Re: schema design and schema restrictions

On Wednesday 26 November 2008 08:54:18 Mansour Al Akeel wrote: > Buchan Milne wrote: > >> On Wednesday 26 November 2008 06:07:28 Mansour Al Akeel wrote: >> >>> Hello all, >>> I an new to LDAP, and I have a need to migrate the existing system to >>> ldap as this will ease a bit the management for the new system >>> implementation. I need to authenticate users for a web site, and for the >>> internal system ( linux, windows stations .... etc). Now the available >>> account objectclass is structural >>> >> Sou you shouldn't use it, but intead the hostObject auxiliary objectclass >> provided in the ldapns.schema file shipped with pam_ldap. >> >> [...] >> >> >>> This is in fact not only specific to this senario. I couldn't >>> find any docs about how to prevent objectClass domain to be added under >>> group ! >>> >> There are two interpretations of this statement, please be more clear >> about this matter. >> > Ok, let's say I have an entery MyBusiness with objectClass Organization. > I don't want any entry of type account to be added under this > Organization. The only thing I want to add is OrganizationalUnit under > MyBusiness. How do I specify this ? As I can see, any object type can be > cascaded in any object (directory entry). I need to tell LDAP through > the schema (or any other way) not to allow Person or account to be a > direct child of Organization. I hope this example makes things clear. > This is not schema design, but DIT structure rules, which OpenLDAP doesn't support (http://www.openldap.org/faq/data/cache/649.html). You could implement some of these aspects via ACLs though.

Regards, Buchan