On Fri, Dec 12, 2008 at 11:57:37AM +0100, Michael Ströder wrote:
>> I should also point out that while the rules above do force every new entry to have objectClass=inetOrgPerson they do not prevent other auxiliary objectclasses from being added to the entry.
> Limiting the AUXILIARY object classes could be covered by DIT content rules which are supported by OpenLDAP.

Good point. I suspect these are not used much as people are not aware of the possibilities.

> Well, not exactly, since DIT content rules apply to the whole DIT of a single slapd instance since OpenLDAP does not have the capability of defining separate subschema subentries for subtrees (leaving proxy configurations aside).

True, but there are still cases where a global content rule could be useful. Some care may be needed to avoid confusing schema-aware user interfaces though...

> Andrew, I think this would be a nice recipe for the FAQ-O-MATIC. Do you have some spare time to add an article in section "Access Control"? (see http://www.openldap.org/faq/data/cache/189.html)

As it happens, I am working on a paper on ACL design so I may well be able to generate a suitable FAQ entry along the way.
Andrew
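The thread mentions DIT content rules as the OpenLDAP mechanism for limiting which AUXILIARY object classes may be combined with a structural class. The following slapd.conf fragment is an added illustration of that mechanism; it is not from the thread, not from the OpenLDAP project, and it is not the access-control rules the posters refer to (those are not reproduced here). The rule name 'inetOrgPersonContentRule' and the choice of allowed class are assumptions made for the example; the OID 2.16.840.1.113730.3.2.2 is the standard one for inetOrgPerson, which is what identifies the rule.

```conf
# Constructed example, not from the mailing-list thread or the OpenLDAP sources.
# A DIT content rule is keyed by the OID of a STRUCTURAL object class; this one
# governs every entry whose structural class is inetOrgPerson
# (OID 2.16.840.1.113730.3.2.2). The directive must appear after the schema
# includes that define the classes it names (core.schema, inetorgperson.schema).
#
# Once a content rule exists for a structural class, slapd only accepts the
# AUXILIARY classes listed in AUX on entries of that class; anything else is
# rejected at add/modify time with an objectClassViolation result.
#
# Caveat from the thread: the rule is global to this slapd instance, so it
# applies to every inetOrgPerson entry in every suffix the instance serves.

ditcontentrule ( 2.16.840.1.113730.3.2.2
    NAME 'inetOrgPersonContentRule'
    DESC 'Constructed example: only simpleSecurityObject may be combined with inetOrgPerson'
    AUX ( simpleSecurityObject )
    NOT ( homePostalAddress ) )
```

With this rule loaded, an entry carrying `objectClass: inetOrgPerson` plus `objectClass: simpleSecurityObject` is accepted, while the same entry with `objectClass: posixAccount` (or any other auxiliary class not in AUX) is refused. The `NOT` clause shows the other thing a content rule can do: forbid an attribute that the structural class would otherwise allow (homePostalAddress is an optional attribute of inetOrgPerson). Under cn=config the same description is given as an `olcDitContentRules` value in a schema entry below cn=schema,cn=config, and as noted in the thread, schema-aware clients that read the subschema subentry will see and honour the rule too.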