[Freeipa-devel] Questions about LDAP Attribute Usage

Richard Megginson rmeggins at redhat.com
Thu Aug 16 20:45:55 UTC 2007


Máirín Duffy wrote:
> Hey,
>
> I've skimmed through RFC2256, but I'm still having trouble 
> understanding how exactly some of the attributes in LDAP are 
> actually used. For example:
>
> "5.52. houseIdentifier This attribute is used to identify a building 
> within a location."
>
> That still doesn't illustrate its usage very well. If there was an 
> example I think it would be more clear. For instance, if your street 
> address is '123 Sesame Street' and the '123' was considered the 
> houseIdentifier, that would make sense to me but I don't know if that 
> is the intended usage of this attribute. Sometimes the attributes 
> don't even have *that* much of an explanation:
>
> "5.17. postalAddress
> ( 2.5.4.16 NAME 'postalAddress' EQUALITY caseIgnoreListMatch
>      SUBSTR caseIgnoreListSubstringsMatch
>      SYNTAX 1.3.6.1.4.1.1466.115.121.1.41 )"
>
> Is the postalAddress supposed to be just the '123 Sesame Street' part? 
> Or is it the whole 'Joe Smith, 123 Sesame Street, New York, NY 10001' 
> text? If so, how is this information stored, all in one blob in the 
> attribute?
> Also, how would the postalAddress attribute interact with seemingly 
> related attributes like 'postalCode' and 'postOfficeBox'? How does one 
> deal with international postal addresses as well - are any special 
> considerations needed here?
>
> I also have some more general questions (I apologize for the n00bness 
> of all these!):
>
> 1. Can attributes contain each other? Could 'postalCode' be inserted 
> into 'postalAddress' ?
You mean, something like
postalAddress: $houseIdentifier Sesame Street $ Anytown, IA $postalCode

No.  LDAP has no provision for macro or variable substitution.
>
> 2. Can one user have multiples of an attribute? For example, a 
> postalAddress for home and a postalAddress for office and a 
> postalAddress for deliveries? Or can they only have one of each 
> attribute?
It depends on whether the attribute is defined as SINGLE-VALUE or not.  But 
in LDAP attribute values are not ordered, and there is no well-defined 
or standard mechanism for distinguishing different purposes for each 
value in a multi-valued attribute.  In this case, it is better to create 
new attributes, e.g. workPostalAddress, deliveryPostalAddress, etc.
>
> 3. If users can have multiple of the same attribute, is there any way 
> to guarantee ordering between them, so in the context of a company 
> employee the office version of postalAddress is used first?
No.  Attribute values in LDAPv3 are SETs, which have no ordering 
guarantees.  OpenLDAP supports a way to keep ordered lists, but 
Fedora/Red Hat DS does not support that.
>
> 4. When mapping attributes to fields in the webui, is there any 
> document more useful than RFC2256 for understanding better the common 
> usages of many of these attributes?
I think http://www.ietf.org/rfc/rfc4517.txt can clarify most of these.  
As you have discovered, RFC2256 is woefully incomplete, which is why 
rfc4511-4517 (LDAPv3bis) were created to revise 2251-2256 (LDAPv3).
>
> 5. With respect to FreeIPA v1, are any of these attributes about users 
> absolutely *required* in all or most usages? I understand a user's 
> particular policy may dictate different requirements, but for v1 are 
> there going to be a default set of requirements that can be 
> customizable in later versions? Or will the required fields always be 
> customizable?

>
> Thanks!
> ~m
>
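The following is an added worked example (editor's code, not code from this thread, from FreeIPA, or from Fedora/Red Hat Directory Server) that shows concretely what the answers above mean: the RFC 4517 Postal Address syntax (OID 1.3.6.1.4.1.1466.115.121.1.41, the one quoted in the question) stores the whole address as one value with lines joined by "$", a "$postalCode" inside a value is literal text with no substitution, attribute values behave as an unordered set, and an entry is written out as LDIF (RFC 2849). The DN, the sample addresses and the attribute names workPostalAddress/deliveryPostalAddress are assumptions: the two names are the reply's suggestion, not attributes in any standard schema, and uid is treated as SINGLE-VALUE purely for illustration.

```python
"""Added example: how an LDAPv3 directory stores the values the thread asks
about. Implements the RFC 4517 Postal Address syntax, set semantics for
multi-valued attributes, and LDIF (RFC 2849) output. Not FreeIPA/DS code."""
import base64
import re

# RFC 4517 3.3.28: address lines are joined with "$"; inside a line a literal
# "$" is written "\24" and a literal backslash "\5C" (hex digits case-insensitive).
_ESCAPE_RE = re.compile(r"\\(24|5[Cc])")


def encode_postal_address(lines):
    """Join address lines (name, street, city, country...) into ONE value."""
    if not lines or any(line == "" for line in lines):
        raise ValueError("every postal address line must be non-empty")
    encoded = []
    for line in lines:
        # Escape backslash first so the backslash introduced for "$" survives.
        encoded.append(line.replace("\\", "\\5C").replace("$", "\\24"))
    return "$".join(encoded)


def decode_postal_address(value):
    """Split a stored value back into its lines and undo the escapes per line.
    Splitting on the raw "$" first is safe: an escaped "$" is "\24", not "$"."""
    return [
        _ESCAPE_RE.sub(lambda m: "$" if m.group(1) == "24" else "\\", part)
        for part in value.split("$")
    ]


def add_value(entry, attr, value, single_value=False):
    """Store a value on an attribute. Values form a SET: duplicates collapse
    and there is no ordering. An attribute defined SINGLE-VALUE rejects a
    second distinct value (a real server answers constraintViolation)."""
    values = entry.setdefault(attr, set())
    if single_value and values and value not in values:
        raise ValueError(f"{attr} is SINGLE-VALUE and already holds a value")
    values.add(value)


def _is_safe_string(value):
    # RFC 2849 SAFE-STRING: ASCII only, no NUL/CR/LF, no leading space, colon
    # or "<". Anything else must be base64-encoded and written with "::".
    return (
        value.isascii()
        and not any(ch in value for ch in "\0\r\n")
        and not value.startswith((" ", ":", "<"))
    )


def to_ldif(dn, entry):
    """Serialize one entry as LDIF. Each value, including a whole multi-line
    postal address, is one 'attr: value' line. Values are sorted only so the
    output is stable; the directory itself keeps no order."""
    out = [f"dn: {dn}"]
    for attr in sorted(entry):
        for value in sorted(entry[attr]):
            if _is_safe_string(value):
                out.append(f"{attr}: {value}")
            else:
                b64 = base64.b64encode(value.encode("utf-8")).decode("ascii")
                out.append(f"{attr}:: {b64}")
    return "\n".join(out) + "\n"


def build_example_entry():
    """Constructed sample entry walking through the questions in the thread."""
    dn = "uid=jsmith,cn=users,cn=accounts,dc=example,dc=com"  # assumed DN
    entry = {}
    # uid treated as SINGLE-VALUE here for illustration; the schema decides.
    add_value(entry, "uid", "jsmith", single_value=True)
    add_value(entry, "cn", "Joe Smith")
    # postalAddress is the whole address as one value, not just the street;
    # the street line carries the house number.
    add_value(entry, "homePostalAddress", encode_postal_address(
        ["Joe Smith", "123 Sesame Street", "New York, NY 10001", "US"]))
    # Q1: "$postalCode" inside a value is literal text, not a reference, and
    # because "$" is the line separator it must be escaped to survive.
    add_value(entry, "postalAddress", encode_postal_address(
        ["Joe Smith", "Example Corp", "$postalCode"]))
    # Q2/Q3: several values in one attribute are an unordered set, so the
    # reply's advice is one attribute type per purpose (assumed name below).
    add_value(entry, "deliveryPostalAddress", encode_postal_address(
        ["Joe Smith", "PO Box 1000000", "Anytown, CA 12345", "USA"]))
    add_value(entry, "postalCode", "10001")
    add_value(entry, "postalCode", "10001")  # duplicate: the set keeps one
    return dn, entry


if __name__ == "__main__":
    print(to_ldif(*build_example_entry()))
```

Running the block prints the entry as LDIF, with each address on one line such as `homePostalAddress: Joe Smith$123 Sesame Street$New York, NY 10001$US` and the escaped line `postalAddress: Joe Smith$Example Corp$\24postalCode`. Whether a given attribute is SINGLE-VALUE is a property of the server's schema, not of the client, so the `single_value` flag here only mimics the check the directory makes when an entry is added or modified.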
