[Freeipa-devel] containers
Rich Megginson
rmeggins at redhat.com
Fri Nov 16 18:39:14 UTC 2007
John Dennis wrote:
> Simo Sorce wrote:
>> Ok you just got it wrong, in this context namespaces == objectClasses in
>> LDAP, the tree is not.
>
> Every book I've read on LDAP uses tree structure to partition data, I
> guess they got it wrong too :-)
The hierarchy came from X.500, which actually has a very rigid hierarchy
that you must conform to. One of the things that makes LDAP
"lightweight" is that it allows you to create your own tree structure
much more easily. What we have found over several years is that it
makes deployments much easier to have a flat name space and use
attributes in entries to control group membership, roles, access
control, etc. rather than basing all of these on which container the
entry is in.

However, Active Directory places a great deal of emphasis on hierarchy,
using containers as the default grouping mechanism, meaning entries are
moved into and between containers very often; organizations may have
hundreds of containers, nested containers, etc.
>
> An objectClass is equivalent to a struct not a namespace. That's like
> saying all variables of type X can only be stored in the same global
> array.
>