
RE: restricting attributes to become RDN, which objects are created



> Why do you let users create their own objects?

Letting authorized users create objects is a legitimate policy.
Restricting the form of an RDN by means of ACL is the only way an
administrator can enforce well-behaved entry creation by those users.

For example, if you want entries whose parent is "ou=People" to be able to
use only "uid" as the naming attribute, you can add a rule like [*]

access to dn="ou=People" attrs=children
    by users =w

access to dn.regex="^uid=[^,]+,ou=People$" attrs=entry
    by users =w

p.

[*] this set of rules is far from complete, so please don't just use it as
is and complain because nothing works.




Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
---------------------------------------
Office:  +39 02 23998309
Mobile:  +39 333 4963172
Email:   pierangelo.masarati@sys-net.it
---------------------------------------
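Added illustration, not part of the original post: a toy evaluator of the two ACL clauses above, showing why an add of "uid=alice,ou=People" passes while "cn=alice,ou=People" or "uid=alice,ou=Other" does not. It assumes that an add needs =w on the parent's "children" pseudo-attribute and on the new entry's "entry" pseudo-attribute, treats dn="ou=People" as an exact match, and ignores DN escaping; consult slapd.access(5) for the real semantics.

```python
import re

# Clause 1: access to dn="ou=People" attrs=children  by users =w
# (modelled here as an exact match on the parent DN; simplifying assumption)
CHILDREN_PARENT = "ou=People"

# Clause 2: access to dn.regex="^uid=[^,]+,ou=People$" attrs=entry  by users =w
ENTRY_PATTERN = re.compile(r"^uid=[^,]+,ou=People$")


def parent_dn(dn: str) -> str:
    """Parent of a DN; assumes no escaped commas inside RDN values (toy)."""
    return dn.split(",", 1)[1] if "," in dn else ""


def check_add(new_dn: str) -> tuple[bool, str]:
    """Return (allowed, reason) for an add of new_dn by an authenticated user.

    Both pseudo-attributes must be writable: the parent's "children" and the
    new entry's own "entry". Either clause failing denies the operation.
    """
    if parent_dn(new_dn) != CHILDREN_PARENT:
        return False, "no =w on children of parent %r" % parent_dn(new_dn)
    if ENTRY_PATTERN.match(new_dn) is None:
        return False, "no =w on entry: RDN must be a single uid= component"
    return True, "allowed"


def can_add(new_dn: str) -> bool:
    return check_add(new_dn)[0]


if __name__ == "__main__":
    # Constructed sample DNs to exercise the two clauses.
    for dn in ("uid=alice,ou=People",   # allowed
               "cn=alice,ou=People",    # wrong naming attribute
               "uid=alice,ou=Other",    # wrong parent
               "uid=a,uid=b,ou=People"):  # nested under a uid entry
        print("%-24s -> %s" % (dn, check_add(dn)[1]))
```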