Harishkumar Pathangay wrote:
Hi,

How to say not to use a particular objectClass for a dn. For example,

harish@openSUSE:~> ldapsearch -x -b 'dc=my-domain,dc=com' '(objectclass=*)'
# extended LDIF
#
# LDAPv3
# base <dc=my-domain,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# my-domain.com
dn: dc=my-domain,dc=com
objectClass: dcObject
objectClass: organization
dc: my-domain
o: Example Corporation

# Manager, my-domain.com
dn: cn=Manager,dc=my-domain,dc=com
objectClass: organizationalRole
cn: Manager
description: Directory Manager

# search result
search: 2
result: 0 Success

Here, we see that dn: dc=my-domain,dc=com uses objectClass: organization.
I want to say not to use objectClass: organization. How to do this?

You probably want to have DIT structure rules which are (unfortunately) not implemented by OpenLDAP yet.
It's possible to work around this with ACLs: http://www.openldap.org/faq/data/cache/1474.html
A schema-aware client cannot detect the custom ACLs though.
Ciao, Michael.