OpenLDAP Software FAQ: How do I control the use of auxiliary object classes?
It is easy to control the list of attributes that a user can add to an entry using access directives, but if you give them the ability to modify the objectClass attribute or to create new entries, it is much harder to restrict which object classes they can use.
The solution to the problem is to use DIT Content Rules. These were introduced by X.500(1993) and have been supported by OpenLDAP since version 2.1.6. See section 4.1.6 of RFC4512 for the full definition.
Each DIT Content Rule applies to a single structural objectclass (identified by OID). It does not apply to superclasses or subclasses of the class identified in the rule.
A DIT Content Rule modifies the schema in any or all of these ways:
If a DIT Content Rule exists for a particular structural class then entries belonging to that class may only belong to auxiliary classes listed in the rule. This allows us to control the content of entries based on the structural class.
Here is an example of a rule that applies to inetOrgPerson (2.16.840.1.113730.3.2.2) and permits only the uidObject auxiliary class:
ditcontentrule ( 2.16.840.1.113730.3.2.2 NAME 'dcrPerson' DESC 'inetOrgPerson entries may only be members of the uidObject aux class' AUX 1.3.6.1.1.3.1 )
Note that as DIT Content Rules are part of the schema, even the rootdn is bound by them in normal operation.
Note also that as OpenLDAP does not yet support different schema for specific subtrees, any DIT Content Rule will apply to all matching entries in all databases.
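As an added illustration (not part of this FAQ entry or of OpenLDAP's own code), the following Python models the check slapd makes under the dcrPerson rule above: it parses the rule, works out an entry's structural class from its objectClass values, and rejects auxiliary classes the rule does not list. The mini-schema table and the sample entries are constructed for the example and are not slapd's schema.

```python
import re

# Constructed mini-schema: name -> (OID, kind, superior). Real OIDs, but only
# the handful of classes this example needs.
SCHEMA = {
    "top":                  ("2.5.6.0", "ABSTRACT", None),
    "person":               ("2.5.6.6", "STRUCTURAL", "top"),
    "organizationalPerson": ("2.5.6.7", "STRUCTURAL", "person"),
    "inetOrgPerson":        ("2.16.840.1.113730.3.2.2", "STRUCTURAL", "organizationalPerson"),
    "uidObject":            ("1.3.6.1.1.3.1", "AUXILIARY", "top"),
    "posixAccount":         ("1.3.6.1.1.1.2.0", "AUXILIARY", "top"),
}
BY_OID = {oid: name for name, (oid, _, _) in SCHEMA.items()}

# The rule from the FAQ. Per RFC 4512 4.1.6 a rule's OID is that of the
# structural class it governs, which is how slapd matches rule to entry.
DCR_PERSON = ("( 2.16.840.1.113730.3.2.2 NAME 'dcrPerson' DESC 'inetOrgPerson entries "
              "may only be members of the uidObject aux class' AUX 1.3.6.1.1.3.1 )")

def parse_rule(text):
    """Return (structural class name, set of auxiliary class names allowed by AUX)."""
    oid = re.match(r"\(\s*([\d.]+)", text).group(1)
    aux = re.search(r"\bAUX\s+(\([^)]*\)|[\d.]+)", text)
    aux_oids = re.findall(r"[\d.]+", aux.group(1)) if aux else []
    return BY_OID[oid], {BY_OID[o] for o in aux_oids}

def structural_class(object_classes):
    """The entry's structural class: the listed structural class that no other
    listed structural class derives from (None if that is ambiguous)."""
    structural = [c for c in object_classes if SCHEMA[c][1] == "STRUCTURAL"]
    supers = set()
    for c in structural:
        sup = SCHEMA[c][2]
        while sup is not None:
            supers.add(sup)
            sup = SCHEMA[sup][2]
    leaves = [c for c in structural if c not in supers]
    return leaves[0] if len(leaves) == 1 else None

def check_entry(rule_text, object_classes):
    """Apply the rule: it binds only entries whose structural class is the rule's
    class (not its super- or subclasses); those may carry only the AUX classes."""
    rule_class, allowed_aux = parse_rule(rule_text)
    if structural_class(object_classes) != rule_class:
        return True, "rule does not apply"
    aux = {c for c in object_classes if SCHEMA[c][1] == "AUXILIARY"}
    bad = sorted(aux - allowed_aux)
    if bad:
        return False, "auxiliary class not permitted by dcrPerson: " + ", ".join(bad)
    return True, "ok"
```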