[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: ACL for DIT structure rules

To: Andrew Findlay <andrew.findlay@skills-1st.co.uk>
Subject: Re: ACL for DIT structure rules
From: Michael Ströder <michael@stroeder.com>
Date: Fri, 12 Dec 2008 11:57:37 +0100
Cc: openldap-technical@openldap.org
In-reply-to: <20081205125613.GB15879@tile.skills-1st.co.uk>
References: <49345468.6040007@gmail.com> <20081202153027.GL7078@tile.skills-1st.co.uk> <20081205123736.GA15879@tile.skills-1st.co.uk> <20081205125613.GB15879@tile.skills-1st.co.uk>
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.19) Gecko/20081204 SeaMonkey/1.1.14

Andrew Findlay wrote:
> I should also point out that while the rules above do force every
> new entry to have objectClass=inetOrgPerson they do not prevent other
> auxiliary objectclasses from being added to the entry.

Limiting the AUXILIARY object classes could be covered by DIT content
rules which are supported by OpenLDAP. Well, not exactly, since DIT
content rules apply to the whole DIT of a single slapd instance since
OpenLDAP does not have the capability of defining separate subschema
subentries for subtrees (leaving proxy configurations aside).

Andrew, I think this would be a nice recipe for the FAQ-O-MATIC. Do you
have some spare time to add an article in section "Access Control"?
(see http://www.openldap.org/faq/data/cache/189.html)

Ciao, Michael.

Follow-Ups:
- Re: ACL for DIT structure rules
  - From: Andrew Findlay <andrew.findlay@skills-1st.co.uk>

References:
- ACL for DIT structure rules
  - From: Mansour Al Akeel <mansour.alakeel@gmail.com>
- Re: ACL for DIT structure rules
  - From: Andrew Findlay <andrew.findlay@skills-1st.co.uk>
- Re: ACL for DIT structure rules
  - From: Andrew Findlay <andrew.findlay@skills-1st.co.uk>
- Re: ACL for DIT structure rules
  - From: Andrew Findlay <andrew.findlay@skills-1st.co.uk>

Prev by Date: Re: OpenLDAP replication
Next by Date: Re: ACL for DIT structure rules
Index(es):
- Chronological
- Thread