Andrew Findlay wrote:
> On Tue, Jun 02, 2009 at 11:39:04AM -0400, James Lentini wrote:
>> An FSN is intended to be superior to its FSLs in a DIT. I was considering including DIT Structure Rules in the draft as a way to enforce this arrangement. However, I'm not inclined to do this if popular LDAP implementations, such as OpenLDAP, don't support them. If there is a standard, well supported mechanisms for enforcing DIT structure, I'd be interested to know about it.
>
> Standard - yes. Well supported - no. DIT Structure Rules along with DIT Content Rules are the "standard" way to do this, but hardly anyone implements them.

ApacheDS and OpenDS do now; we'll probably add them in OpenLDAP 2.5. It's a bit late to add to 2.4. Up till now, hardly anyone ever needed them.
> In fact very few LDAP servers can do what you describe by any means at all. OpenLDAP can do it, using a combination of ACLs and DIT Content Rules. Some of the other server products will partially enforce it using ACLs, but there are ways to subvert that. See section 10.2 of my paper on Access Control for some examples:
>
> http://www.skills-1st.co.uk/papers/ldap-acls-jan-2009/
>
> Andrew
-- 
Howard Chu
CTO, Symas Corp.           http://www.symas.com
Director, Highland Sun     http://highlandsun.com/hyc/
Chief Architect, OpenLDAP  http://www.openldap.org/project/
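The "ACLs plus DIT Content Rules" combination Andrew mentions, as a worked slapd.conf example added here by the editor; it is not code from the thread, from Andrew's paper, or from the fs-ldap draft. The object classes `fsnEntry` and `fslEntry`, the attribute `fslLocation`, the OIDs under 1.3.6.1.4.1.99999, the suffix `dc=example,dc=com` and the group `cn=fsadmins` are all placeholders chosen for the illustration. The content rule limits what an entry may contain; the ACLs limit where an entry of each class may be created, using the fact that an add needs write access to the `entry` pseudo-attribute of the new entry and the `children` pseudo-attribute of its parent.

```conf
# Constructed example (editor's addition, not from the thread or the draft).
# All object class, attribute, OID and DN names below are placeholders.

# --- 1. DIT Content Rule: what an entry may CONTAIN -------------------------
# The OID is that of the structural object class the rule governs (fsnEntry).
# With no AUX clause, entries of this class may carry no auxiliary classes at
# all, and NOT forbids the listed attribute, so an FSN can never be dressed up
# to look like an FSL by adding FSL data to it.
ditcontentrule ( 1.3.6.1.4.1.99999.2.1
    NAME 'fsnContentRule'
    DESC 'placeholder rule: an fsnEntry must not hold FSL data'
    NOT ( fslLocation ) )

# --- 2. ACLs: WHERE an entry of each class may be created ------------------
# OpenLDAP uses the first "access to" directive whose dn, attrs and filter all
# match, so each level gets a permissive rule for the intended class followed
# by a read-only fallback that blocks everything else.

# Level 1: only fsnEntry objects directly under ou=Namespaces.
access to dn.onelevel="ou=Namespaces,dc=example,dc=com" attrs=entry
        filter="(objectClass=fsnEntry)"
    by group.exact="cn=fsadmins,ou=Groups,dc=example,dc=com" write
    by * read

access to dn.onelevel="ou=Namespaces,dc=example,dc=com" attrs=entry
    by * read

# Level 2: only fslEntry objects directly under an fsnEntry.
access to dn.regex="^[^,]+,[^,]+,ou=Namespaces,dc=example,dc=com$" attrs=entry
        filter="(objectClass=fslEntry)"
    by group.exact="cn=fsadmins,ou=Groups,dc=example,dc=com" write
    by * read

access to dn.regex="^[^,]+,[^,]+,ou=Namespaces,dc=example,dc=com$" attrs=entry
    by * read

# Level 3 and deeper: nothing may be created at all.
access to dn.regex="^([^,]+,){3,}ou=Namespaces,dc=example,dc=com$" attrs=entry
    by * read

# Everything else in the subtree (children pseudo-attribute on each parent,
# the ordinary attributes of the entries): admins write, others read.
access to dn.subtree="ou=Namespaces,dc=example,dc=com"
    by group.exact="cn=fsadmins,ou=Groups,dc=example,dc=com" write
    by * read
```

The content rule is enforced by slapd on add and modify against the entry's structural class, so the "an FSN must not also be an FSL" half does not depend on ACL ordering. The ACL half does: if the filtered rule and its read-only fallback for a level are swapped, the fallback matches first and the intended class can no longer be created there either. Rename (modrdn) is a third path, since it also needs write on `entry` and on both parents' `children`; check that path explicitly when adapting this pattern, as it is the kind of gap Andrew's paper refers to.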