Why do you let users create their own objects?
Letting authorized users create objects is a legitimate policy. Restricting the form of an RDN by means of ACL is the only way an
administrator can enforce well-behaved entry creation by those users.
For example, if you want entries whose parent is "ou=People" to be able to use only "uid" as the naming attribute, you can add a rule like [*]

    access to dn="ou=People" attrs=children by users =w
    access to dn.regex="^uid=[^,]+,ou=People$" attrs=entry by users =w

p.
[*] this set of rules is far from complete, so please don't just use it as is and complain because nothing works.
--
Howard Chu
Chief Architect, Symas Corp.       http://www.symas.com
Director, Highland Sun             http://highlandsun.com/hyc/
Chief Architect, OpenLDAP          http://www.openldap.org/project/
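The two rules quoted above are, as the footnote says, only a fragment. The following slapd.conf access directives are an added example (not from the original post or the OpenLDAP project) of a more complete set built on the same idea. It assumes a constructed suffix of dc=example,dc=com and relies on the slapd.access(5) rule that an add requires write access to the "children" pseudo-attribute of the parent, to the "entry" pseudo-attribute of the new entry, and to every attribute being added; ordering matters because slapd uses the first "access to" clause whose target matches.

```conf
# Added example, constructed for illustration; suffix dc=example,dc=com is assumed.
# Goal: under ou=People, authenticated users may add entries, but only with a
# uid=... RDN.  An add with any other naming attribute is refused because no
# rule grants write on the new entry's "entry" pseudo-attribute.

# 1. Adding (or deleting) a child of ou=People needs write on the parent's
#    "children" pseudo-attribute.  "=w" grants exactly write, nothing else.
access to dn.base="ou=People,dc=example,dc=com" attrs=children
    by users =w
    by * none

# 2. The new entry itself: write on "entry" only when the RDN is uid=...
#    dn.regex matches the normalized DN, so anchor both ends.
access to dn.regex="^uid=[^,]+,ou=People,dc=example,dc=com$" attrs=entry
    by users =w
    by * read

# 3. Any other RDN form directly below ou=People (cn=..., mail=..., ...):
#    nobody gets write on "entry", so the add fails with insufficient access.
#    This rule must follow rule 2, since slapd stops at the first matching "to".
access to dn.onelevel="ou=People,dc=example,dc=com" attrs=entry
    by * read

# 4. Attributes being added also need write.  Keep userPassword tight:
#    the owner may set it, anonymous binds may only authenticate against it.
access to dn.onelevel="ou=People,dc=example,dc=com" attrs=userPassword
    by self =w
    by anonymous auth
    by * none

# 5. Remaining attributes of entries under ou=People.
access to dn.onelevel="ou=People,dc=example,dc=com"
    by users =w
    by * read

# 6. Everything else is read-only.
access to *
    by * read
```

You can check the effect offline with slapacl(8) before deploying, for example "slapacl -f slapd.conf -D uid=alice,ou=People,dc=example,dc=com -b cn=bob,ou=People,dc=example,dc=com entry/write" should report that write is denied, while the same query with -b uid=bob,ou=People,dc=example,dc=com should report it allowed (DNs here are constructed). Note that rule 1 and rule 2 together also let any authenticated user delete or rename uid entries they do not own, since delete and modrdn use the same "children" and "entry" checks; narrow the "by" clauses (for instance "by self =w" on "entry") if that is not the intended policy.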