[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: restricting attributes to become RDN , which objects are created

Pierangelo Masarati wrote:
Why do you let users create their own objects?

Letting authorized users create objects is a legitimate policy. Restricting the form of a RDN by means of ACL is the only way an
administrator can enforce well-behaved entry creation by those users.

More generally, just for data consistency (as opposed to authorization concerns) this is what X.500 DIT Structure Rules and Nameforms are for. Neither of these are currently supported in OpenLDAP, although there are plans to implement them in the future.

For example, if you want that entries whose parent is "ou=People" can only use "uid" as the naming attribute, you can add a rule like [*]

access to dn="ou=People" attrs=children
    by users =w

access to dn.regex="^uid=[^,]+,ou=People$" attrs=entry
    by users =w


[*] this set of rules is far from complete, so please don't just use it as
is and complain because nothing works.

-- -- Howard Chu Chief Architect, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/