PingDirectory

Managing DIT content rules

Directory information tree (DIT) content rules provide a way to precisely define which attributes may be present in an entry, based on its structural object class, without creating a new object class definition.

The DIT content rules can define the following:

  • Mandatory and optional attributes that entries contain

  • The set of auxiliary object classes that entries can be part of

  • Any optional attributes from the structural and auxiliary object classes that are prohibited from being present in the entries

DIT content rule definitions

DIT content rules can be specified with existing schema components and don’t require additional code for implementation.

On the PingDirectory server, only one DIT content rule can be defined for each structural object class. The rule is identified by the OID of that structural object class and governs every entry that has it as its structural class.

The following formal specification for DIT content rules is provided in RFC 4512, section 4.1.6.

DITContentRuleDescription = "(" wsp
numericoid                  ; Object identifier of the structural object class the rule applies to
[ sp "NAME" sp qdescrs ]    ; Short name descriptors
[ sp "DESC" sp qdstring ]   ; Description
[ sp "OBSOLETE" ]           ; Specifies that the rule is inactive
[ sp "AUX" sp oids ]        ; Auxiliary object classes the entry is allowed to include
[ sp "MUST" sp oids ]       ; Attributes required in addition to those the object classes require
[ sp "MAY" sp oids ]        ; Attributes permitted in addition to those the object classes allow
[ sp "NOT" sp oids ]        ; Optional attributes of the object classes that are prohibited in the entry
extensions wsp ")"          ; Extensions followed by white space and ")"

The following extensions are specific to the PingDirectory server and aren’t defined in RFC 4512.

extensions = /
"X-ORIGIN" /             ; Specifies where the DIT content rule is defined
"X-SCHEMA-FILE" /        ; Specifies which schema file contains the definition
"X-READ-ONLY"            ; True or False. Specifies if the file that contains
                         ;   the schema element is marked as read-only in
                         ;   the server configuration.
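The following example is added here to show the definition format and the enforcement it implies in working code; it is not PingDirectory code. It parses a DITContentRuleDescription written in the RFC 4512 form above (including the X- extensions) and then evaluates entries against it the way the server does at write time: the entry's auxiliary classes must appear in AUX, the MUST attributes are added to the structural class's requirements, MAY widens the permitted set, and NOT removes optional attributes. The rule text, the schema subset (inetOrgPerson is shown with only a few of its inherited attributes) and both entries are constructed for the example; the OIDs for inetOrgPerson, strongAuthenticationUser and posixAccount are the standard ones.

```python
"""Parse an RFC 4512 DITContentRuleDescription and evaluate entries against it.

Added example, not PingDirectory code. The rule text, the schema subset and
the entries below are constructed for illustration; on a real server the
rule comes from the dITContentRules attribute of cn=schema.
"""
import re

# Tokens: quoted strings, parentheses, the '$' separator, or bare words.
_TOKEN_RE = re.compile(r"'[^']*'|\(|\)|\$|[^\s()$']+")


def _read_list(tokens, i, strip_quotes):
    """Read one item or a parenthesised list; return (items, next index)."""
    clean = (lambda t: t.strip("'")) if strip_quotes else (lambda t: t)
    if tokens[i] != "(":
        return [clean(tokens[i])], i + 1
    items, i = [], i + 1
    while tokens[i] != ")":
        if tokens[i] != "$":
            items.append(clean(tokens[i]))
        i += 1
    return items, i + 1


def parse_dit_content_rule(text):
    """Parse the ABNF from RFC 4512 section 4.1.6 into a dict."""
    tokens = _TOKEN_RE.findall(text)
    if len(tokens) < 3 or tokens[0] != "(" or tokens[-1] != ")":
        raise ValueError("definition must be '( numericoid ... )'")
    rule = {"oid": tokens[1], "name": [], "desc": None, "obsolete": False,
            "aux": [], "must": [], "may": [], "not": [], "extensions": {}}
    i = 2
    while i < len(tokens) - 1:          # stop before the closing ")"
        kw = tokens[i].upper()
        i += 1
        if kw == "NAME":
            rule["name"], i = _read_list(tokens, i, True)
        elif kw == "DESC":
            vals, i = _read_list(tokens, i, True)
            rule["desc"] = vals[0]
        elif kw == "OBSOLETE":
            rule["obsolete"] = True
        elif kw in ("AUX", "MUST", "MAY", "NOT"):
            rule[kw.lower()], i = _read_list(tokens, i, False)
        elif kw.startswith("X-"):       # X-ORIGIN, X-SCHEMA-FILE, X-READ-ONLY, ...
            rule["extensions"][kw], i = _read_list(tokens, i, True)
        else:
            raise ValueError(f"unexpected token {tokens[i - 1]!r}")
    return rule


def _lc(names):
    """LDAP descriptors are case-insensitive; compare them in lower case."""
    return {n.lower() for n in names}


def check_entry(entry, rule, schema):
    """Return the violations of `rule` by `entry` (empty list means compliant).

    entry maps attribute names to value lists and carries objectClass.
    schema maps class name -> {"oid", "kind", "must", "may"}.
    """
    by_name = {k.lower(): v for k, v in schema.items()}
    classes = {c.lower(): by_name[c.lower()] for c in entry.get("objectClass", [])}
    structural = [c for c, d in classes.items() if d["kind"] == "STRUCTURAL"]
    if len(structural) != 1:
        return [f"entry needs exactly one structural class, found {structural}"]
    if classes[structural[0]]["oid"] != rule["oid"]:
        return [f"rule {rule['oid']} does not govern {structural[0]}"]
    problems = []
    must = _lc(classes[structural[0]]["must"]) | _lc(rule["must"])
    may = _lc(classes[structural[0]]["may"]) | _lc(rule["may"])
    for c, d in classes.items():
        if d["kind"] != "AUXILIARY":
            continue
        if c not in _lc(rule["aux"]):   # only AUX-listed auxiliary classes count
            problems.append(f"auxiliary class {c} is not in the rule's AUX list")
        else:
            must |= _lc(d["must"])
            may |= _lc(d["may"])
    present = _lc(entry) - {"objectclass"}
    problems += [f"required attribute {a} is missing" for a in sorted(must - present)]
    problems += [f"attribute {a} is prohibited by NOT" for a in sorted(present & _lc(rule["not"]))]
    problems += [f"attribute {a} is not permitted here" for a in sorted(present - must - may)]
    return problems


# Constructed schema subset (real inetOrgPerson inherits more than shown).
SCHEMA = {
    "inetOrgPerson": {"oid": "2.16.840.1.113730.3.2.2", "kind": "STRUCTURAL",
                      "must": {"cn", "sn"},
                      "may": {"mail", "homePhone", "pager", "userPassword", "employeeNumber"}},
    "strongAuthenticationUser": {"oid": "2.5.6.15", "kind": "AUXILIARY",
                                 "must": {"userCertificate"}, "may": set()},
    "posixAccount": {"oid": "1.3.6.1.1.1.2.0", "kind": "AUXILIARY",
                     "must": {"cn", "uid", "uidNumber", "gidNumber", "homeDirectory"},
                     "may": {"userPassword", "loginShell", "gecos", "description"}},
}

# Constructed rule in the RFC 4512 form, with the PingDirectory X- extensions.
RULE_TEXT = """( 2.16.840.1.113730.3.2.2 NAME 'inetOrgPersonContentRule'
  DESC 'Constructed example: require mail, allow host, forbid phone numbers'
  AUX ( strongAuthenticationUser ) MUST ( mail ) MAY host
  NOT ( homePhone $ pager ) X-ORIGIN 'example' X-SCHEMA-FILE '99-user.ldif' )"""
RULE = parse_dit_content_rule(RULE_TEXT)

# Constructed entries: one compliant, one breaking AUX, MUST, NOT and MAY.
GOOD_ENTRY = {"objectClass": ["inetOrgPerson", "strongAuthenticationUser"],
              "cn": ["Ada"], "sn": ["Lovelace"], "mail": ["ada@example.com"],
              "userCertificate": [b"..."], "host": ["build01"]}
BAD_ENTRY = {"objectClass": ["inetOrgPerson", "posixAccount"],
             "cn": ["Bob"], "sn": ["Builder"], "homePhone": ["+1 555 0100"],
             "uid": ["bob"]}

if __name__ == "__main__":
    for label, entry in (("good", GOOD_ENTRY), ("bad", BAD_ENTRY)):
        print(label, check_entry(entry, RULE, SCHEMA) or "compliant")
```

The bad entry produces four separate findings, one per clause of the rule: posixAccount is not in AUX, so its attributes do not widen the permitted set and uid is rejected; mail is missing because MUST adds it to the structural class's requirements; homePhone is rejected by NOT even though inetOrgPerson allows it. This is the same reasoning the server applies on add and modify, which is why a rule with an over-broad NOT or a MUST that existing entries do not satisfy will start rejecting writes as soon as it is loaded.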

Viewing DIT content rules

Steps

  • To view the dITContentRules attribute, run ldapsearch.

    dITContentRules is a multi-valued operational attribute, stored in the subschema subentry, that publishes the rule definitions loaded on the PingDirectory server, if any. Because it is operational, it is not returned by default and must be named explicitly in the search request, as in the example below; an empty result means no rules are defined.

    Example:

    $ bin/ldapsearch --baseDN cn=schema --searchScope base \
      "(objectclass=*)" dITContentRules