On Tue, Jun 02, 2009 at 11:39:04AM -0400, James Lentini wrote:
> An FSN is intended to be superior to its FSLs in a DIT. I was considering including DIT Structure Rules in the draft as a way to enforce this arrangement. However, I'm not inclined to do this if popular LDAP implementations, such as OpenLDAP, don't support them.
> If there is a standard, well-supported mechanism for enforcing DIT structure, I'd be interested to know about it.
Standard - yes. Well supported - no. DIT Structure Rules along with DIT Content Rules are the "standard" way to do this, but hardly anyone implements them.
In fact very few LDAP servers can do what you describe by any means at all. OpenLDAP can do it, using a combination of ACLs and DIT Content Rules. Some of the other server products will partially enforce it using ACLs, but there are ways to subvert that.
See section 10.2 of my paper on Access Control for some examples:
http://www.skills-1st.co.uk/papers/ldap-acls-jan-2009/
Andrew
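Added illustration of the ACL plus DIT Content Rule combination described above. This is not from the original message or from the linked paper; it is a slapd.conf fragment written for this thread. The object class names fedfsFsn and fedfsFsl, the RDN attributes fedfsFsnUuid and fedfsFslUuid, the suffix dc=example,dc=com, the admin group and the OID 1.3.6.1.4.1.99999.2.1 are all assumed placeholders to be replaced with the draft's real schema.

```conf
# --- slapd.conf fragment: keep FSL entries directly beneath FSN entries ---
# Assumed placeholders: fedfsFsn/fedfsFsl, fedfsFsnUuid/fedfsFslUuid,
# dc=example,dc=com, cn=fedfs-admins and the OID below are NOT real values.

# 1. An FSN entry may exist only directly under ou=fedfs, only with an
#    fedfsFsnUuid RDN, and only if the entry being added is an fedfsFsn.
#    The filter is evaluated against the entry that is being added.
access to dn.regex="^fedfsFsnUuid=[^,]+,ou=fedfs,dc=example,dc=com$"
        filter="(objectClass=fedfsFsn)"
    by group.exact="cn=fedfs-admins,ou=groups,dc=example,dc=com" write
    by * read

# 2. An FSL entry may exist only directly under an FSN entry.
#    Adding it also needs write on the parent FSN's "children"
#    pseudo-attribute, which rule 1 grants to the same group.
access to dn.regex="^fedfsFslUuid=[^,]+,fedfsFsnUuid=[^,]+,ou=fedfs,dc=example,dc=com$"
        filter="(objectClass=fedfsFsl)"
    by group.exact="cn=fedfs-admins,ou=groups,dc=example,dc=com" write
    by * read

# 3. The container itself: admins may create children but not edit it.
access to dn.exact="ou=fedfs,dc=example,dc=com" attrs=children
    by group.exact="cn=fedfs-admins,ou=groups,dc=example,dc=com" write
    by * read

# 4. Anything else in the subtree (wrong depth, wrong RDN attribute, wrong
#    object class) matches none of the rules above and is read-only.
#    ACLs are evaluated in order and the first matching "access to" wins,
#    so this catch-all must stay last.
access to dn.subtree="ou=fedfs,dc=example,dc=com"
    by * read

# The ACL filter above still passes an entry that is an fedfsFsn *and*
# carries extra auxiliary classes. Close that hole with a DIT Content
# Rule keyed on the structural class's OID: with no AUX clause, entries
# whose structural class is fedfsFsn may carry no auxiliary classes at
# all. Place this after the objectclass definitions it refers to.
ditcontentrule ( 1.3.6.1.4.1.99999.2.1
    NAME 'fedfsFsnContent'
    DESC 'fedfsFsn entries may not carry auxiliary object classes' )
```

The two halves do different jobs: the dn.regex/filter ACLs decide where an entry of a given class may be created, and the content rule decides what else an entry of that structural class may be turned into once it is there. Dropping either one reopens a way round the intended FSN-over-FSL shape.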