[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: OpenLDAP support for DIT Structure Rules

To: James Lentini <jlentini@netapp.com>
Subject: Re: OpenLDAP support for DIT Structure Rules
From: Andrew Findlay <andrew.findlay@skills-1st.co.uk>
Date: Tue, 2 Jun 2009 18:24:29 +0100
Cc: Michael Ströder <michael@stroeder.com>, openldap-technical@openldap.org
Content-disposition: inline
In-reply-to: <alpine.LFD.2.00.0906021125520.3892@jlentini-linux.nane.netapp.com>
References: <alpine.LFD.2.00.0906011246540.3892@jlentini-linux.nane.netapp.com> <4A2509B3.2090008@stroeder.com> <alpine.LFD.2.00.0906021125520.3892@jlentini-linux.nane.netapp.com>
User-agent: Mutt/1.5.17 (2007-11-01)

On Tue, Jun 02, 2009 at 11:39:04AM -0400, James Lentini wrote:

> An FSN is intended to be superior to its FSLs in a DIT. I was 
> considering including DIT Structure Rules in the draft as a way to 
> enforce this arrangement. However, I'm not inclined to do this if 
> popular LDAP implementations, such as OpenLDAP, don't support them.
> 
> If there is a standard, well supported mechanisms for enforcing DIT 
> structure, I'd be interested to know about it.

Standard - yes. Well supported - no. DIT Structure Rules along with
DIT Content Rules are the "standard" way to do this, but hardly anyone
implements them.

In fact very few LDAP servers can do what you describe by any means at
all. OpenLDAP can do it, using a combination of ACLs and DIT Content
Rules. Some of the other server products will partially enforce it
using ACLs, but there are ways to subvert that.

See section 10.2 of my paper on Access Control for some examples:

	http://www.skills-1st.co.uk/papers/ldap-acls-jan-2009/

Andrew
-- 
-----------------------------------------------------------------------
|                 From Andrew Findlay, Skills 1st Ltd                 |
| Consultant in large-scale systems, networks, and directory services |
|     http://www.skills-1st.co.uk/                +44 1628 782565     |
-----------------------------------------------------------------------

Follow-Ups:
- Re: OpenLDAP support for DIT Structure Rules
  - From: Howard Chu <hyc@symas.com>
- Re: OpenLDAP support for DIT Structure Rules
  - From: Michael Ströder <michael@stroeder.com>
- Re: OpenLDAP support for DIT Structure Rules
  - From: Terry Gardner <Terry.Gardner@Sun.COM>

References:
- OpenLDAP support for DIT Structure Rules
  - From: James Lentini <jlentini@netapp.com>
- Re: OpenLDAP support for DIT Structure Rules
  - From: Michael Ströder <michael@stroeder.com>
- Re: OpenLDAP support for DIT Structure Rules
  - From: James Lentini <jlentini@netapp.com>

Prev by Date: Adding a attribute of a new schema to an existing entry
Next by Date: Re: OpenLDAP support for DIT Structure Rules
Index(es):
- Chronological
- Thread