4

Having used openldap and now getting to know MS active directory (AD), I realize that in AD there is an attribute called "systemPossSuperiors", which defines which objects are allowed as parent objects. Afaik this is not present in openldap. (How is it decided which objects are allowed as parents in openldap?)

Can anyone shed some light on this design decision? Does having systemPossSuperiors make AD more robust? Or more flexible? I am just curious about why one would choose to do it this or the other way.

Greg Askew
Isaac
  • Can you let us know what technical problem you're facing that you're trying to solve? If you're asking "why was this designed this way", I'm not sure this is the correct site to answer that question. – mfinni Aug 14 '13 at 14:03
  • It is not a technical problem, I am asking purely out of curiosity. If you could suggest a better site, I would be grateful. – Isaac Aug 14 '13 at 14:07
  • I don't know of a better site; please read the "Help" link at the top for the reasons that this site isn't the right place. Specifically, "http://serverfault.com/help/dont-ask" : "You should only ask practical, answerable questions based on actual problems that you face. Chatty, open-ended questions diminish the usefulness of our site and push other questions off the front page." – mfinni Aug 14 '13 at 14:36

1 Answer

4

This is a constraint. Some object relationships are only appropriate with other objects of a specific type.

Consider the printQueue class:

systemPossSuperiors: organizationalUnit, domainDNS, container, computer  

A printer can be a child object of a computer, but there isn't any use for it as a child of a user or contact object. Printers are devices that are typically connected to some other physical device or associated with a container or location.

Greg Askew
  • I see. On the other hand, since these kinds of logical/organizational facts should naturally lead to these associations, I don't see why there is a need for a constraint. Moreover, if I really need something beyond the constraint, I can modify the schema, and off I go with my special association of objects. Wouldn't it be easier to just dump systemPossSuperiors, and let admins have less work? Or is it part of a (hypothetical) philosophy of MS to "guide" admins with something they consider to be best practises, but still give them freedom to do what they want? – Isaac Aug 15 '13 at 06:02
  • 2
    The point of constraints is to prevent someone from inadvertently creating relationships that are invalid. If that is of no value to you, ignore it. – Greg Askew Aug 15 '13 at 12:03
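
The containment check described in the answer, as an added example that is not part of the original answer or comments: it models how the allowed parents of a class are the union of `systemPossSuperiors` and the admin-editable `possSuperiors`, inherited by subclasses, and flags entries that sit under a disallowed parent. The class `examplePrintQueue`, the sample DNs and the function names are constructed for illustration; omitting printQueue's superclass chain and matching the parent by exact class name are simplifying assumptions.

```python
# Constructed, simplified schema model. Only printQueue's systemPossSuperiors
# values come from the answer; examplePrintQueue is a hypothetical custom class.
SCHEMA = {
    "printQueue": {
        "subClassOf": None,  # real superclass chain omitted in this model
        "systemPossSuperiors": ["organizationalUnit", "domainDNS",
                                "container", "computer"],
        "possSuperiors": [],
    },
    "examplePrintQueue": {
        "subClassOf": "printQueue",
        "systemPossSuperiors": [],
        "possSuperiors": ["user"],  # admin-added schema extension
    },
}


def effective_superiors(schema, cls):
    """Union of both attributes over cls and every class it inherits from."""
    allowed, seen = set(), set()
    while cls is not None:
        if cls in seen:
            raise ValueError(f"subClassOf loop at {cls!r}")
        if cls not in schema:
            raise ValueError(f"class {cls!r} is not in the schema model")
        seen.add(cls)
        entry = schema[cls]
        allowed.update(entry["systemPossSuperiors"], entry["possSuperiors"])
        cls = entry["subClassOf"]
    return allowed


def can_create(schema, child_cls, parent_cls):
    """Assumption: the parent is matched by its exact class name."""
    return parent_cls in effective_superiors(schema, child_cls)


def misplaced(schema, entries):
    """Return the DNs whose parent class is not an allowed superior."""
    return [dn for dn, cls, parent_cls in entries
            if not can_create(schema, cls, parent_cls)]


# Constructed sample entries: (DN, object class, class of the parent object).
ENTRIES = [
    ("CN=HP-4F,CN=PRINTSRV01,OU=Servers,DC=example,DC=com", "printQueue", "computer"),
    ("CN=HP-4F,CN=Alice,OU=Staff,DC=example,DC=com", "printQueue", "user"),
    ("CN=Desk-1,CN=Alice,OU=Staff,DC=example,DC=com", "examplePrintQueue", "user"),
]
```

Only the second entry is reported: a plain printQueue under a user object is rejected, while the hypothetical subclass is accepted there because its own `possSuperiors` adds `user` to the inherited set.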