Managing DIT content rules
Directory information tree (DIT) content rules provide a way to precisely define what attributes might be present in an entry based on its structural object class without specifically creating a new object class definition.
The DIT content rules can define the following:
- Mandatory and optional attributes that entries contain
- The set of auxiliary object classes that entries can be part of
- Any optional attributes from the structural and auxiliary object classes that are prohibited from being present in the entries
DIT content rule definitions
DIT content rules can be specified with existing schema components and don’t require additional code for implementation.
On the PingDirectory server, only one DIT content rule can be defined for an entry's structural object class.
The following formal specification for DIT content rules is provided in RFC 4512, section 4.1.6.
DITContentRuleDescription = "(" wsp
    numericoid                 ; Object identifier of the structural object class the rule applies to
    [ sp "NAME" sp qdescrs ]   ; Short name descriptor
    [ sp "DESC" sp qdstring ]  ; Description
    [ sp "OBSOLETE" ]          ; Specifies if the rule is inactive
    [ sp "AUX" sp oids ]       ; List of allowed auxiliary object classes
    [ sp "MUST" sp oids ]      ; List of required attributes
    [ sp "MAY" sp oids ]       ; List of allowed attributes in the entry
    [ sp "NOT" sp oids ]       ; List of prohibited attributes in the entry
    extensions wsp ")"         ; Extensions followed by a white space and ")"
The following extensions are specific to the PingDirectory server and aren’t defined in RFC 4512.
extensions = / "X-ORIGIN"       ; Specifies where the DIT content rule is defined
             / "X-SCHEMA-FILE"  ; Specifies which schema file contains the definition
             / "X-READ-ONLY"    ; True or False. Specifies if the file that contains
                                ; the schema element is marked as read-only in
                                ; the server configuration.
Viewing DIT content rules
Steps
- To view the dITContentRules attribute, run ldapsearch.
  dITContentRules is a multi-valued operational attribute that publishes the definitions on the PingDirectory server, if any. The attribute is stored in the subschema subentry.
  Example:
  $ bin/ldapsearch --baseDN cn=schema --searchScope base \
      "(objectclass=*)" dITContentRules
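As an added example (not PingDirectory code or documentation), the following Python script parses dITContentRules values in the RFC 4512 form given in the definitions section above, taking them from the LDIF that the ldapsearch command in this step prints from cn=schema, and then checks a sample entry against one rule's MUST, NOT and AUX constraints. The LDIF, the rule and the entry are constructed: the rule uses the inetOrgPerson OID from RFC 2798 as its structural class, and the attribute and class names (mail, pkiUser, posixAccount, and so on) are standard LDAP schema names chosen only for illustration. The PingDirectory server enforces content rules itself; this script only shows what the published definition means.

```python
"""Parse dITContentRules values (RFC 4512, section 4.1.6 grammar) as ldapsearch prints
them from cn=schema, and check an entry against a rule.
Added example, not PingDirectory code. The LDIF, rule and entry below are constructed."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Tokens of the description syntax: parentheses, "$" separators,
# single-quoted strings (qdstring/qdescr) and bare words (keywords, OIDs, names).
_TOKEN = re.compile(r"\(|\)|\$|'[^']*'|[^\s()$']+")
_LIST_FIELDS = {"AUX": "aux", "MUST": "must", "MAY": "may", "NOT": "not_"}


@dataclass
class DITContentRule:
    oid: str                                        # OID of the structural object class
    names: List[str] = field(default_factory=list)
    desc: Optional[str] = None
    obsolete: bool = False
    aux: List[str] = field(default_factory=list)    # allowed auxiliary classes
    must: List[str] = field(default_factory=list)   # additionally required attributes
    may: List[str] = field(default_factory=list)    # additionally allowed attributes
    not_: List[str] = field(default_factory=list)   # prohibited attributes
    extensions: Dict[str, List[str]] = field(default_factory=dict)  # X-* fields


def _unquote(tok: str) -> str:
    return tok[1:-1] if len(tok) >= 2 and tok[0] == tok[-1] == "'" else tok


def parse_dit_content_rule(text: str) -> DITContentRule:
    """Parse one DITContentRuleDescription value into a DITContentRule."""
    tokens = _TOKEN.findall(text)
    if len(tokens) < 3 or tokens[0] != "(" or tokens[-1] != ")":
        raise ValueError("definition must be '( numericoid ... )'")
    pos = 2
    rule = DITContentRule(oid=tokens[1])

    def read_list() -> List[str]:
        # oids / qdescrs / qdstrings: a single token or "( a $ b )" / "( 'a' 'b' )"
        nonlocal pos
        if tokens[pos] != "(":
            pos += 1
            return [_unquote(tokens[pos - 1])]
        pos += 1
        items: List[str] = []
        while pos < len(tokens) and tokens[pos] != ")":
            if tokens[pos] != "$":
                items.append(_unquote(tokens[pos]))
            pos += 1
        if pos >= len(tokens):
            raise ValueError("unterminated list")
        pos += 1  # consume ")"
        return items

    while pos < len(tokens) - 1:            # stop before the closing ")"
        kw = tokens[pos]
        pos += 1
        if kw == "NAME":
            rule.names = read_list()
        elif kw == "DESC":
            rule.desc = _unquote(tokens[pos])
            pos += 1
        elif kw == "OBSOLETE":
            rule.obsolete = True
        elif kw in _LIST_FIELDS:
            setattr(rule, _LIST_FIELDS[kw], read_list())
        elif kw.startswith("X-"):            # server-specific extensions, e.g. X-SCHEMA-FILE
            rule.extensions[kw] = read_list()
        else:
            raise ValueError(f"unexpected token {kw!r}")
    return rule


def rules_from_ldif(text: str) -> List[DITContentRule]:
    """Unfold LDIF continuation lines (leading space) and parse every dITContentRules value."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    rules = []
    for line in lines:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "ditcontentrules":
            rules.append(parse_dit_content_rule(value.strip()))
    return rules


def violations(rule: DITContentRule, entry: Dict[str, List[str]], structural_chain: List[str]) -> List[str]:
    """Report the constraints the rule adds on top of the object classes: every MUST attribute
    present, no NOT attribute present, and no objectClass outside the structural chain unless
    it is listed in AUX. (Which attributes the classes themselves permit is not modelled here.)
    Names are compared case-insensitively, as LDAP does."""
    attrs = {k.lower(): v for k, v in entry.items()}
    problems = [f"missing required attribute {a}" for a in rule.must if a.lower() not in attrs]
    problems += [f"prohibited attribute {a} is present" for a in rule.not_ if a.lower() in attrs]
    permitted = {c.lower() for c in structural_chain} | {c.lower() for c in rule.aux}
    problems += [f"auxiliary class {oc} is not allowed by the rule"
                 for oc in attrs.get("objectclass", []) if oc.lower() not in permitted]
    return problems


# Constructed sample of what the ldapsearch command above prints (folded LDIF).
# 2.16.840.1.113730.3.2.2 is the inetOrgPerson OID from RFC 2798; the rest is illustrative.
SAMPLE_LDIF = """\
dn: cn=schema
dITContentRules: ( 2.16.840.1.113730.3.2.2 NAME 'inetOrgPersonContentRule'
  DESC 'constructed example rule' AUX ( strongAuthenticationUser $ pkiUser )
  MUST ( mail ) MAY ( telephoneNumber $ title ) NOT ( userPassword )
  X-ORIGIN 'example' X-SCHEMA-FILE '99-user.ldif' X-READ-ONLY 'false' )
"""
INETORGPERSON_CHAIN = ["top", "person", "organizationalPerson", "inetOrgPerson"]
SAMPLE_ENTRY = {  # constructed entry that breaks all three kinds of constraint
    "objectClass": ["top", "person", "organizationalPerson", "inetOrgPerson", "pkiUser", "posixAccount"],
    "cn": ["Example User"], "sn": ["User"], "userPassword": ["{SSHA}placeholder"],
}

if __name__ == "__main__":
    for r in rules_from_ldif(SAMPLE_LDIF):
        print(f"rule for {r.oid} ({', '.join(r.names)}): MUST={r.must} NOT={r.not_} AUX={r.aux}")
        for problem in violations(r, SAMPLE_ENTRY, INETORGPERSON_CHAIN):
            print("  violation:", problem)
```

Run it with no arguments to parse the embedded sample; to read a live server, pipe the output of the ldapsearch command above into `rules_from_ldif`. The parser follows the token order loosely rather than enforcing the exact RFC ordering, which is enough for reading definitions a server has already accepted.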