
Re: ITS#4556 ditStructureRules

On Feb 7, 2007, at 11:22 PM, hyc@symas.com wrote:

> I've often thought about adding support here, but it looks like an
> all-or-nothing proposition. I.e., when you have a server that uses
> ditStructureRules, you must actually define a full set of rules otherwise you
> cannot add any user entries to the directory at all. This would be a pretty
> drastic change for people accustomed to the current behavior, where you can
> put any entry you like anywhere you like. Beginners have a hard enough time
> just getting their first two entries into the directory; requiring the use of
> ditStructureRules would seem to just make a bad situation worse.

It may be possible to do something similar to what was done for
ditContentRules, which are also all or none in X.500 (no rules defined
means no use of aux objectclasses in X.500). In OpenLDAP, no rules
means any use of auxiliary classes is okay. But if you add a rule, any
rule, then these defined rules must be followed.

-- Kurt

> Possibly we could make it a configurable option - enable them with a
> per-database setting, defaulting to off to preserve the current behavior.
> Fully aligning with X.500 practices would have to wait for a new generation
> of server. E.g., we currently support the use of subdatabases using
> subordinate/glue. These provide some of the notion of X.500 Administrative
> Areas, except their definitions reside in the cn=config tree, not as
> subentries of the main DIT. Providing full subentry-based administration
> would be a major change in how the server is operated and how the DIT is
> administered. Something for OpenLDAP 3.0.
> -- 
>    -- Howard Chu
>    Chief Architect, Symas Corp.  http://www.symas.com
>    Director, Highland Sun        http://highlandsun.com/hyc
>    Chief Architect, OpenLDAP     http://www.openldap.org/project/
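
The ditContentRules behaviour contrasted in this message (no rules means no auxiliary classes in X.500, any auxiliary class in OpenLDAP, and defined rules are enforced once present), as an added Python example that is not OpenLDAP code and not from the thread. It assumes a rule is looked up by the entry's structural object class, as RFC 4512 defines DIT content rules; `ContentRule`, `index_rules`, `aux_violations` and the sample data are hypothetical names constructed for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class ContentRule:
    structural: str                                    # structural class the rule governs
    aux: frozenset = field(default_factory=frozenset)  # auxiliary classes it permits


def index_rules(rules):
    """Key rules by lower-cased structural class name (names are case-insensitive)."""
    return {r.structural.lower(): r for r in rules}


def aux_violations(structural, aux_classes, rules, strict_x500=False):
    """Return the auxiliary classes an entry may not carry, sorted and lower-cased.

    strict_x500=False: lenient mode from the message; with no governing
    rule, any auxiliary class is accepted.
    strict_x500=True: X.500 mode from the message; with no governing rule,
    no auxiliary class is accepted.
    Assumption: the governing rule is the one for the entry's structural class.
    """
    wanted = {c.lower() for c in aux_classes}
    rule = rules.get(structural.lower())
    if rule is None:
        return sorted(wanted) if strict_x500 else []
    allowed = {c.lower() for c in rule.aux}
    # Once a rule exists, both modes enforce it.
    return sorted(wanted - allowed)


# Constructed sample data: one entry's auxiliary classes and two schema states.
NO_RULES = index_rules([])
ONE_RULE = index_rules([ContentRule("inetOrgPerson", frozenset({"posixAccount"}))])
ENTRY_AUX = ["posixAccount", "shadowAccount"]

if __name__ == "__main__":
    for label, rules in (("no rules", NO_RULES), ("one rule", ONE_RULE)):
        for strict in (False, True):
            bad = aux_violations("inetOrgPerson", ENTRY_AUX, rules, strict)
            print(f"{label:9} strict_x500={strict!s:5} rejected={bad}")
```

The two modes differ only while the schema holds no governing rule, which is why adding the first rule is the point at which previously accepted entries can start failing schema checks.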