Michael Ströder wrote:
Howard Chu wrote:
Michael Ströder wrote:
Eventual I'd like to have a constraint like this:
# check whether appropriate password policy is assigned constraint_attribute structuralObjectClass,pwdPolicySubentry set "this/structuralObjectClass & this/pwdPolicySubentry/aeApplicableSOC"
Not possible without custom code.
Hmm, are this/structuralObjectClass and this/pwdPolicySubentry generally unusable in set-constraints?
Or does it not work because of the different matching rules?
Yes, because of the matching rule issue.
This seems to be a deficiency in either ASN.1 or the LDAP spec, I'm not sure which. The problem is that numeric OIDs are obviously unique, but there's no guarantee that string names are. Moreover, the same name might apply to the OID of an attribute, or an objectclass, or a syntax, or some other entity, and there's no way to tell the objectIdentifierMatch rule which context is relevant. So, we can only match on numeric OIDs.