directory-dev mailing list archives

From Emmanuel Lecharny
Subject [SchemaService]
Date Fri, 19 Jan 2007 22:33:58 GMT
Hi guys,

I have been working for the last 3 days on DIRSERVER-758, and while 
trying to fix it, I just felt like I have found something pretty ugly. I 
need your opinion on some points, and choices.

Just to summarize, DIRSERVER-758 was about creating an entry with 
attributes not existing or not part of any objectclasses.

For instance, here is one kind of entry which is problematic :

dn: c=france, ou=system
objectclass : inetOrgPerson
sn: emmanuel

This entry has four problems :
1) The 'c' attribute is not declared in the entry's attributes
2) The 'c' attribute is associated with the 'country' object class, 
which is not listed as an attribute for this entry
3) Some object classes are missing : 'top', 'person', 
'organizationalPerson' and of course 'country'
4) Some attributes are missing : 'sn', 'cn', declared in objectclass 'person'

Ok, so far, it seems that this entry is not correct. Alas, we can inject 
it in the server :(

This is what I was trying to fix. Now, here are my questions :

1) Regarding missing ObjectClasses
We can add some of the missing ObjectClasses, like 'top', 'person', 
'organizationalPerson', because we have all the needed information to 
rebuild the hierarchy starting from 'inetOrgPerson'.

  Q : Is it a good idea to do so, instead of simply rejecting the entry ?

2) Regarding missing attributes
If we have a RDN with an attribute not declared as an attribute of the 
entry, it should be rejected, as stated by RFC 2251 (4.7. Add Operation):

"- attributes: the list of attributes that make up the content of the
     entry being added.  Clients MUST include distinguished values
     (those forming the entry's own RDN) in this list,..."

  Q : Is that ok with you to reject such entries ?

If an attribute is added to the entry, but without the associated 
ObjectClass, then it should not be accepted, unless we have added the 
missing ObjectClass following 1-a above

  Q : wdyt ?

3) Regarding use of JNDI API
In some places of the code (mainly tests), we use the 
Context.createSubcontext( name ) method. This leads to a serious problem, 
because we have no clue about which objectclass to use and no clue about 
how to create MUST attributes if needed. Consider a call where name is 
'ou=apache, ou=system', we will have to add an objectclass, but which 
one ? 'ou' is used by applicationEntity, applicationProcess, device, 
groupOfNames, groupOfUniqueNames, organizationalRole, organizationalUnit, 
organizationalPerson

Other cases are pretty obvious :
- an entry with missing attributes (declared as MUST in the entry's ObjectClass) should be
considered as an error
- an RDN like test=acme should not be accepted, unless 'test' is declared as a valid attribute.

Special cases like collective attributes, extensibleObject objectclasses, 
operational attributes, top, are supposed to be handled correctly.

Any ideas, comments, insight ?

Thanks !
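
The checks discussed in the message above, as an added example that is not part of the original message and is not ApacheDS code: it validates an Add request against a small schema table and reports missing superior object classes separately, so either policy from question 1 (reject or auto-complete) can be applied on top. The `SCHEMA` table is a constructed, simplified subset, attribute names are assumed to be already lowercased, and extensibleObject, collective and operational attributes are not handled.

```java
import java.util.*;
public class AddEntryCheck {
    // Constructed, simplified schema subset (assumption, not the server's real schema).
    record ObjectClass(String superior, Set<String> must, Set<String> may) {}
    static final Map<String, ObjectClass> SCHEMA = Map.of(
        "top", new ObjectClass(null, Set.of("objectclass"), Set.of()),
        "person", new ObjectClass("top", Set.of("sn", "cn"), Set.of("telephonenumber")),
        "organizationalperson", new ObjectClass("person", Set.of(), Set.of("ou", "title")),
        "inetorgperson", new ObjectClass("organizationalperson", Set.of(), Set.of("mail", "uid")),
        "country", new ObjectClass("top", Set.of("c"), Set.of("description")));

    /** Returns the schema violations for an Add request; an empty list means the entry passes. */
    static List<String> check(String rdnAttr, Map<String, List<String>> attrs) {
        List<String> errors = new ArrayList<>();
        Set<String> declared = new TreeSet<>();
        for (String oc : attrs.getOrDefault("objectclass", List.of())) declared.add(oc.toLowerCase());
        // Walk each declared class up its superior chain, collecting MUST and MAY attributes.
        Set<String> must = new TreeSet<>(), allowed = new TreeSet<>(), needed = new TreeSet<>();
        for (String oc : declared) {
            for (String cur = oc; cur != null; ) {
                ObjectClass def = SCHEMA.get(cur);
                if (def == null) { errors.add("unknown objectClass: " + cur); break; }
                needed.add(cur);
                must.addAll(def.must());
                allowed.addAll(def.may());
                cur = def.superior();
            }
        }
        allowed.addAll(must);
        needed.removeAll(declared);
        for (String oc : needed) errors.add("missing superior objectClass: " + oc);
        // RFC 2251 4.7: the RDN's distinguished values must be among the entry's attributes.
        Set<String> used = new TreeSet<>(attrs.keySet());
        if (used.add(rdnAttr)) errors.add("RDN attribute not listed in entry: " + rdnAttr);
        for (String a : used)
            if (!allowed.contains(a)) errors.add("attribute not allowed by declared objectClasses: " + a);
        for (String m : must)
            if (!attrs.containsKey(m)) errors.add("missing MUST attribute: " + m);
        return errors;
    }

    public static void main(String[] args) {
        // The entry from the message, with DN c=france, ou=system (RDN attribute 'c').
        Map<String, List<String>> entry = new TreeMap<>();
        entry.put("objectclass", List.of("inetOrgPerson"));
        entry.put("sn", List.of("emmanuel"));
        check("c", entry).forEach(System.out::println);
    }
}
```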

