Re: ACL for DIT structure rules



On Fri, Dec 12, 2008 at 11:57:37AM +0100, Michael Ströder wrote:

> > I should also point out that while the rules above do force every
> > new entry to have objectClass=inetOrgPerson they do not prevent other
> > auxiliary objectclasses from being added to the entry.
> 
> Limiting the AUXILIARY object classes could be covered by DIT content
> rules which are supported by OpenLDAP.

Good point. I suspect these are not used much as people are not aware
of the possibilities.

> Well, not exactly, since DIT
> content rules apply to the whole DIT of a single slapd instance since
> OpenLDAP does not have the capability of defining separate subschema
> subentries for subtrees (leaving proxy configurations aside).

True, but there are still cases where a global content rule could be
useful. Some care may be needed to avoid confusing schema-aware user
interfaces though...

> Andrew, I think this would be a nice recipe for the FAQ-O-MATIC. Do you
> have some spare time to add an article in section "Access Control"?
> (see http://www.openldap.org/faq/data/cache/189.html)

As it happens, I am working on a paper on ACL design so I may well be
able to generate a suitable FAQ entry along the way.

Andrew
-- 
-----------------------------------------------------------------------
|                 From Andrew Findlay, Skills 1st Ltd                 |
| Consultant in large-scale systems, networks, and directory services |
|     http://www.skills-1st.co.uk/                +44 1628 782565     |
-----------------------------------------------------------------------
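Added example (not part of the original message, and not OpenLDAP's own code): a small Python model of the check a DIT content rule expresses, for the case Michael raises above, namely limiting which AUXILIARY object classes may sit on an inetOrgPerson entry. In slapd the rule itself is given as an RFC 4512 DITContentRuleDescription, via the slapd.conf ditcontentrule directive or the olcDitContentRules attribute in cn=config; the string RULE below is written in that syntax, keyed on the real inetOrgPerson OID (2.16.840.1.113730.3.2.2). The schema subset SCHEMA (abridged MUST/MAY lists), the parse_dit_content_rule and validate functions, and the sample entries are all constructed for this example.

```python
"""Toy validator for RFC 4512 DIT content rules, modelled on the checks
slapd makes on add/modify.  The schema subset, the rule and the entries
are constructed for this example; this is not OpenLDAP code."""
import re

# Constructed schema subset: name -> (kind, superior, MUST, MAY).
# Class OIDs are real; the attribute lists are abridged for brevity.
SCHEMA = {
    "top":                      ("ABSTRACT",   None, {"objectClass"}, set()),
    "person":                   ("STRUCTURAL", "top", {"sn", "cn"}, {"userPassword", "description"}),
    "organizationalPerson":     ("STRUCTURAL", "person", set(), {"title", "ou"}),
    "inetOrgPerson":            ("STRUCTURAL", "organizationalPerson", set(),
                                 {"mail", "uid", "userSMIMECertificate"}),
    "posixAccount":             ("AUXILIARY",  "top",
                                 {"cn", "uid", "uidNumber", "gidNumber", "homeDirectory"},
                                 {"loginShell", "gecos"}),
    "shadowAccount":            ("AUXILIARY",  "top", {"uid"}, {"shadowLastChange"}),
    "strongAuthenticationUser": ("AUXILIARY",  "top", {"userCertificate"}, set()),
}
OIDS = {"inetOrgPerson": "2.16.840.1.113730.3.2.2"}

# The content rule in RFC 4512 syntax (what you would put after the
# slapd.conf "ditcontentrule" directive).  Only posixAccount and
# shadowAccount may be added as auxiliary classes; userSMIMECertificate
# is precluded even though inetOrgPerson lists it as MAY.
RULE = ("( 2.16.840.1.113730.3.2.2 NAME 'inetOrgPersonContent' "
        "AUX ( posixAccount $ shadowAccount ) NOT userSMIMECertificate )")


def parse_dit_content_rule(text):
    """Extract the structural-class OID and the AUX/MUST/MAY/NOT lists
    from a DITContentRuleDescription (simplified parser)."""
    body = text.strip()
    if not (body.startswith("(") and body.endswith(")")):
        raise ValueError("rule must be parenthesised")
    oid, rest = body[1:-1].strip().split(None, 1)
    rule = {"oid": oid, "AUX": set(), "MUST": set(), "MAY": set(), "NOT": set()}
    for kw in ("AUX", "MUST", "MAY", "NOT"):
        # Value is either a single descriptor or "( a $ b $ c )".
        m = re.search(r"\b%s\s+(\(\s*[^)]*\)|\S+)" % kw, rest)
        if m:
            val = m.group(1).strip("() ")
            rule[kw] = {t.strip() for t in val.split("$") if t.strip()}
    return rule


def superclass_chain(name):
    chain = []
    while name:
        chain.append(name)
        name = SCHEMA[name][1]
    return chain


def structural_class(object_classes):
    """The entry's structural class is the most subordinate STRUCTURAL
    class listed, i.e. the one that is not a superior of another."""
    structural = [c for c in object_classes if SCHEMA[c][0] == "STRUCTURAL"]
    leaves = [c for c in structural
              if not any(c in superclass_chain(o)[1:] for o in structural)]
    if len(leaves) != 1:
        raise ValueError("expected one structural class chain, got %r" % leaves)
    return leaves[0]


def validate(entry, rule):
    """Return the list of content-rule violations for entry (empty = OK)."""
    classes = set(entry["objectClass"])
    sc = structural_class(classes)
    if OIDS.get(sc) != rule["oid"]:
        return ["rule %s does not govern structural class %s" % (rule["oid"], sc)]
    problems = []
    # 1. Only the auxiliary classes named in AUX may be present.
    for c in sorted(classes):
        if SCHEMA[c][0] == "AUXILIARY" and c not in rule["AUX"]:
            problems.append("auxiliary class %s not permitted by content rule" % c)
    # 2. Attribute sets: class MUST/MAY plus the rule's MUST/MAY, minus NOT.
    required, optional = set(rule["MUST"]), set(rule["MAY"])
    for c in classes:
        required |= SCHEMA[c][2]
        optional |= SCHEMA[c][3]
    present = set(entry)
    for a in sorted(rule["NOT"] & present):
        problems.append("attribute %s precluded by content rule" % a)
    for a in sorted(required - present):
        problems.append("required attribute %s missing" % a)
    for a in sorted(present - required - optional):
        problems.append("attribute %s not allowed" % a)
    return problems


# Constructed sample entries.
GOOD = {"objectClass": ["top", "person", "organizationalPerson", "inetOrgPerson", "posixAccount"],
        "cn": ["Jane Doe"], "sn": ["Doe"], "uid": ["jdoe"], "uidNumber": ["1001"],
        "gidNumber": ["100"], "homeDirectory": ["/home/jdoe"], "mail": ["jdoe@example.com"]}
BAD_AUX = dict(GOOD, objectClass=GOOD["objectClass"] + ["strongAuthenticationUser"],
               userCertificate=[b"..."])
BAD_NOT = dict(GOOD, userSMIMECertificate=[b"..."])

if __name__ == "__main__":
    rule = parse_dit_content_rule(RULE)
    for label, e in (("GOOD", GOOD), ("BAD_AUX", BAD_AUX), ("BAD_NOT", BAD_NOT)):
        print(label, validate(e, rule) or "ok")
```

The point to keep in mind, and the caveat Michael makes above, is that the rule is keyed on the structural object class and is global to the slapd instance: every inetOrgPerson in every suffix served by that slapd is governed by it, and an entry whose structural class has no content rule at all stays free to carry any auxiliary class, which is why the ACL on its own could not stop the extra classes being added.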