Buchan Milne wrote:
> On Wednesday 26 November 2008 08:54:18 Mansour Al Akeel wrote:
> Buchan Milne wrote:
>> On Wednesday 26 November 2008 06:07:28 Mansour Al Akeel wrote:
>>> Hello all,
>>> I am new to LDAP, and I have a need to migrate the existing system to
>>> ldap as this will ease a bit the management for the new system
>>> implementation. I need to authenticate users for a web site, and for the
>>> internal system ( linux, windows stations .... etc). Now the available
>>> account objectclass is structural
>> So you shouldn't use it, but instead the hostObject auxiliary objectclass
>> provided in the ldapns.schema file shipped with pam_ldap.
>>> This is in fact not only specific to this scenario. I couldn't
>>> find any docs about how to prevent objectClass domain to be added under
>>> group !
>> There are two interpretations of this statement, please be more clear
>> about this matter.
> Ok, let's say I have an entry MyBusiness with objectClass Organization.
> I don't want any entry of type account to be added under this
> Organization. The only thing I want to add is OrganizationalUnit under
> MyBusiness. How do I specify this ? As I can see, any object type can be
> cascaded in any object (directory entry). I need to tell LDAP through
> the schema (or any other way) not to allow Person or account to be a
> direct child of Organization. I hope this example makes things clear.
> This is not schema design, but DIT structure rules, which OpenLDAP doesn't
> ). You could implement
> some of these aspects via ACLs though.
Buchan, thank you. This is the magical word "dit structure rules".
That's what I wanted for google. Now, I am left with one problem. I
couldn't find an example, about this. I can see how to write ACL rules
for user access but not to restrict the DIT structure.
I am reading now
. In the meanwhile,
if you have any example, it will be a big help, or a link to a
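An added example of what Buchan describes (approximating a DIT structure rule with ACLs), not taken from the thread or from any OpenLDAP documentation. It is a slapd.conf fragment and assumes the names o=MyBusiness for the organization entry and cn=DirectoryAdmins,ou=Groups,o=MyBusiness for the group allowed to create entries; both are made up for the example. The idea is that an LDAP add needs write access to the parent's "children" pseudo-attribute and to the new entry's "entry" pseudo-attribute, and a filter= clause in an "access to" line is evaluated against the entry being added, so write access to "entry" can be granted only when that entry is an organizationalUnit:

```conf
# Added example (not from the thread): slapd.conf ACLs allowing only
# organizationalUnit entries to be created directly under o=MyBusiness.
# Assumed names: o=MyBusiness and cn=DirectoryAdmins,ou=Groups,o=MyBusiness.
# ACLs are evaluated in order; the first matching "access to" clause wins.

# 1. Creating any child of o=MyBusiness needs write access to the parent's
#    "children" pseudo-attribute. Only the admin group gets it.
access to dn.exact="o=MyBusiness" attrs=children
        by group.exact="cn=DirectoryAdmins,ou=Groups,o=MyBusiness" write
        by * none

# 2. The add also needs write access to the new entry's "entry"
#    pseudo-attribute and to each attribute it carries. Directly under
#    o=MyBusiness, grant that only when the entry being added is an
#    organizationalUnit and does not also carry account or person (the
#    filter is tested against the entry itself, so a mixed objectClass
#    list does not slip through).
access to dn.one="o=MyBusiness"
        filter="(&(objectClass=organizationalUnit)(!(objectClass=account))(!(objectClass=person)))"
        attrs=entry,objectClass,@organizationalUnit
        by group.exact="cn=DirectoryAdmins,ou=Groups,o=MyBusiness" write
        by users read

# 3. Any other entry at that level (person, account, ...) only ever gets
#    read on "entry", so ldapadd of such an entry is refused with
#    "Insufficient access", even for the admin group.
access to dn.one="o=MyBusiness" attrs=entry
        by users read
        by * none

# 4. Below the OUs the normal rules apply; this catch-all just keeps the
#    example self-contained and should be tightened for real use.
access to dn.subtree="o=MyBusiness"
        by group.exact="cn=DirectoryAdmins,ou=Groups,o=MyBusiness" write
        by users read
        by * auth
```

To check it, bind as a member of the admin group and ldapadd two LDIF entries: an ou=People,o=MyBusiness entry should succeed, while a uid=test,o=MyBusiness entry with objectClass account (or a combined organizationalUnit+account entry) should fail with "Insufficient access". The same "entry" check applies to a modrdn that tries to move an existing account directly under o=MyBusiness. Two caveats: the rules only constrain the one level they are written for, so they have to be repeated per level, and, unlike real DIT structure rules, they say nothing about naming (which attribute forms the RDN). See slapd.access(5) for the "entry" and "children" pseudo-attributes and the filter= clause.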