Why do you let users create their own objects?
Letting authorized users create objects is a legitimate policy. Restricting the form of an RDN by means of ACLs is the only way an administrator can enforce well-behaved entry creation by those users.
For example, if you want entries whose parent is "ou=People" to be able to use only "uid" as the naming attribute, you can add rules like [*]
    # allow authenticated users to add (and delete) children of ou=People
    access to dn="ou=People" attrs=children by users =w
    # but only grant write on the new entry itself when its RDN is uid=...
    access to dn.regex="^uid=[^,]+,ou=People$" attrs=entry by users =w
p.
[*] this set of rules is far from complete, so please don't just use it as is and complain because nothing works.
Ing. Pierangelo Masarati OpenLDAP Core Team
SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
---------------------------------------
Office: +39 02 23998309
Mobile: +39 333 4963172
Email: pierangelo.masarati@sys-net.it
---------------------------------------
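To see why both rules are needed (write on the parent's "children" pseudo-attribute and write on the new entry's "entry" pseudo-attribute), here is an added example that is not from the post or from OpenLDAP: a deliberately simplified Python model of how slapd would evaluate the two rules above for an add request. It assumes a naive DN split on "," (no escaped commas) and ignores slapd's real ACL engine details such as DN normalization and rule ordering beyond first match.

```python
import re

# Constructed rules mirroring the two ACLs from the post (a simplified
# model; slapd's real ACL engine is more involved than this).
RULES = [
    {"dn_exact": "ou=People", "attr": "children", "who": "users", "access": "w"},
    {"dn_regex": r"^uid=[^,]+,ou=People$", "attr": "entry", "who": "users", "access": "w"},
]


def parent_dn(dn):
    """Return the parent DN by stripping the leading RDN (naive split)."""
    parts = dn.split(",", 1)
    return parts[1] if len(parts) == 2 else ""


def granted(dn, attr, authenticated):
    """First matching rule decides; 'users' only matches authenticated binds.

    Returns True when the rule grants write ('w') access to `attr` on `dn`.
    """
    for rule in RULES:
        if rule["attr"] != attr:
            continue
        if "dn_exact" in rule and rule["dn_exact"] != dn:
            continue
        if "dn_regex" in rule and not re.fullmatch(rule["dn_regex"], dn):
            continue
        # The <who> clause: 'users' requires an authenticated bind.
        if rule["who"] == "users" and not authenticated:
            return False
        return rule["access"] == "w"
    return False  # no rule matched: slapd's implicit default is deny


def may_add(dn, authenticated=True):
    """An add succeeds only if both pseudo-attributes grant write access."""
    return (granted(parent_dn(dn), "children", authenticated)
            and granted(dn, "entry", authenticated))


if __name__ == "__main__":
    for cand in ["uid=alice,ou=People", "cn=alice,ou=People",
                 "uid=alice,ou=Groups", "uid=alice,ou=People,dc=example"]:
        print(cand, "->", "allowed" if may_add(cand) else "denied")
```

The anchored regex is what rejects "cn=alice,ou=People" and a DN with extra trailing components; an unanchored pattern would let either through.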