Hi list, could someone point me to some resources, in particular usage examples, about DIT content rules?
Thanks in advance Marco
On Thu, Apr 28, 2011 at 6:54 AM, Marco Pizzoli marco.pizzoli@gmail.com wrote:
Hi list, could someone point me to some resources, in particular usage examples, about DIT content rules?
The first rule is that there are no rules ;-) there are like 2 major patterns so to speak: the X500 organizational distribution and the DNS-inspired way. You can (in fact you should) mix and match your DIT structure with both if you want and adapt to your own needs. There is no one right way to do it.
Many people under-use LDAP. For us LDAP is used for slow-mutating hierarchical information that needs to be centralized, hence the term "directory" is precisely what you should use LDAP for. The data _should_ be organized in complex hierarchical form and not in the stupid People, Computers, etc. hierarchy imposed by stupid pseudo-LDAP technologies such as MS AD, and sorry to say that Samba follows the same mistakes. LDAP is for _a lot_ more than just a flat structure of People and Computers, it is designed to be hierarchically complex, reflecting the true nature of your organization. In the end, this will just translate to LDAP queries which you can easily simplify by working with attributes in the correct way, so no worries about how complex the DIT is.
With complex hierarchies you can then even take all your user tables OUT of the SQLs and do some interesting querying and integration with your SQL stuff via the lesser known operational attribute called entryUUID (defined in RFC4530). Yeap, that's right, there _is in fact_ a logical primary key in LDAP.
I did some pretty interesting work in Venezuela last year through our partner company Corcaribe Tecnología C.A. and wrote a paper that explains all this in detail... BUT the doc is in Spanish. I am attaching the PDF here in case it's of any use to you and/or anyone would care to translate and post a how-to or on a Wiki somewhere. I have the original OpenOffice doc and the drawing in Inkscape SVG if anyone would like to derive some more formal work.
Best,
-- Alejandro Imass
-- _________________________________________ He is not strong who never falls, but he who, having fallen, has the strength to get back up. Jim Morrison
On Thu, Apr 28, 2011 at 1:27 PM, Alejandro Imass aimass@yabarana.com wrote:
Hi Alejandro, thanks for your answer.
I wasn't asking about "DIT Structure Rules" but about "DIT Content Rules". In particular I was referring to the usage of the "ditcontentrule" directive in slapd.conf.
Thanks again Marco
On Thu, Apr 28, 2011 at 7:41 AM, Marco Pizzoli marco.pizzoli@gmail.com wrote:
ooops, hadn't had coffee yet, sorry ;-)
On Thu, Apr 28, 2011 at 12:54:45PM +0200, Marco Pizzoli wrote:
could someone point me to some resources, in particular usage examples, about DIT content rules?
There are a couple of simple DIT Content Rules in section 10.2.4 of my paper on LDAP ACLs:
http://www.skills-1st.co.uk/papers/ldap-acls-jan-2009/
In that example I am using the rules to prevent the addition of auxiliary object classes to entries of specific types. That in turn limits the attribute types that can be added.
Andrew
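Since Marco asked about the slapd.conf directive itself, here is an added example of the kind of rule Andrew describes (pinning down which auxiliary classes one entry type may carry). It is not taken from Andrew's paper or from the OpenLDAP distribution; the schema file paths and the policy it expresses are assumptions for a fictional site.

```conf
# Added example of the slapd.conf "ditcontentrule" directive.  Not from the
# thread or from OpenLDAP itself; the include paths and the policy are assumed.
#
# A content rule may only name object classes and attributes that are already
# defined, so it has to come AFTER the schema includes.
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/nis.schema

# The OID is that of the STRUCTURAL class the rule governs (inetOrgPerson),
# not a new OID of its own: there is at most one content rule per structural
# class.  slapd resolves the OID at startup and refuses to load a rule whose
# OID is unknown or names a non-structural class.
#
#   AUX  - the closed list of auxiliary classes an inetOrgPerson entry may
#          carry.  An add or modify that brings in any other auxiliary class
#          (sambaSamAccount, simpleSecurityObject, ...) fails with an
#          objectClassViolation result.
#   MUST - attributes required on top of the object classes' own MUST lists.
#   NOT  - attributes forbidden even though the object classes allow them
#          (only attributes that are MAY in those classes may be listed).
ditcontentrule ( 2.16.840.1.113730.3.2.2
    NAME 'inetOrgPerson-dcr'
    DESC 'Limit auxiliary classes and attributes on inetOrgPerson entries'
    AUX ( posixAccount $ shadowAccount )
    MUST ( mail )
    NOT ( x121Address $ telexNumber ) )
```

Lines beginning with whitespace are continuations in slapd.conf, so the rule may be split across lines as above. With cn=config the same description goes into the olcDitContentRules attribute of the schema entry under cn=schema,cn=config. Because the rule is enforced by the server on every add and modify, independently of ACLs, it also stops a client that has write access to an entry from bolting on an auxiliary class the rule does not list, which is what makes it useful as a second line of defence next to the ACLs Andrew's paper is about.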
Marco Pizzoli wrote:
could someone point me to some resources, in particular usage examples, about DIT content rules?
Example:
dITContentRule ( 2.16.840.1.113730.3.2.2 NAME 'inetOrgPerson-dcr' NOT ( x121Address ) AUX ( msPerson $ musician $ germanBankArrangement $ posixAccount $ sambaSamAccount $ vPIMUser $ inetLocalMailRecipient $ shadowAccount $ simpleSecurityObject $ pwdPolicy $ msPwdResetObject $ eduPerson $ schacPersonalCharacteristics ) )
Note that the OID is the OID of the accompanying structural object class.
What exactly do you want to do? You should read RFC 4512 for the details.
My web2ldap obeys DIT content rules and therefore I'm usually limiting the usable attributes in object classes with NOT to reduce the number of unneeded input fields. You can also use web2ldap's schema browser to dig into the schema of a server.
Ciao, Michael.
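To see what a rule like Michael's actually permits and forbids, here is an added example (my own code, not web2ldap's or OpenLDAP's) that parses an RFC 4512 dITContentRule description and applies it to entries the way slapd does at add/modify time. The mini-schema is a constructed subset of the standard core, nis and samba schemas (real OIDs, a handful of classes and attributes), and the two sample entries are constructed too; Michael's rule from above can be fed to parse_dcr as-is.

```python
"""Apply an RFC 4512 DIT content rule to LDAP entries (added example, not
OpenLDAP or web2ldap code).  SCHEMA is a constructed subset of the real
core/cosine/inetorgperson/nis/samba schemas, just enough for the check."""
import re
from collections import namedtuple

OC = namedtuple("OC", "oid kind sup must may")

SCHEMA = {  # objectClass name -> (OID, kind, superior, MUST attrs, MAY attrs)
    "top": OC("2.5.6.0", "ABSTRACT", None, {"objectClass"}, set()),
    "person": OC("2.5.6.6", "STRUCTURAL", "top", {"sn", "cn"},
                 {"userPassword", "telephoneNumber", "description"}),
    "organizationalPerson": OC("2.5.6.7", "STRUCTURAL", "person", set(),
                               {"ou", "x121Address", "telexNumber"}),
    "inetOrgPerson": OC("2.16.840.1.113730.3.2.2", "STRUCTURAL", "organizationalPerson",
                        set(), {"mail", "uid", "displayName"}),
    "posixAccount": OC("1.3.6.1.1.1.2.0", "AUXILIARY", "top",
                       {"cn", "uid", "uidNumber", "gidNumber", "homeDirectory"},
                       {"loginShell", "gecos"}),
    "shadowAccount": OC("1.3.6.1.1.1.2.1", "AUXILIARY", "top", {"uid"}, {"shadowLastChange"}),
    "sambaSamAccount": OC("1.3.6.1.4.1.7165.2.2.6", "AUXILIARY", "top",
                          {"uid", "sambaSID"}, {"sambaNTPassword"}),
}

TOKEN = re.compile(r"'[^']*'|[()$]|[^\s()$']+")   # quoted string, bracket, $, or bare word


def parse_dcr(text):
    """Parse a dITContentRule description into {'oid','name','aux','must','may','not'}."""
    toks = TOKEN.findall(text)
    if len(toks) < 2 or toks[0] != "(" or toks[-1] != ")":
        raise ValueError("description must be parenthesised")
    toks = toks[1:-1]
    rule = {"oid": toks[0], "name": None, "aux": set(), "must": set(), "may": set(), "not": set()}
    i = 1
    while i < len(toks):
        kw, i = toks[i], i + 1
        if kw == "OBSOLETE":
            continue
        if i >= len(toks):
            raise ValueError("keyword %s has no value" % kw)
        if toks[i] == "(":                       # ( a $ b $ c ) list
            j = toks.index(")", i)
            vals = [t.strip("'") for t in toks[i + 1:j] if t != "$"]
            i = j + 1
        else:                                    # single qdescr / oid
            vals, i = [toks[i].strip("'")], i + 1
        if kw == "NAME":
            rule["name"] = vals[0]
        elif kw == "DESC":
            rule["desc"] = vals[0]
        elif kw in ("AUX", "MUST", "MAY", "NOT"):
            rule[kw.lower()].update(vals)
        else:
            raise ValueError("unexpected keyword %r" % kw)
    return rule


def ancestors(name):
    """All superclasses of an object class, following SUP up to top."""
    out = set()
    while SCHEMA[name].sup is not None:
        name = SCHEMA[name].sup
        out.add(name)
    return out


def structural_class(classes):
    """The entry's structural class: the most derived STRUCTURAL class present."""
    structural = [c for c in classes if SCHEMA[c].kind == "STRUCTURAL"]
    leaves = [c for c in structural if not any(c in ancestors(o) for o in structural)]
    if len(leaves) != 1:
        raise ValueError("entry needs exactly one structural class chain, got %r" % leaves)
    return leaves[0]


def check_entry(entry, rule):
    """Return the content-rule violations for one entry (empty list means OK).

    entry: dict of attribute name -> list of values, objectClass included.
    Only entries whose structural class OID equals the rule's OID are governed
    by it; any other entry passes untouched, as in slapd.
    """
    classes = set(entry["objectClass"])
    unknown = classes - SCHEMA.keys()
    if unknown:
        raise ValueError("unknown object class(es): %s" % sorted(unknown))
    if SCHEMA[structural_class(classes)].oid != rule["oid"]:
        return []
    name = rule["name"] or rule["oid"]
    present = {a for a, v in entry.items() if v}
    problems = []
    for c in sorted(classes):                    # AUX: closed list of auxiliary classes
        if SCHEMA[c].kind == "AUXILIARY" and c not in rule["aux"]:
            problems.append("auxiliary class %s not allowed by %s" % (c, name))
    for a in sorted(rule["must"] - present):     # MUST: extra required attributes
        problems.append("attribute %s required by %s is missing" % (a, name))
    for a in sorted(present & rule["not"]):      # NOT: optional attributes now forbidden
        problems.append("attribute %s precluded by %s" % (a, name))
    allowed = set(rule["must"]) | set(rule["may"])   # MAY: extra permitted attributes
    for c in classes | set().union(*(ancestors(c) for c in classes)):
        allowed |= SCHEMA[c].must | SCHEMA[c].may
    for a in sorted(present - allowed - rule["not"]):
        problems.append("attribute %s allowed by neither an object class nor %s" % (a, name))
    return problems


RULE = parse_dcr("""( 2.16.840.1.113730.3.2.2 NAME 'inetOrgPerson-dcr'
    AUX ( posixAccount $ shadowAccount ) MUST ( mail )
    NOT ( x121Address $ telexNumber ) )""")

# Constructed entries: GOOD obeys RULE, BAD breaks it three ways.
GOOD = {"objectClass": ["top", "person", "organizationalPerson", "inetOrgPerson", "posixAccount"],
        "cn": ["Marco"], "sn": ["Pizzoli"], "uid": ["marco"], "uidNumber": ["1001"],
        "gidNumber": ["100"], "homeDirectory": ["/home/marco"], "mail": ["marco@example.net"]}
BAD = dict(GOOD, objectClass=GOOD["objectClass"] + ["sambaSamAccount"],
           sambaSID=["S-1-5-21-1-2-3-1001"], x121Address=["12345"], mail=[])

if __name__ == "__main__":
    for label, e in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, check_entry(e, RULE) or "ok")
```

Run against BAD the checker reports the disallowed sambaSamAccount class, the missing mail and the precluded x121Address; the same entry checked against Michael's much wider rule only trips on x121Address, which is exactly the NOT-driven trimming of input fields he describes for web2ldap.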
2011/4/28 Michael Ströder michael@stroeder.com:
Hi guys, thank you both for the help.
Andrew: great document! Michael: thank you very much for the example. I had read the RFC but I was still searching for a usage example. Your web2ldap is on my todo list.
Marco
openldap-technical@openldap.org