Why sambaAccount should be an auxiliary object class
Shahms E. King
shahms at shahms.com
Mon May 27 16:01:01 GMT 2002
Yes, you are right, the only reason (that I can remember right now) for
it not being an auxiliary object class was that OpenLDAP didn't check
such things, there might be another reason(s) (and probably are) but I
can't remember them off the of my head.
--Shahms
On Mon, 2002-05-27 at 09:06, Norbert Klasen wrote:
> Hi,
> the sambaAccount object class is used by Samba to store its account
> information in a directory. It is defined as (samba.schema from samba
> 2.2.4):
>
> objectclass ( 1.3.6.1.4.1.7165.2.2.2
> NAME 'sambaAccount'
> SUP top
> STRUCTURAL
> DESC 'Samba Account'
> MUST ( uid $ rid )
> MAY ( cn $ lmPassword $ [...] ))
>
> While it may be convenient to use a structural object class in a directory
> service that will only hold information about Samba accounts this
> effectively precludes the integration of such data into existing services.
> Such services generally use "account" or "person" (or one of its
> descendants like "inetOrgPerson") as structural object class. However, the
> X.500 and thus the LDAP data model only allows one "structural object class
> of an entry". An entry must have "precisely one structural object class
> superclass chain which has a single structural object class as the most
> subordinate object class". That is, an entry may not be member of both
> "sambaAccount" and, for example, "inetOrgPerson" as neither is derived from
> the other.
>
> Current version of OpenLDAP (and maybe other directory servers) do not
> validate superclass chains in their schema check, but the upcoming 2.1
> release will enforce this restriction.
>
> We at DAASI suggest that "sambaAccount" is redefined (new OID, new name?)
> as an AUXILIARY object class. For Samba-only repositories, the "account"
> object class should be used as structural object class just as RFC2307
> suggests for "posixAccount".
>
> --
> Dipl.-Inform. Norbert Klasen
> DAASI International GmbH phone: +49 7071 29 70336
> Wilhelmstr. 106 fax: +49 7071 29 5114
> 72074 Tübingen email: norbert.klasen at daasi.de
> Germany web: http://www.daasi.de
>
>
>
>
More information about the samba-technical
mailing list