Re: schema design and schema restrictions

[Mansour Al Akeel <mansour.alakeel@gmail.com>]

Buchan Milne wrote:
> On Wednesday 26 November 2008 06:07:28 Mansour Al Akeel wrote:
>   
> > Hello all,
> > I an new to LDAP, and I have a need to migrate the existing system to
> > ldap as this will ease a bit the management for the new system
> > implementation. I need to authenticate users for a web site, and for the
> > internal system ( linux, windows stations .... etc). Now the available
> > account objectclass is structural
> >     
>
> Sou you shouldn't use it, but intead the hostObject auxiliary objectclass 
> provided in the ldapns.schema file shipped with pam_ldap.
>
> [...]
>
>   
> > This is in fact not only specific to this senario. I couldn't
> > find any docs about how to prevent objectClass domain to be added under
> > group !
> >     
>
> There are two interpretations of this statement, please be more clear about 
> this matter.
>
>   
Ok, let's say I have an entery MyBusiness with objectClass Organization. 
I don't want any entry of type account to be added under this 
Organization. The only thing I want to add is OrganizationalUnit under 
MyBusiness. How do I specify this ? As I can see, any object type can be 
cascaded in any object (directory entry). I need to tell LDAP through 
the schema (or any other way) not to allow Person or account to be a 
direct child of Organization. I hope this example makes things clear.

> Regards,
> Buchan
>