Hello all,
In an objectclass, is there a way to restrict (only) one attribute to be the RDN?
For example: only uid needs to be the RDN in an organizationalUnit.
Thanks in advance,
Arunachalam.
**************************************************************************** **************************** This e-mail and attachments contain confidential information from HUAWEI, which is intended only for the person or entity whose address is listed above. Any use of the information contained herein in any way (including, but not limited to, total or partial disclosure, reproduction, or dissemination) by persons other than the intended recipient's) is prohibited. If you receive this e-mail in error, please notify the sender by phone or email immediately and delete it!
Arunachalam Parthasarathy wrote:
Hello all,
In an objectclass, is there a way to restrict (only) one attribute to be the RDN?
For example: only uid needs to be the RDN in an organizationalUnit.
Thanks in advance,
Why?
Hello Gavin,
Thanks for the reply. If this restriction is not there, any user can create a DN with any attribute as the RDN, which leads to non-uniformity (for instance, one user may use uid as the RDN and another may use userPassword as the RDN for inetOrgPerson).
Thanks in advance,
Arunachalam.
-----Original Message-----
From: Gavin Henry [mailto:ghenry@suretecsystems.com]
Sent: Monday, October 01, 2007 4:02 AM
To: arunachalamp@huawei.com
Cc: openldap-software@openldap.org
Subject: Re: restricting attributes to become RDN, which objects are created
Arunachalam Parthasarathy wrote:
Hello all,
In an objectclass, is there a way to restrict (only) one attribute to be the RDN?
For example: only uid needs to be the RDN in an organizationalUnit.
Thanks in advance,
Why?
--On Monday, October 01, 2007 3:23 PM +0530 Arunachalam Parthasarathy arunachalamp@huawei.com wrote:
Hello Gavin,
Thanks for the reply. If this restriction is not there, any user can create a DN with any attribute as the RDN, which leads to non-uniformity (for instance, one user may use uid as the RDN and another may use userPassword as the RDN for inetOrgPerson).
Why do you let users create their own objects?
--Quanah
--
Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
Zimbra :: the leader in open source messaging and collaboration
Quanah Gibson-Mount wrote:
--On Monday, October 01, 2007 3:23 PM +0530 Arunachalam Parthasarathy arunachalamp@huawei.com wrote:
Hello Gavin,
Thanks for the reply. If this restriction is not there, any user can create a DN with any attribute as the RDN, which leads to non-uniformity (for instance, one user may use uid as the RDN and another may use userPassword as the RDN for inetOrgPerson).
Why do you let users create their own objects?
Exactly.
Why do you let users create their own objects?
Letting authorized users create objects is a legitimate policy. Restricting the form of an RDN by means of ACLs is the only way an administrator can enforce well-behaved entry creation by those users.
For example, if you want entries whose parent is "ou=People" to be able to use only "uid" as the naming attribute, you can add rules like [*]
access to dn="ou=People" attrs=children by users =w
access to dn.regex="^uid=[^,]+,ou=People$" attrs=entry by users =w
p.
[*] this set of rules is far from complete, so please don't just use it as is and complain because nothing works.
Ing. Pierangelo Masarati
OpenLDAP Core Team
SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
Office: +39 02 23998309
Mobile: +39 333 4963172
Email: pierangelo.masarati@sys-net.it
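The two rules above, expanded into a fuller slapd.conf ACL set as an added example (not from the thread or from OpenLDAP's own documentation); the suffix dc=example,dc=com, the attribute-level rule and the placement before any catch-all are assumptions made here.

```conf
# Added example: only entries named "uid=<value>" may be created directly
# under ou=People,dc=example,dc=com by authenticated users (suffix assumed).
# slapd stops at the first "access to" clause whose <what> matches, so these
# rules must come BEFORE any broad rule such as "access to * by users write",
# which would otherwise grant entry write for every RDN form.
# The rootdn bypasses ACLs entirely, so nothing here constrains it.

# 1. Adding (or removing) a child of ou=People requires write on "children".
access to dn.exact="ou=People,dc=example,dc=com" attrs=children
        by users =w

# 2. The new entry itself: write on "entry" is granted only when the RDN
#    attribute is uid. "=w" is the thread's syntax; OpenLDAP 2.4 and later
#    also offer "=a" (add only) here if users must not delete entries.
access to dn.regex="^uid=[^,]+,ou=People,dc=example,dc=com$" attrs=entry
        by users =w
        by * read

# 3. Any other one-level child of ou=People (cn=..., userPassword=..., ...)
#    stays readable but gets no entry write, so such an add is refused.
access to dn.regex="^[^,]+,ou=People,dc=example,dc=com$" attrs=entry
        by * read

# 4. An add also needs write on every attribute of the new entry; limit that
#    to the uid-named entries so rule 3 cannot be sidestepped. This is
#    deliberately broad for the demo (all attributes, all users) and would be
#    narrowed with attrs=... in a real deployment.
access to dn.regex="^uid=[^,]+,ou=People,dc=example,dc=com$"
        by self write
        by users =w
        by * read

# 5. Catch-all, last on purpose.
access to *
        by * read
```

A quick check after loading the config: an ldapadd of "uid=jdoe,ou=People,dc=example,dc=com" as a bound user should succeed, while the same add of "cn=jdoe,ou=People,dc=example,dc=com" should fail with insufficient access.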
Pierangelo Masarati wrote:
Why do you let users create their own objects?
Letting authorized users create objects is a legitimate policy. Restricting the form of an RDN by means of ACLs is the only way an administrator can enforce well-behaved entry creation by those users.
More generally, just for data consistency (as opposed to authorization concerns), this is what X.500 DIT structure rules and name forms are for. Neither is currently supported in OpenLDAP, although there are plans to implement them in the future.
For example, if you want entries whose parent is "ou=People" to be able to use only "uid" as the naming attribute, you can add rules like [*]
access to dn="ou=People" attrs=children by users =w
access to dn.regex="^uid=[^,]+,ou=People$" attrs=entry by users =w
p.
[*] this set of rules is far from complete, so please don't just use it as is and complain because nothing works.
Pierangelo Masarati wrote:
Why do you let users create their own objects?
Letting authorized users create objects is a legitimate policy. Restricting the form of an RDN by means of ACLs is the only way an administrator can enforce well-behaved entry creation by those users.
For example, if you want entries whose parent is "ou=People" to be able to use only "uid" as the naming attribute, you can add rules like [*]
access to dn="ou=People" attrs=children by users =w
access to dn.regex="^uid=[^,]+,ou=People$" attrs=entry by users =w
p.
[*] this set of rules is far from complete, so please don't just use it as is and complain because nothing works.
Nice example. I never thought of doing it this way. One for the docs I think.
Gavin.
On Saturday 29 September 2007 14:25:45 Arunachalam Parthasarathy wrote:
Hello all,
In an objectclass, is there a way to restrict (only) one attribute to be the RDN?
For example: only uid needs to be the RDN in an organizationalUnit.
Assuming you don't want this restriction to be applied to the rootdn (or, you don't have the rootdn enabled), then you could quite easily achieve this with ACLs.
Regards, Buchan
Hello Buchan,
Can I get an example of the ACL usage for this restriction?
Thanks in advance,
Arunachalam
-----Original Message-----
From: Buchan Milne [mailto:bgmilne@staff.telkomsa.net]
Sent: Monday, October 01, 2007 2:39 PM
To: openldap-software@openldap.org; arunachalamp@huawei.com
Subject: Re: restricting attributes to become RDN, which objects are created
On Saturday 29 September 2007 14:25:45 Arunachalam Parthasarathy wrote:
Hello all,
In an objectclass, is there a way to restrict (only) one attribute to be the RDN?
For example: only uid needs to be the RDN in an organizationalUnit.
Assuming you don't want this restriction to be applied to the rootdn (or, you don't have the rootdn enabled), then you could quite easily achieve this with ACLs.
Regards,
Buchan