From: Clif H. <cl...@di...> - 2001-01-31 17:15:22
> > Clif Harden <cl...@di...> wrote:
> >>
> >> It is widely known that the Root DSE subschema mechanism described
> >> in RFC 2251 is seriously broken. This approach should be avoided.
> >> (I suspect this approach to be eliminated from the specification).
> >>
> >> If you want to discover the subschema controlling a particular
> >> entry, obtain the subschema from the DN contained in that entry's
> >> subschemaSubentry attribute. If adding an entry, fetch the schema
> >
> >
> > This is where part of the problem lies, according to RFC 2251
> > 3.2.1 subschemaSubentry is a MAY contain attribute. Many directory
> > servers do not use subschemaSubentry, whether this is right or wrong
> > engineering practice does not matter because it is legal according
> > to the RFC.
> >
> > Maybe someone should work with the IETF to make subschemaSubentry a
> > MUST contain attribute. Personally I think it should be a MUST contain
> > attribute.
>
> (To clarify for those who don't have RFC 2251 open whilst reading this
> thread, that section defines the operational attributes on each entry,
> *not* the attributes in the root DSE.)

Due to Kurt's use of "particular entry" I took this to mean any entry in
the DIT besides the rootDSE.

>
> Yeah it should probably be a MUST, but clients must never expect to be able
> to read it because there might be access controls in place which prevent
> this.

Very true statement about access controls, we put access controls on our
operational attributes.

>
> Cheers,
>
> Chris
>

Later,

Clif Harden c-h...@ti...
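
Added example, not part of the original message or of any project's code: a client-side lookup that follows an entry's subschemaSubentry to the subschema, and tolerates both cases raised in the thread (the server not supplying the attribute, and access controls hiding it). The in-memory directory, the `DENIED` set, and the `read_entry` and `find_subschema` helpers are hypothetical, and the sketch assumes the server silently omits attributes the client may not read.

```python
# Constructed in-memory directory standing in for an LDAP server (assumption).
DIRECTORY = {
    "cn=subschema": {"objectClasses": ["( 2.5.6.6 NAME 'person' SUP top )"]},
    "uid=a,dc=example,dc=com": {"cn": ["A"], "subschemaSubentry": ["cn=subschema"]},
    # Server that does not populate the MAY attribute at all.
    "uid=b,dc=example,dc=com": {"cn": ["B"]},
    "uid=c,dc=example,dc=com": {"cn": ["C"], "subschemaSubentry": ["cn=subschema"]},
}

# Constructed access-control list: (dn, attribute) pairs this client may not read.
DENIED = {("uid=c,dc=example,dc=com", "subschemaSubentry")}


def read_entry(dn, attrs):
    """Hypothetical base-scope read.

    Returns only the requested attributes that exist and are readable,
    or None if the entry does not exist.
    """
    entry = DIRECTORY.get(dn)
    if entry is None:
        return None
    return {a: entry[a] for a in attrs if a in entry and (dn, a) not in DENIED}


def find_subschema(dn):
    """Return (status, object_classes) for the subschema governing dn."""
    # Operational attributes are only returned when requested by name.
    entry = read_entry(dn, ["subschemaSubentry"])
    if entry is None:
        return ("no-such-entry", None)
    values = entry.get("subschemaSubentry")
    if not values:
        # Absent (legal, it is a MAY attribute) or hidden by access controls:
        # the client cannot tell which, so it must not assume any schema and
        # should leave validation to the server.
        return ("schema-unknown", None)
    subentry = read_entry(values[0], ["objectClasses"])
    if not subentry or "objectClasses" not in subentry:
        # The subentry itself may also be protected or missing.
        return ("schema-unreadable", None)
    return ("ok", subentry["objectClasses"])
```
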