DIT Content Rule

Overview

DIT Content Rule is a Subschema element that specifies which AUXILIARY object classes are allowed to be used with an entry, as well as which attribute types are required, allowed, and prohibited for use with an entry, based on its STRUCTURAL object class.

As with much of the subschema, different LDAP Server Implementations enforce DIT Content Rules to varying degrees.

The components of a DIT Content Rule Description include:

  • The numeric OID of the structural object class with which the DIT content rule is associated.
  • An optional set of names for the DIT Content Rule.
  • An optional set of AUXILIARY object class names or OIDs for the auxiliary classes that are allowed to be used with entries containing the associated structural class.
  • An optional set of attribute type names or OIDs for attribute types that are required to be present in entries with the associated structural class. These attributes will be required even if they are not allowed by any of the object classes in the entry.
  • An optional set of attribute type names or OIDs for attribute types that may optionally be present in entries with the associated structural class. These attributes will be allowed even if they are not allowed by any of the object classes in the entry.
  • An optional set of attribute type names or OIDs for attribute types that are prohibited to be present in entries with the associated structural class. These attributes will be prohibited even if they are allowed by any of the object classes in the entry.

The set of DIT content rules defined in the server may be determined by retrieving the dITContentRules attribute of the SubschemaSubentry. For more information about DIT content rules, see the Understanding DIT Content Rules document.

DIT Content Rule LDAP specifications[1]

None of the major LDAP specifications include any DIT Content Rule definitions. However, the following is an example of a DIT Content Rule definition that augments the inetOrgPerson structural class to allow only the strongAuthenticationUser auxiliary class, that requires the uid attribute (in addition to the cn and sn attributes already required by inetOrgPerson), that also allows the c attribute (which specifies the user’s country and would not otherwise be allowed by the entry’s object classes), and that prohibits the use of the telexNumber and telexTerminalIdentifier attributes:

    ( 2.16.840.1.113730.3.2.2
      NAME 'inetOrgPerson-content-rule'
      AUX strongAuthenticationUser
      MUST uid
      MAY c
      NOT ( telexNumber $ telexTerminalIdentifier ) )

Note that according to RFC 4512 section 2.4.3, a fully standards-compliant directory server will NOT allow an entry to include any AUXILIARY object classes if there is no DIT Content Rule associated with that entry’s structural class. While some LDAP Server Implementations use a more relaxed constraint and allow any auxiliary class to be used in conjunction with an entry that is not governed by any DIT content rule, if you intend to use auxiliary object classes then it is RECOMMENDED that you also define the appropriate DIT Content Rule(s) to allow their use.
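As an added illustration (not code from this page or from any LDAP server), the following Python parses a DIT Content Rule description in the RFC 4512 syntax and then checks an entry against the parsed rule's AUX, MUST and NOT components, using the rule quoted above as its input. The inetOrgPerson superior chain is an assumption supplied to the checker, and MAY is not checked because the rule alone cannot say which attributes the entry's object classes allow.

```python
import re

# Constructed sample: the rule quoted on this page, as one value of the
# dITContentRules attribute of the subschema subentry would carry it.
RULE = ("( 2.16.840.1.113730.3.2.2 NAME 'inetOrgPerson-content-rule' "
        "AUX strongAuthenticationUser MUST uid MAY c "
        "NOT ( telexNumber $ telexTerminalIdentifier ) )")
KEYWORDS = ("NAME", "DESC", "OBSOLETE", "AUX", "MUST", "MAY", "NOT")
# Assumed superior chain of inetOrgPerson (RFC 2798); the rule itself does not carry it.
INETORGPERSON_CHAIN = {"top", "person", "organizationalPerson", "inetOrgPerson"}

def _oidlist(text):
    """An oidlist is a single descr/OID or a '$'-separated list in parentheses."""
    text = text.strip()
    if text.startswith("("):
        return [t.strip() for t in text.strip("() ").split("$") if t.strip()]
    return [text] if text else []

def parse_dit_content_rule(desc):
    """Parse an RFC 4512 DITContentRuleDescription into its components."""
    body = desc.strip()
    if not (body.startswith("(") and body.endswith(")")):
        raise ValueError("description must be parenthesised")
    oid, _, rest = body[1:-1].strip().partition(" ")
    rule = {"oid": oid, "name": [], "aux": [], "must": [], "may": [], "not": []}
    # Each keyword owns the text up to the next keyword; '$'-lists go through _oidlist.
    parts = re.split(r"\b(" + "|".join(KEYWORDS) + r")\b", rest)
    for keyword, value in zip(parts[1::2], parts[2::2]):
        if keyword == "NAME":
            rule["name"] = re.findall(r"'([^']*)'", value)
        elif keyword in ("AUX", "MUST", "MAY", "NOT"):
            rule[keyword.lower()] = _oidlist(value)
    return rule

def check_entry(entry, rule, structural_chain=INETORGPERSON_CHAIN):
    """Return the violations of `rule` by `entry` (dict of attribute -> list of values)."""
    # MAY is not checked: it only widens what the object classes already allow.
    attrs = {name.lower(): values for name, values in entry.items()}
    problems = []
    for oc in set(attrs.get("objectclass", [])) - structural_chain:
        if oc not in rule["aux"]:
            problems.append(f"auxiliary class {oc} not permitted by rule")
    for at in rule["must"]:
        if not attrs.get(at.lower()):
            problems.append(f"required attribute {at} missing")
    for at in rule["not"]:
        if attrs.get(at.lower()):
            problems.append(f"prohibited attribute {at} present")
    return problems
```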
