Why sambaAccount should be an auxiliary object class

Shahms E. King shahms at shahms.com
Mon May 27 16:01:01 GMT 2002


Yes, you are right. The only reason (that I can remember right now) for
it not being an auxiliary object class was that OpenLDAP didn't check
such things. There might be other reason(s) (and probably are), but I
can't remember them off the top of my head.

--Shahms
On Mon, 2002-05-27 at 09:06, Norbert Klasen wrote:
> Hi,
> the sambaAccount object class is used by Samba to store its account 
> information in a directory. It is defined as (samba.schema from samba 
> 2.2.4):
> 
> objectclass ( 1.3.6.1.4.1.7165.2.2.2
>         NAME 'sambaAccount'
>         SUP top
>         STRUCTURAL
>         DESC 'Samba Account'
>         MUST ( uid $ rid )
>         MAY  ( cn $ lmPassword $ [...] ))
> 
> While it may be convenient to use a structural object class in a directory 
> service that will only hold information about Samba accounts this 
> effectively precludes the integration of such data into existing services. 
> Such services generally use "account" or "person" (or one of its 
> descendants like "inetOrgPerson") as structural object class. However, the 
> X.500 and thus the LDAP data model only allows one "structural object class 
> of an entry". An entry must have "precisely one structural object class 
> superclass chain which has a single structural object class as the most 
> subordinate object class". That is, an entry may not be a member of both 
> "sambaAccount" and, for example, "inetOrgPerson" as neither is derived from 
> the other.
> 
> Current versions of OpenLDAP (and maybe other directory servers) do not 
> validate superclass chains in their schema check, but the upcoming 2.1 
> release will enforce this restriction.
> 
> We at DAASI suggest that "sambaAccount" is redefined (new OID, new name?) 
> as an AUXILIARY object class. For Samba-only repositories, the "account" 
> object class should be used as structural object class just as RFC2307 
> suggests for "posixAccount".
> 
> -- 
> Dipl.-Inform. Norbert Klasen
> DAASI International GmbH                 phone: +49 7071 29 70336
> Wilhelmstr. 106                          fax:   +49 7071 29 5114
> 72074 Tübingen                           email: norbert.klasen at daasi.de
> Germany                                  web:   http://www.daasi.de
> 
> 
> 
> 
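
The single-structural-chain rule quoted in the message above, as an added example that is not part of the original thread or of Samba or OpenLDAP code. The schema table is a simplified model (only class kind and SUP) built from the standard definitions and the samba.schema excerpt quoted above; the function names are hypothetical.

```python
# Simplified schema model: name -> (kind, superior class).
# sambaAccount is STRUCTURAL here, as in the samba 2.2.4 excerpt quoted above.
SCHEMA = {
    "top": ("ABSTRACT", None),
    "person": ("STRUCTURAL", "top"),
    "organizationalPerson": ("STRUCTURAL", "person"),
    "inetOrgPerson": ("STRUCTURAL", "organizationalPerson"),
    "account": ("STRUCTURAL", "top"),
    "posixAccount": ("AUXILIARY", "top"),
    "sambaAccount": ("STRUCTURAL", "top"),
}


def superclass_chain(name, schema):
    """Return [name, its superior, ..., 'top'] by following SUP links."""
    chain = []
    while name is not None:
        chain.append(name)
        name = schema[name][1]
    return chain


def structural_class(object_classes, schema=SCHEMA):
    """Return the entry's most subordinate structural class.

    Raises ValueError when the entry has no structural class, or when two of
    its structural classes are not on one superclass chain.
    """
    structural = [oc for oc in object_classes if schema[oc][0] == "STRUCTURAL"]
    if not structural:
        raise ValueError("entry has no structural object class")
    # The deepest structural class is the candidate; every other structural
    # class on the entry must be one of its superclasses.
    leaf = max(structural, key=lambda oc: len(superclass_chain(oc, schema)))
    chain = superclass_chain(leaf, schema)
    stray = [oc for oc in structural if oc not in chain]
    if stray:
        raise ValueError(f"{leaf} and {stray[0]} are unrelated structural classes")
    return leaf


def with_auxiliary_samba(schema=SCHEMA):
    """Copy of the schema with sambaAccount redefined as AUXILIARY (the proposal)."""
    fixed = dict(schema)
    fixed["sambaAccount"] = ("AUXILIARY", "top")
    return fixed
```

With the structural definition, an entry carrying both inetOrgPerson and sambaAccount is rejected; with the auxiliary redefinition the same entry resolves to inetOrgPerson, and a Samba-only entry can use account as its structural class.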



