "objectClass: top".

> Or is it that only the most subordinate object class in the multivalued attribute is considered by the client and server?

The following facts may answer your question:

- every entry satisfies the filter "(objectClass=top)".
- an entry with "objectClass: inetOrgPerson" satisfies the filter "(objectClass=person)".