
Re: OpenLDAP support for DIT Structure Rules



On Tue, Jun 02, 2009 at 11:39:04AM -0400, James Lentini wrote:

> An FSN is intended to be superior to its FSLs in a DIT. I was 
> considering including DIT Structure Rules in the draft as a way to 
> enforce this arrangement. However, I'm not inclined to do this if 
> popular LDAP implementations, such as OpenLDAP, don't support them.
> 
> If there is a standard, well-supported mechanism for enforcing DIT 
> structure, I'd be interested to know about it.

Standard - yes. Well supported - no. DIT Structure Rules along with
DIT Content Rules are the "standard" way to do this, but hardly anyone
implements them.

In fact very few LDAP servers can do what you describe by any means at
all. OpenLDAP can do it, using a combination of ACLs and DIT Content
Rules. Some of the other server products will partially enforce it
using ACLs, but there are ways to subvert that.

See section 10.2 of my paper on Access Control for some examples:

	http://www.skills-1st.co.uk/papers/ldap-acls-jan-2009/

Andrew
-- 
-----------------------------------------------------------------------
|                 From Andrew Findlay, Skills 1st Ltd                 |
| Consultant in large-scale systems, networks, and directory services |
|     http://www.skills-1st.co.uk/                +44 1628 782565     |
-----------------------------------------------------------------------
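
As an added illustration of the "ACLs plus DIT Content Rules" combination mentioned in the reply (this fragment is not from the post above, nor taken from the cited paper, and may differ from what section 10.2 shows), here is a slapd.conf sketch for the FSN/FSL layout the question describes. Everything named is an assumption for the example: the base `ou=fedfs,dc=example,dc=com`, the structural object classes `fedfsFsn` and `fedfsFsl`, the group `cn=fedfs-admins,ou=groups,dc=example,dc=com`, and the placeholder OID, which in a real deployment must be the OID of the `fedfsFsl` object class because a DIT content rule is keyed to the structural class it governs.

```conf
# slapd.conf fragment, OpenLDAP 2.4 syntax. ADDED EXAMPLE: not from the post
# or the paper it cites. Hypothetical names: ou=fedfs,dc=example,dc=com (base),
# fedfsFsn / fedfsFsl (structural classes), cn=fedfs-admins (maintainers).
# 1.3.6.1.4.1.99999.1.2 is a placeholder; replace with the real fedfsFsl OID.

# --- DIT Content Rule -------------------------------------------------------
# Enforced by schema checking for every writer, rootdn included (ACLs are
# bypassed by rootdn; content rules are not). A rule with no AUX list means
# entries of this structural class may carry no auxiliary classes at all, so
# an FSL cannot be decorated with extra classes/attributes that an ACL filter
# on objectClass elsewhere in the tree could be fooled by.
ditcontentrule ( 1.3.6.1.4.1.99999.1.2
    NAME 'fedfsFslContent'
    DESC 'FSL entries carry no auxiliary classes' )

# --- ACLs -------------------------------------------------------------------
# The first "access to" clause whose target (dn, filter, attrs) matches wins,
# so these must be ordered specific to general and must precede any broader
# "access to *" clause in the file.

# The subtree root may receive children (the FSNs).
access to dn.base="ou=fedfs,dc=example,dc=com" attrs=children
    by group.exact="cn=fedfs-admins,ou=groups,dc=example,dc=com" write
    by * read

# Level 1: an entry directly under the root may be created or maintained only
# if it is an FSN. An add needs write on the new entry's "entry" pseudo-
# attribute and on every attribute it carries; the filter is evaluated against
# the entry being added. Only FSN entries get "children" write, so only FSNs
# can ever have something placed beneath them.
access to dn.onelevel="ou=fedfs,dc=example,dc=com"
        filter="(objectClass=fedfsFsn)"
        attrs=entry,children,objectClass,@fedfsFsn
    by group.exact="cn=fedfs-admins,ou=groups,dc=example,dc=com" write
    by * read

# Level 2: an entry two RDNs below the root (i.e. under some FSN) may be
# created or maintained only if it is an FSL. No clause grants "children"
# write on FSL entries, so nothing can be added below an FSL. The regex runs
# on the normalized DN; RDN values containing escaped commas need a more
# careful pattern than [^,]+.
access to dn.regex="^[^,]+,[^,]+,ou=fedfs,dc=example,dc=com$"
        filter="(objectClass=fedfsFsl)"
        attrs=entry,objectClass,@fedfsFsl
    by group.exact="cn=fedfs-admins,ou=groups,dc=example,dc=com" write
    by * read

# Everything else in the subtree (wrong class, wrong depth, attributes outside
# the class) falls through to read-only, so the add or modify is refused.
access to dn.subtree="ou=fedfs,dc=example,dc=com"
    by * read
```

The division of labour is the point of the combination: the ACLs decide which structural class may live at which depth (an FSN at level one, an FSL only directly beneath an FSN, nothing beneath an FSL), while the content rule closes the gap ACL filters leave open, namely an entry of the permitted class carrying extra auxiliary classes and attributes. A quick check after loading the config is to bind as a member of the admin group and attempt, with ldapadd, an FSL directly under the root, an entry of any kind under an FSL, and an FSL that lists an auxiliary class: the first two should fail on access, the third on the content rule. Day-to-day maintenance should not be done as rootdn, since rootdn ignores the ACL half of the scheme.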