
Re: OpenLDAP support for DIT Structure Rules



Andrew Findlay wrote:
> On Tue, Jun 02, 2009 at 11:39:04AM -0400, James Lentini wrote:
>
>> An FSN is intended to be superior to its FSLs in a DIT. I was
>> considering including DIT Structure Rules in the draft as a way to
>> enforce this arrangement. However, I'm not inclined to do this if
>> popular LDAP implementations, such as OpenLDAP, don't support them.
>>
>> If there is a standard, well-supported mechanism for enforcing DIT
>> structure, I'd be interested to know about it.
>
> Standard - yes. Well supported - no. DIT Structure Rules along with
> DIT Content Rules are the "standard" way to do this, but hardly anyone
> implements them.

ApacheDS and OpenDS do now; we'll probably add them in OpenLDAP 2.5. It's a bit late to add to 2.4. Up till now, hardly anyone ever needed them.

> In fact very few LDAP servers can do what you describe by any means at
> all. OpenLDAP can do it, using a combination of ACLs and DIT Content
> Rules. Some of the other server products will partially enforce it
> using ACLs, but there are ways to subvert that.
>
> See section 10.2 of my paper on Access Control for some examples:
>
> 	http://www.skills-1st.co.uk/papers/ldap-acls-jan-2009/
>
> Andrew

--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
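The ACL-plus-DIT-Content-Rule approach Andrew refers to, written out as a constructed slapd.conf fragment added here for illustration. It is not from the thread, from Andrew's paper, or from the OpenLDAP project. The suffix dc=example,dc=com, the object classes fsnContainer and fsnLocation, the group cn=fsn-admins and the private OID arc 1.3.6.1.4.1.99999 are all assumptions made for the example.

```conf
# Constructed slapd.conf fragment (example only, not from the thread).
# Assumed layout: FSN entries are ou=<name>,ou=fsns,dc=example,dc=com
# (objectClass fsnContainer); FSL entries are cn=<name> directly beneath
# an FSN (objectClass fsnLocation). OIDs under 1.3.6.1.4.1.99999 and the
# group cn=fsn-admins are invented for this example.

objectclass ( 1.3.6.1.4.1.99999.2.1 NAME 'fsnContainer'
    DESC 'Example FSN entry (assumed class)'
    SUP top STRUCTURAL MUST ou MAY description )

objectclass ( 1.3.6.1.4.1.99999.2.2 NAME 'fsnLocation'
    DESC 'Example FSL entry (assumed class)'
    SUP top STRUCTURAL MUST cn MAY description )

# DIT Content Rule keyed on the structural class OID of fsnLocation.
# Listing no AUX classes means an fsnLocation entry may carry no
# auxiliary object classes at all. Without this rule a client could add
# an entry that is fsnLocation AND e.g. inetOrgPerson, pass the
# objectClass filter in the ACLs below, and store unrelated data under
# the FSN.
ditcontentrule ( 1.3.6.1.4.1.99999.2.2 NAME 'fsnLocationContent'
    DESC 'FSL entries may not carry auxiliary classes' )

# ACLs. Adding an entry needs write access to the parent's "children"
# pseudo-attribute and to the new entry's "entry" pseudo-attribute. The
# filter is evaluated against the entry being added, so the first
# matching clause decides which entries may appear beneath an FSN.
# Clause order matters: slapd uses the first <what> clause that matches.

# Only fsnLocation entries may be created directly beneath an FSN.
access to dn.regex="^cn=[^,]+,ou=[^,]+,ou=fsns,dc=example,dc=com$"
        filter="(objectClass=fsnLocation)"
        attrs=entry
    by group.exact="cn=fsn-admins,dc=example,dc=com" write
    by * read

# Any other entry directly beneath an FSN (wrong RDN or wrong
# objectClass) gets read-only "entry" access, so the add is refused
# even for an administrator.
access to dn.regex="^[^,]+,ou=[^,]+,ou=fsns,dc=example,dc=com$"
        attrs=entry
    by * read

# Administrators may add children beneath FSN entries.
access to dn.regex="^ou=[^,]+,ou=fsns,dc=example,dc=com$"
        filter="(objectClass=fsnContainer)"
        attrs=children
    by group.exact="cn=fsn-admins,dc=example,dc=com" write
    by * read

# Ordinary attributes in the subtree: administrators write, others read.
# This must stay last, since a dn.subtree clause would otherwise shadow
# the more specific clauses above.
access to dn.subtree="ou=fsns,dc=example,dc=com"
    by group.exact="cn=fsn-admins,dc=example,dc=com" write
    by * read
```

The two mechanisms cover different things: the ACLs control where an entry of a given class may be placed, and the content rule controls what an entry of that class may contain, which is what closes the "add an extra objectClass" loophole that a filter-only ACL leaves open. Neither replaces a DIT Structure Rule, which would bind the FSL name form to the FSN superior directly; this is the workaround available while structure rules are not implemented.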