Overview
A DIT structure rule is an LDAP Schema element that may be used to define the hierarchical relationships between entries.
In particular, a DIT structure rule defines the kinds of parent entries, based on their STRUCTURAL ObjectClass, that an entry with a given structural class is allowed to have.
Discussion of Viability
Some LDAP Server Implementations with support for DIT structure rules store the number of the governing structure rule in the operationalAttribute governingStructureRule. The operational attribute governingStructureRule is useful for a schema-aware LDAP client that is trying to determine which structural object classes are allowed in a certain part of the DIT when letting the user add a new entry.
When the operationalAttribute governingStructureRule is not available, the client has to determine the governing structure rule itself, which in the worst case (more complex DIT structure rules) can involve reading the whole parent entry chain (up to a subschema administrative point). Clearly this is bad for performance and error-prone.
Hence it would appear to be better to utilize what is stored in governingStructureRule if it is implemented.
Components of a DIT Structure Rule
The components of a DIT structure rule definition include:
- An integer rule ID value that is used to uniquely identify the rule.
- An optional set of names for the DIT structure rule.
- The name or OID of the name form with which the DIT structure rule is associated. The name form in turn links the DIT structure rule to a structural object class.
- An optional set of superior rule IDs. If a set of superior rules is defined, then they are used to define the structural classes below which the structural class associated with the rule's name form is allowed to exist.
The set of DIT structure rules defined in the server may be determined by retrieving the dITStructureRules attribute of the SubschemaSubentry. For more information about DIT structure rules, see the Understanding DIT Structure Rules document.
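
The following is an added example, not code from this page or from any LDAP server project. It parses dITStructureRules values in the RFC 4512 DITStructureRuleDescription syntax and, given the parent's governingStructureRule number, lists the name forms allowed directly below that parent. The sample values and the names `parse_rule` and `allowed_child_forms` are constructed for illustration.

```python
import re

# Constructed sample values of the dITStructureRules attribute, in the
# RFC 4512 DITStructureRuleDescription syntax (not taken from a real server).
SAMPLE_RULES = [
    "( 1 NAME 'orgRule' FORM orgNameForm )",
    "( 2 NAME ( 'ouRule' 'unitRule' ) DESC 'units nest' FORM ouNameForm SUP ( 1 2 ) )",
    "( 3 NAME 'personRule' FORM personNameForm SUP 2 )",
    "( 4 NAME 'oldRule' OBSOLETE FORM oldNameForm SUP 1 )",
]

_RULE_RE = re.compile(
    r"""^\(\s*(?P<id>\d+)
        (?:\s+NAME\s+(?P<names>'[^']*'|\([^)]*\)))?
        (?:\s+DESC\s+'(?P<desc>[^']*)')?
        (?P<obsolete>\s+OBSOLETE)?
        \s+FORM\s+(?P<form>[A-Za-z0-9.;-]+)
        (?:\s+SUP\s+(?P<sup>\d+|\([\d\s]*\)))?
        (?:\s+X-[A-Za-z_-]+\s+(?:'[^']*'|\([^)]*\)))*
        \s*\)$""",
    re.VERBOSE,
)

def parse_rule(value):
    """Split one description into rule ID, names, name form and superior IDs."""
    m = _RULE_RE.match(value.strip())
    if m is None:
        raise ValueError(f"not a DIT structure rule description: {value!r}")
    return {
        "id": int(m["id"]),
        "names": re.findall(r"'([^']*)'", m["names"] or ""),
        "form": m["form"],
        "sup": {int(n) for n in re.findall(r"\d+", m["sup"] or "")},
        "obsolete": m["obsolete"] is not None,
    }

def allowed_child_forms(rule_values, governing_rule_id):
    """Name forms usable directly below a parent entry whose
    governingStructureRule is governing_rule_id; OBSOLETE rules are skipped."""
    rules = [parse_rule(v) for v in rule_values]
    return sorted(
        r["form"] for r in rules
        if not r["obsolete"] and governing_rule_id in r["sup"]
    )
```

Each returned name form still has to be resolved through the nameForms attribute of the SubschemaSubentry to obtain the structural object class it names.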
More Information
There might be more information for this subject on one of the following:
- Best Practices for LDAP Security
- Glossary Of LDAP And Directory Terminology
- LDAP Result Codes
- LDAP Schema
- LDAP Schema Element Type
- Name Form
- Schema Checking
- Structural ObjectClass
- Thinking of LDAP
- Understanding DIT Structure Rules