[Freeipa-devel] Questions about LDAP Attribute Usage
Richard Megginson
rmeggins at redhat.com
Thu Aug 16 20:45:55 UTC 2007
Máirín Duffy wrote:
> Hey,
>
> I've skimmed through RFC2256, but I'm still having trouble
> understanding how exactly some of the attributes in LDAP are
> actually used. For example:
>
> "5.52. houseIdentifier This attribute is used to identify a building
> within a location."
>
> That still doesn't illustrate its usage very well. If there was an
> example I think it would be more clear. For instance, if your street
> address is '123 Sesame Street' and the '123' was considered the
> houseIdentifier, that would make sense to me but I don't know if that
> is the intended usage of this attribute. Sometimes the attributes
> don't even have *that* much of an explanation:
>
> "5.17. postalAddress
> ( 2.5.4.16 NAME 'postalAddress' EQUALITY caseIgnoreListMatch
> SUBSTR caseIgnoreListSubstringsMatch
> SYNTAX 1.3.6.1.4.1.1466.115.121.1.41 )"
>
> Is the postalAddress supposed to be just the '123 Sesame Street' part?
> Or is it the whole 'Joe Smith, 123 Sesame Street, New York, NY 10001'
> text? If so, how is this information stored, all in one blob in the
> attribute?
> Also, how would the postalAddress attribute interact with seemingly
> related attributes like 'postalCode' and 'postOfficeBox'? How does one
> deal with international postal addresses as well - are any special
> considerations needed here?
>
> I also have some more general questions (I apologize for the n00bness
> of all these!):
>
> 1. Can attributes contain each other? Could 'postalCode' be inserted
> into 'postalAddress' ?
You mean, something like
postalAddress: $houseIdentifier Sesame Street $ Anytown, IA $postalCode
No. LDAP has no provision for macro or variable substitution.
>
> 2. Can one user have multiples of an attribute? For example, a
> postalAddress for home and a postalAddress for office and a
> postalAddress for deliveries? Or can they only have one of each
> attribute?
It depends on if the attribute is defined as SINGLE-VALUE or not. But
in LDAP attribute values are not ordered, and there is no well defined
or standard mechanism for distinguishing different purposes for each
value in a multi-valued attribute. In this case, it is better to create
new attributes e.g. workPostalAddress, deliveryPostalAddress, etc.
>
> 3. If users can have multiple of the same attribute, is there any way
> to guarantee ordering between them, so in the context of a company
> employee the office version of postalAddress is used first?
No. Attribute values in LDAPv3 are SETs, which have no ordering
guarantees. OpenLDAP supports a way to keep ordered lists, but
Fedora/Red Hat DS does not support that.
>
> 4. When mapping attributes to fields in the webui, is there any
> document more useful than RFC2256 for understanding better the common
> usages of many of these attributes?
I think http://www.ietf.org/rfc/rfc4517.txt can clarify most of these.
As you have discovered, RFC2256 is woefully incomplete, which is why
rfc4511-4517 (LDAPv3bis) were created to revise 2251-2256 (LDAPv3).
>
> 5. With respect to FreeIPA v1, are any of these attributes about users
> absolutely *required* in all or most usages? I understand a user's
> particular policy may dictate different requirements, but for v1 are
> there going to be a default set of requirements that can be
> customizable in later versions? Or will the required fields always be
> customizable?
>
> Thanks!
> ~m
>
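An added example, not from this thread or from FreeIPA/Red Hat DS, showing how a postalAddress value is stored as a single blob under the Postal Address syntax (1.3.6.1.4.1.1466.115.121.1.41) described in RFC 4517: the address lines are joined with `$`, and a literal `$` or backslash inside a line has to be escaped as `\24` or `\5C`. The parser also rejects a value like the `$houseIdentifier ...` line above, where the leading `$` would be read as an empty first line. The sample address and function names are constructed for the example.

```python
import re

# RFC 4517 section 3.3.28 (Postal Address): lines are separated by "$";
# a literal "$" is written "\24" and a literal backslash "\5C" (hex digits
# are case-insensitive in ABNF, so "\5c" is accepted too).
_UNESCAPE_RE = re.compile(r"\\(24|5[cC])")
_UNESCAPED = {"24": "$", "5c": "\\"}


def parse_postal_address(value):
    """Split one Postal Address attribute value into its unescaped lines.

    Raises ValueError when the value has an empty line, which the syntax
    does not permit (a line must contain at least one character).
    """
    lines = []
    for raw_line in value.split("$"):
        if raw_line == "":
            raise ValueError("Postal Address lines must be non-empty: %r" % value)
        lines.append(_UNESCAPE_RE.sub(lambda m: _UNESCAPED[m.group(1).lower()],
                                      raw_line))
    return lines


def format_postal_address(lines):
    """Join address lines into one Postal Address value, escaping as needed."""
    if not lines:
        raise ValueError("a Postal Address needs at least one line")
    escaped = []
    for line in lines:
        if line == "":
            raise ValueError("Postal Address lines must be non-empty")
        # Escape the backslash first so the "\" introduced for "$" is kept.
        escaped.append(line.replace("\\", "\\5C").replace("$", "\\24"))
    return "$".join(escaped)


def is_valid_postal_address(value):
    """True if the value parses under the Postal Address syntax rules above."""
    try:
        parse_postal_address(value)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample: the whole address from the question, stored in one value.
    stored = format_postal_address(["Joe Smith", "123 Sesame Street", "New York, NY 10001"])
    print(stored)                       # Joe Smith$123 Sesame Street$New York, NY 10001
    print(parse_postal_address(stored))
    print(is_valid_postal_address("$houseIdentifier Sesame Street $ Anytown, IA $postalCode"))
```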