Re: restricting attributes to become RDN, which objects are created
Pierangelo Masarati wrote:
> Why do you let users create their own objects?
Letting authorized users create objects is a legitimate policy.
Restricting the form of an RDN by means of ACL is the only way an
administrator can enforce well-behaved entry creation by those users.
More generally, just for data consistency (as opposed to authorization
concerns) this is what X.500 DIT Structure Rules and Nameforms are for.
Neither of these are currently supported in OpenLDAP, although there are plans
to implement them in the future.
For example, if you want entries whose parent is "ou=People" to use only
"uid" as the naming attribute, you can add rules like [*]
access to dn="ou=People" attrs=children
by users =w
access to dn.regex="^uid=[^,]+,ou=People$" attrs=entry
by users =w
[*] this set of rules is far from complete, so please don't just use it as
is and complain because nothing works.
-- Howard Chu
Chief Architect, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
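An added illustration, not part of the message above or of OpenLDAP's code: a small Python model of how the two quoted ACL clauses combine for an add operation, assuming (as slapd does) that an add needs write access to the parent's `children` pseudo-attribute and to the new entry's own `entry` pseudo-attribute. The DNs are constructed; the model also surfaces two cases the quoted rules leave open, which the footnote alludes to.

```python
import re

# Constructed model of the two slapd ACL clauses from the message. Real slapd
# normalizes DNs and consults many more rules; this only shows how these two
# clauses decide an add by an authenticated user.
ACLS = [
    # access to dn="ou=People" attrs=children  by users =w
    {"dn": "ou=People", "regex": False, "attr": "children"},
    # access to dn.regex="^uid=[^,]+,ou=People$" attrs=entry  by users =w
    {"dn": r"^uid=[^,]+,ou=People$", "regex": True, "attr": "entry"},
]


def rule_matches(rule, dn, attr):
    """True if a clause applies to this (dn, attr) pair."""
    if rule["attr"] != attr:
        return False
    if rule["regex"]:
        return re.search(rule["dn"], dn) is not None
    return rule["dn"] == dn


def users_can_write(dn, attr):
    """True if some clause grants 'by users =w' on (dn, attr)."""
    return any(rule_matches(r, dn, attr) for r in ACLS)


def parent_of(dn):
    """Strip the leading RDN; assumes no escaped commas in RDN values."""
    return dn.split(",", 1)[1] if "," in dn else ""


def can_add(dn):
    """An add is permitted only if both pseudo-attributes are writable:
    'children' on the parent and 'entry' on the new entry itself."""
    return (users_can_write(parent_of(dn), "children")
            and users_can_write(dn, "entry"))


if __name__ == "__main__":
    for candidate in ("uid=jdoe,ou=People",          # conforming RDN
                      "cn=jdoe,ou=People",           # wrong naming attribute
                      "uid=jdoe,ou=Other",           # wrong parent
                      "uid=jdoe+cn=Jane,ou=People",  # multi-valued RDN slips through
                      "uid=jdoe,ou=People,dc=example,dc=com"):  # suffix not covered
        print(f"{candidate:45} add allowed: {can_add(candidate)}")
```

The last two candidates show why the message calls the rule set incomplete: a multi-valued RDN containing `uid` still matches `[^,]+`, and the regex as written only fits a tree where `ou=People` is itself the naming context.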