Pierangelo Masarati wrote:
> Why do you let users create their own objects?
Letting authorized users create objects is a legitimate policy. Restricting the form of an RDN by means of ACL is the only way an administrator can enforce well-behaved entry creation by those users.
More generally, just for data consistency (as opposed to authorization concerns), this is what X.500 DIT Structure Rules and Name Forms are for. Neither of these is currently supported in OpenLDAP, although there are plans to implement them in the future.
For example, if you want entries whose parent is "ou=People" to be able to use only "uid" as the naming attribute, you can add rules like [*]
    access to dn="ou=People" attrs=children by users =w
    access to dn.regex="^uid=[^,]+,ou=People$" attrs=entry by users =w
p.
[*] This set of rules is far from complete, so please don't just use it as is and complain because nothing works.
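As an added illustration (not code from the message above or from the OpenLDAP project), the following Python models the two ACL clauses as predicates so that candidate DNs can be checked offline before an administrator commits a rule set. It assumes, as the clauses do, that the directory suffix is omitted, that slapd matches a dn.regex pattern against the whole normalized DN, and that the match is case-insensitive; full DN parsing (escaped commas and the like) is deliberately not modelled. The function names and the sample DNs are constructed for this example.

```python
import re

# Added example, not the message author's code.  Each clause from the
# message is mirrored by one predicate.  Assumptions: no suffix, regex
# applied to the whole DN, case-insensitive matching.

# Clause 1: access to dn="ou=People" attrs=children by users =w
PARENT_DN = "ou=people"

# Clause 2: access to dn.regex="^uid=[^,]+,ou=People$" attrs=entry by users =w
ENTRY_RE = re.compile(r"^uid=[^,]+,ou=People$", re.IGNORECASE)


def parent_dn(dn: str) -> str:
    """Naive parent DN: drop the first RDN (ignores escaped commas)."""
    return dn.split(",", 1)[1] if "," in dn else ""


def children_write_allowed(dn: str) -> bool:
    """Clause 1: write on the parent's 'children' pseudo-attribute."""
    return parent_dn(dn).lower() == PARENT_DN


def entry_write_allowed(dn: str) -> bool:
    """Clause 2: write on the new entry's 'entry' pseudo-attribute."""
    return ENTRY_RE.match(dn) is not None


def add_allowed(dn: str) -> bool:
    """An add needs both grants; write on the entry's attributes is a
    further requirement the two clauses above do not cover."""
    return children_write_allowed(dn) and entry_write_allowed(dn)


CANDIDATES = [  # constructed sample DNs
    "uid=jdoe,ou=People",          # well-formed: both clauses grant
    "cn=jdoe,ou=People",           # wrong naming attribute: clause 2 denies
    "uid=jdoe,ou=Staff",           # wrong parent: clause 1 denies
    "uid=jdoe,ou=Sub,ou=People",   # one level too deep: both deny
    "uid=jdoe+cn=John,ou=People",  # multi-valued RDN still matches [^,]+
]

if __name__ == "__main__":
    for dn in CANDIDATES:
        print(f"{dn:30} children={children_write_allowed(dn)!s:5} "
              f"entry={entry_write_allowed(dn)!s:5} add={add_allowed(dn)}")
```

The last candidate is the point worth noticing: `[^,]+` only excludes commas, so a multi-valued RDN such as `uid=jdoe+cn=John` still satisfies the pattern. If the policy is "uid alone", the regex has to exclude `+` as well, which is one concrete reason the footnote warns against using the rules as is.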