Buchan Milne wrote:
On Wednesday 26 November 2008 08:54:18 Mansour Al Akeel wrote:
Buchan Milne wrote:
On Wednesday 26 November 2008 06:07:28 Mansour Al Akeel wrote:
Hello all, I an new to LDAP, and I have a need to migrate the existing system to ldap as this will ease a bit the management for the new system implementation. I need to authenticate users for a web site, and for the internal system ( linux, windows stations .... etc). Now the available account objectclass is structural
Sou you shouldn't use it, but intead the hostObject auxiliary objectclass provided in the ldapns.schema file shipped with pam_ldap.
[...]
This is in fact not only specific to this senario. I couldn't find any docs about how to prevent objectClass domain to be added under group !
There are two interpretations of this statement, please be more clear about this matter.
Ok, let's say I have an entery MyBusiness with objectClass Organization. I don't want any entry of type account to be added under this Organization. The only thing I want to add is OrganizationalUnit under MyBusiness. How do I specify this ? As I can see, any object type can be cascaded in any object (directory entry). I need to tell LDAP through the schema (or any other way) not to allow Person or account to be a direct child of Organization. I hope this example makes things clear.
This is not schema design, but DIT structure rules, which OpenLDAP doesn't support (http://www.openldap.org/faq/data/cache/649.html). You could implement some of these aspects via ACLs though.
Buchan, thank you. This is the magical word "dit structure rules". That's what I wanted for google. Now, I am left with one problem. I couldn't find an example, about this. I can see how to write ACL rules for user access but not to restrict the DIT structure.
I am reading now http://www.openldap.org/doc/admin24/access-control.html. In the mean while, if you have any example, it will be big help, or a link to a tutorial.
Regards, Buchan