On Wed, Nov 26, 2008 at 05:31:59PM +0200, Buchan Milne wrote:
> On Wednesday 26 November 2008 17:03:55 Mansour Al Akeel wrote:
> > Thank you Michael, but posixAccount doesn't require the password, which makes it not suitable for authentication.
> But, inetOrgPerson (as it inherits from person) allows userPassword, so this is irrelevant.
It is also worth pointing out that making attributes mandatory (using MUST in schema files) is usually a bad idea. It can severely restrict your flexibility when creating entries, and often leads to silly workarounds like creating objects with dummy attribute values just to satisfy the rules.
This mistake was made in several of the early objectclass definitions. One example is groupOfNames where the definition makes it impossible to have an empty group.
You may find my Schema Design paper helpful:
http://www.skills-1st.co.uk/papers/ldap-schema-design-feb-2005/index.html
Andrew
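A small checker, added here as an illustration and not taken from this thread or from the Schema Design paper, that parses the MUST/MAY lists of an objectClass definition and reports which mandatory attributes an LDIF entry lacks. The groupOfNames definition is the standard one from RFC 4519; the 'flexibleGroup' class and its OID are invented placeholders that show the MAY alternative.

```python
import re

# Standard groupOfNames definition from RFC 4519: 'member' sits in the MUST list,
# so the directory server rejects a group entry that has no members.
GROUP_OF_NAMES = ("( 2.5.6.9 NAME 'groupOfNames' SUP top STRUCTURAL "
                  "MUST ( member $ cn ) "
                  "MAY ( businessCategory $ seeAlso $ owner $ ou $ o $ description ) )")

# Invented alternative (placeholder OID under a private arc, not a real class):
# 'member' moved to MAY, so an empty group is a valid entry.
FLEXIBLE_GROUP = ("( 1.3.6.1.4.1.99999.1.1 NAME 'flexibleGroup' SUP top STRUCTURAL "
                  "MUST ( cn ) MAY ( member $ description ) )")

def parse_objectclass(defn):
    """Return (name, must, may) from an RFC 4512 style objectClass definition.
    Attributes inherited from SUP classes are ignored for brevity."""
    name = re.search(r"NAME\s+'([^']+)'", defn).group(1)

    def attrs(keyword):
        m = re.search(keyword + r"\s+\(\s*([^)]*)\)", defn)   # MUST ( a $ b )
        if m:
            return [a.strip() for a in m.group(1).split("$") if a.strip()]
        m = re.search(keyword + r"\s+(\w+)", defn)            # MUST a
        return [m.group(1)] if m else []

    return name, attrs("MUST"), attrs("MAY")

def parse_ldif(text):
    """Parse a single LDIF entry into {lowercased attribute: [values]}."""
    entry = {}
    for line in text.strip().splitlines():
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entry

def missing_must(defn, ldif_text):
    """Names of the objectClass's MUST attributes that the entry does not carry."""
    _, must, _ = parse_objectclass(defn)
    entry = parse_ldif(ldif_text)
    return [a for a in must if a.lower() not in entry]

# Constructed sample entries for a group that has no members yet.
EMPTY_GROUP = """dn: cn=admins,ou=groups,dc=example,dc=com
objectClass: top
objectClass: groupOfNames
cn: admins
"""
EMPTY_FLEXIBLE_GROUP = EMPTY_GROUP.replace("groupOfNames", "flexibleGroup")
```

Running `missing_must(GROUP_OF_NAMES, EMPTY_GROUP)` reports `['member']`, which is exactly the gap that drives the dummy-member workaround mentioned above; the same entry under `FLEXIBLE_GROUP` reports nothing missing.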