Re: OpenLDAP support for DIT Structure Rules



Andrew Findlay wrote:
> On Tue, Jun 02, 2009 at 11:39:04AM -0400, James Lentini wrote:
> 
>> An FSN is intended to be superior to its FSLs in a DIT. I was 
>> considering including DIT Structure Rules in the draft as a way to 
>> enforce this arrangement. However, I'm not inclined to do this if 
>> popular LDAP implementations, such as OpenLDAP, don't support them.
>>
>> If there is a standard, well-supported mechanism for enforcing DIT 
>> structure, I'd be interested to know about it.
> 
> Standard - yes. Well supported - no.
> DIT Structure Rules along with DIT Content Rules are the "standard"
> way to do this, but hardly anyone implements them.

This is somewhat true. There are various server implementations but
AFAIK only one open source client. ;-)

I've tested support in web2ldap for DIT structure rules and name forms
with three different commercial servers and one open source
implementation. I still have to sort out some issues with determining
the governing structure rule at the client side (in case the DSA does
not return operational attribute 'governingStructureRule').

> OpenLDAP can do it, using a combination of ACLs and DIT Content
> Rules. 

While this is a solution for enforcing DIT structure rules at
server-side, a client cannot determine the rules and guide the user to do
the right thing.

Ciao, Michael.