[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: ACL for DIT structure rules
On Fri, Dec 12, 2008 at 11:57:37AM +0100, Michael Ströder wrote:
> > I should also point out that while the rules above do force every
> > new entry to have objectClass=inetOrgPerson they do not prevent other
> > auxiliary objectclasses from being added to the entry.
>
> Limiting the AUXILIARY object classes could be covered by DIT content
> rules which are supported by OpenLDAP.
Good point. I suspect these are not used much as people are not aware
of the possibilities.
> Well, not exactly, since DIT
> content rules apply to the whole DIT of a single slapd instance since
> OpenLDAP does not have the capability of defining separate subschema
> subentries for subtrees (leaving proxy configurations aside).
True, but there are still cases where a global content rule could be
useful. Some care may be needed to avoid confusing schema-aware user
interfaces though...
> Andrew, I think this would be a nice recipe for the FAQ-O-MATIC. Do you
> have some spare time to add an article in section "Access Control"?
> (see http://www.openldap.org/faq/data/cache/189.html)
As it happens, I am working on a paper on ACL design so I may well be
able to generate a suitable FAQ entry along the way.
Andrew
--
-----------------------------------------------------------------------
| From Andrew Findlay, Skills 1st Ltd |
| Consultant in large-scale systems, networks, and directory services |
| http://www.skills-1st.co.uk/ +44 1628 782565 |
-----------------------------------------------------------------------