Re: Net::LDAP::schema brokenness

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 422-6466

Clif Harden <cl...@di...> wrote:
>> 
>> It is widely known that the Root DSE subschema mechanism described
>> in RFC 2251 is seriously broken.  This approach should be avoided.
>> (I suspect this approach to be eliminated from the specification).
>> 
>> If you want discover the subschema controlling a particular
>> entry, obtain the subschema from the DN contained in that entry's
>> subschemaSubentry attribute.  If adding an entry, fetch the schema
> 
> 
> This is where part of the problem lies, according to RFC 2251 
> 3.2.1 subschemaSubentry is a MAY contain attribute.  Many directory 
> servers do not use subschemaSubentry, whether this is right or wrong 
> engineering practice does not matter because it is legal according 
> to the RFC.
> 
> Maybe someone should work with the IETF to make subschemaSubentry a 
> MUST contain attribute.  Personally I think it should be a MUST contain
> attribute.

(To clarify for those who don't have RFC 2251 open whilst reading this
thread, that section defines the operational attributes on each entry,
*not* the attributes in the root DSE.)

Yeah it should probably be a MUST, but clients must never expect to be able
to read it because there might be access controls in place which prevent
this.

Cheers,

Chris