Andrew Findlay wrote:
> I should also point out that while the rules above do force every new entry to have objectClass=inetOrgPerson they do not prevent other auxiliary objectclasses from being added to the entry.
Limiting the AUXILIARY object classes could be covered by DIT content rules which are supported by OpenLDAP. Well, not exactly, since DIT content rules apply to the whole DIT of a single slapd instance since OpenLDAP does not have the capability of defining separate subschema subentries for subtrees (leaving proxy configurations aside).
Andrew, I think this would be a nice recipe for the FAQ-O-MATIC. Do you have some spare time to add an article in section "Access Control"? (see http://www.openldap.org/faq/data/cache/189.html)
Ciao, Michael.
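The DIT content rule mechanism mentioned above, as an added example that is not part of the original message or of any OpenLDAP documentation. It assumes a slapd.conf-style configuration, the schema include paths shown, and that simpleSecurityObject is the only auxiliary class the administrator wants to allow on inetOrgPerson entries; the rule name is made up for the example. The OID in the rule is the OID of the structural object class it governs (inetOrgPerson, 2.16.840.1.113730.3.2.2, as defined in RFC 2798).

```conf
# Added example (not from the original message): restrict which AUXILIARY
# object classes may accompany the structural class inetOrgPerson.
#
# The rule must be declared after the schema files that define the classes
# it references have been loaded. Paths below are assumptions.
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema

# A DIT content rule is keyed by the OID of the structural object class it
# applies to. Once a rule exists for that class, an entry whose structural
# class is inetOrgPerson may only carry the auxiliary classes listed in AUX;
# any other auxiliary class is rejected on add or modify with an object
# class violation. The rule name 'inetOrgPersonContent' is made up here.
ditcontentrule ( 2.16.840.1.113730.3.2.2
    NAME 'inetOrgPersonContent'
    DESC 'Only simpleSecurityObject may be added as an auxiliary class'
    AUX ( simpleSecurityObject ) )
```

After restarting slapd, the active rule can be confirmed by reading the dITContentRules attribute of the subschema entry (for example with `ldapsearch -x -s base -b cn=subschema dITContentRules`). As the message above notes, the rule is global to the slapd instance: every inetOrgPerson entry in every database served by that instance is subject to it, and entries of other structural classes are unaffected unless they get a rule of their own. Leaving AUX out of the rule altogether forbids all auxiliary classes on inetOrgPerson entries.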