[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: ACL for DIT structure rules

Andrew Findlay wrote:
> I should also point out that while the rules above do force every
> new entry to have objectClass=inetOrgPerson they do not prevent other
> auxiliary objectclasses from being added to the entry.

Limiting the AUXILIARY object classes could be covered by DIT content
rules which are supported by OpenLDAP. Well, not exactly, since DIT
content rules apply to the whole DIT of a single slapd instance since
OpenLDAP does not have the capability of defining separate subschema
subentries for subtrees (leaving proxy configurations aside).

Andrew, I think this would be a nice recipe for the FAQ-O-MATIC. Do you
have some spare time to add an article in section "Access Control"?
(see http://www.openldap.org/faq/data/cache/189.html)

Ciao, Michael.