Overview
DIT Content Rule is a Subschema element that specifies which AUXILIARY object classes are allowed to be used with an entry, as well as which attribute types are required, allowed, and prohibited for use with an entry, based on its STRUCTURAL object class.
Different LDAP Server Implementations enforce DIT Content Rules to varying degrees; some ignore them entirely, so their presence in the subschema does not guarantee they are applied.
The components of a DIT Content Rule Description include:
- The numeric OID of the structural object class with which the DIT content rule is associated.
- An optional set of names for the DIT Content Rule.
- An optional set of AUXILIARY object class names or OIDs for the auxiliary classes that are allowed to be used with entries containing the associated structural class.
- An optional set of attributeType names or OIDs for attribute types that are required to be present in entries with the associated structural class. These attributes will be required even if they are not allowed by any of the object classes in the entry.
- An optional set of attribute type names or OIDs for attribute types that may optionally be present in entries with the associated structural class. These attributes will be allowed even if they are not allowed by any of the object classes in the entry.
- An optional set of attribute type names or OIDs for attribute types that are prohibited to be present in entries with the associated structural class. These attributes will be prohibited even if they are allowed by any of the object classes in the entry.
The set of DIT content rules defined in the server may be determined by retrieving the dITContentRules attribute of the SubschemaSubentry. For more information about DIT content rules, see the Understanding DIT Content Rules document.
DIT Content Rule LDAP specifications
None of the major LDAP specifications include any DIT Content Rule definitions. However, the following is an example of a DIT Content Rule definition that augments the inetOrgPerson structural class to allow only the strongAuthenticationUser auxiliary class, that requires the uid attribute (in addition to the cn and sn attributes already required by inetOrgPerson), that also allows the c attribute (which specifies the user's country and would not otherwise be allowed by the entry's object classes), and that prohibits the use of the telexNumber and telexTerminalIdentifier attributes:
( 2.16.840.1.1137184.108.40.206 NAME 'inetOrgPerson-content-rule' AUX strongAuthenticationUser MUST uid MAY c NOT ( telexNumber $ telexTerminalIdentifier ) )
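As an added example (not from this page or from any LDAP server's code), the following Python parses the rule definition above and applies its AUX, MUST, MAY and NOT components to a candidate entry the way a server's schema check would. The set of attributes permitted by the entry's own object classes is a constructed stand-in for what a real server derives from its schema.

```python
import re

# The DIT content rule from the page, as a constructed input string.
RULE = ("( 2.16.840.1.1137184.108.40.206 NAME 'inetOrgPerson-content-rule' "
        "AUX strongAuthenticationUser MUST uid MAY c "
        "NOT ( telexNumber $ telexTerminalIdentifier ) )")

# Constructed stand-in for the schema: attribute types that inetOrgPerson and
# strongAuthenticationUser (and their superiors) already permit on an entry.
OC_ALLOWED = {"cn", "sn", "uid", "telexNumber", "telexTerminalIdentifier",
              "userCertificate"}


def _values(token):
    """Expand a single name/OID or a '( a $ b )' / '( 'n1' 'n2' )' list."""
    token = token.strip()
    if token.startswith("("):
        inner = token[1:-1]
        parts = inner.split("$") if "$" in inner else inner.split()
    else:
        parts = [token]
    return [p.strip().strip("'") for p in parts if p.strip()]


def parse_dit_content_rule(desc):
    """Parse an RFC 4512-style DITContentRuleDescription into its components."""
    body = desc.strip()[1:-1].strip()          # drop outer parentheses
    oid, rest = body.split(None, 1)            # leading OID is the structural class
    rule = {"oid": oid, "names": [], "aux": [], "must": [], "may": [], "not": []}
    keys = {"NAME": "names", "AUX": "aux", "MUST": "must", "MAY": "may", "NOT": "not"}
    pattern = re.compile(r"\b(NAME|AUX|MUST|MAY|NOT)\b\s*(\([^)]*\)|'[^']*'|\S+)")
    for key, value in pattern.findall(rest):
        rule[keys[key]].extend(_values(value))
    return rule


def check_entry(rule, aux_classes, attributes, oc_allowed=OC_ALLOWED):
    """Return the violations of `rule` for one entry (empty list = accepted).
    aux_classes: auxiliary classes among the entry's objectClass values
    attributes:  attribute types present in the entry
    oc_allowed:  attribute types the entry's own object classes permit"""
    attrs = set(attributes)
    problems = []
    for oc in sorted(set(aux_classes) - set(rule["aux"])):
        problems.append(f"auxiliary class {oc} not permitted by DIT content rule")
    for at in rule["must"]:
        if at not in attrs:
            problems.append(f"required attribute {at} is missing")
    for at in sorted(attrs & set(rule["not"])):
        problems.append(f"attribute {at} is prohibited by DIT content rule")
    for at in sorted(attrs - set(oc_allowed) - set(rule["may"]) - set(rule["must"])):
        problems.append(f"attribute {at} is not allowed by any object class or the rule")
    return problems
```

The last loop is what makes the MAY component observable: `c` is accepted only because the rule lists it, while an attribute absent from both the object classes and the rule is rejected.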
More Information
There might be more information for this subject on one of the following:
- Best Practices for LDAP Security
- Collective Attribute
- Glossary Of LDAP And Directory Terminology
- LDAP Schema Element Type
- Modify Request
- Schema Checking
- Structural ObjectClass
- Thinking of LDAP