Overlay for applying business logic filters to LDAP modifies/deletes

To: "openldap-technical@openldap.org" <openldap-technical@openldap.org>

Subject: Overlay for applying business logic filters to LDAP modifies/deletes

From: "Bannister, Mark" <Mark.Bannister@morganstanley.com>

Date: Wed, 24 Jun 2015 22:27:58 +0000

Accept-language: en-GB, en-US

Content-language: en-US

Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=morganstanley.com; s=p20130710; t=1435184881; x=1436394481; bh=QMTZl6gNgsNroDM++i5To1/GfdVjl5syYR8uaQRT1/g=; h=From:To:Subject:Date:Message-ID:Content-Type:MIME-Version; b=iPLjczF3cJSrN8bDPRVjBlZL/G2WhuGxxQFthKKokajlCisFiAJJ6CwLQCct0zDXa KHCRLqcjzX9MJcqZ/oRX95NEjGWbyKACljlUNno9IfbhGsUcE62joJ3JiI+8hSXy13 NXFwDNwfEq9KK7Rr1ymwgq8+j89ylg1ivb3kWEDE=

Thread-index: AdCuzQPPRgoZUYyjTqu6mp0SYk0msQ==

Thread-topic: Overlay for applying business logic filters to LDAP modifies/deletes

Hi,

I’m setting up a new OpenLDAP infrastructure on Solaris, where the directory will be critical and we need to keep a tight control on the changes made to it. The changes will come from an external feed, and as an extra safety measure to protect against software bugs that could otherwise cripple our infrastructure, we would like to put an overlay into the directory server that will make sure that the changes being made to the directory do not break some basic business rules we are defining.

The rules will be along these lines:

- Do not allow more than 10% of entries underneath a given DIT to be modified in less than a 24 hour period

- Entries underneath a given DIT must have a specified list of object classes and attributes defined

- Do not permit modrdn under a given DIT

- Attribute values match a particular defined set of REs (I can do this with the constraint overlay)

- Some critical entries cannot be modified or removed (I can do this with access control lists)

- Some attributes not used in the DN must be unique (I can do this with the unique overlay)

So I’m ok with the last three, but any suggestions for the first three? Has anyone else implemented similar overlays already?

Thanks & regards,

Mark Bannister.

NOTICE: Morgan Stanley is not acting as a municipal advisor and the opinions or views contained herein are not intended to be, and do not constitute, advice within the meaning of Section 975 of the Dodd-Frank Wall Street Reform and Consumer Protection Act. If you have received this communication in error, please destroy all electronic and paper copies; do not disclose, use or act upon the information; and notify the sender immediately. Mistransmission is not intended to waive confidentiality or privilege. Morgan Stanley reserves the right, to the extent permitted under applicable law, to monitor electronic communications. This message is subject to terms available at the following link: http://www.morganstanley.com/disclaimers If you cannot access these links, please notify us by reply message and we will send the contents to you. By messaging with Morgan Stanley you consent to the foregoing.