btb@bitrate.net wrote:
On Apr 21, 2012, at 14.12, Michael Ströder wrote:
But you could at least enforce that attribute values match according to what you've subscribed above with a set-based constraint to avoid having false user input in your data.
oh, that sounds interesting. if nothing else, it would be a step in that direction. with slapo-constraint, presumably? i've only used it for basic constraints, but i'll go have another read through man 5 slapo-constraint and do some experimenting.
Yes, with slapo-constraint.
Examples (lines partially wrapped):
# cn has to be composed of givenName, space, sn
constraint_attribute cn,sn,givenName
  set "(this/givenName + [ ] + this/sn) & this/cn"
  restrict="ldap:///ou=People,dc=domain??sub?(objectClass=person)"

# homeDirectory has to be composed like /home/uid
constraint_attribute uid,homeDirectory
  set "([/home/] + this/uid) & this/homeDirectory"
  restrict="ldap:///ou=People,dc=domain??sub?(objectClass=posixAccount)"
Another option would be to add some external custom code with slapo-sock where an external process listens on a Unix domain socket.
For auto-generating values you could customize your LDAP administration UI. Which one are you using?
for day to day management tasks, apache directory studio.
Doesn't it have a plugin API?
I've implemented something like this in my web2ldap with a custom attribute plugin class which suggests an input value based on different input. Not much work but one extra click needed though because up to now web2ldap does not have a post-process plugin API for the whole entry.
Ciao, Michael.
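
Added example, not part of the original message and not OpenLDAP code: a small Python model of how the two set expressions above decide whether an entry passes. It assumes a simplified reading of set semantics ("+" joins every left value with every right value, "&" is intersection with exact string comparison, and the constraint passes when the result is non-empty); the function names and sample entries are constructed for illustration.

```python
from itertools import product

def concat(left, right):
    """Set '+': every left value joined with every right value."""
    return {l + r for l, r in product(left, right)}

def set_constraint_ok(entry, parts, target):
    """Model of "(p1 + p2 + ...) & this/<target>": passes when non-empty.
    parts are ("attr", name) for this/<name> or ("lit", text) for [text]."""
    acc = {""}
    for kind, val in parts:
        operand = set(entry.get(val, ())) if kind == "attr" else {val}
        acc = concat(acc, operand)  # a missing attribute empties the set
    return bool(acc & set(entry.get(target, ())))

# The two rules from the message above, in the model's notation.
CN_RULE = ([("attr", "givenName"), ("lit", " "), ("attr", "sn")], "cn")
HOME_RULE = ([("lit", "/home/"), ("attr", "uid")], "homeDirectory")

def evaluate(entry):
    """Return pass/fail for both rules on one entry (dict of value lists)."""
    return {"cn": set_constraint_ok(entry, *CN_RULE),
            "homeDirectory": set_constraint_ok(entry, *HOME_RULE)}

# Constructed sample entries (not real directory data).
GOOD = {"givenName": ["Ada"], "sn": ["Lovelace"], "cn": ["Ada Lovelace"],
        "uid": ["ada"], "homeDirectory": ["/home/ada"]}
BAD_HOME = dict(GOOD, homeDirectory=["/root"])
# Multi-valued givenName: any givenName/sn combination may supply cn.
MULTI = dict(GOOD, givenName=["Ada", "Augusta"], cn=["Augusta Lovelace"])
# One conforming cn value is enough; the second value is not checked.
EXTRA_CN = dict(GOOD, cn=["Ada Lovelace", "Directory Manager"])
NO_SN = {k: v for k, v in GOOD.items() if k != "sn"}

SAMPLES = {"GOOD": GOOD, "BAD_HOME": BAD_HOME, "MULTI": MULTI,
           "EXTRA_CN": EXTRA_CN, "NO_SN": NO_SN}

if __name__ == "__main__":
    for name, entry in SAMPLES.items():
        print(f"{name:9} {evaluate(entry)}")
```

In this model the EXTRA_CN entry passes because the intersection only needs one matching value, so the set rule alone does not stop additional free-form cn values; slapo-constraint's count type can limit the number of values if that matters.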