S 4.386 Restriction in attributes in OpenLDAP
Initiation responsibility: IT Security Officer, Head of IT
Implementation responsibility: Administrator
Overlays can be enabled on the slapd server to enforce restrictions on attribute values without adapting or creating schemas. Such restrictions improve the quality and integrity of the directory service. The following overlays can be used:
- constraint: With the "constraint" overlay (constraints), attribute values can be required to match a specified regular expression (or to satisfy a size, count or set condition). It can thus be enforced, for example, that the "mail" attribute may only contain email addresses of the organisation's own domain.
- unique: With the "unique" overlay (attribute uniqueness), a selected attribute value may exist only once within a defined part of the directory tree. It can thus be prevented, for example, that the same personnel number is assigned to two different users.
- refint: The "refint" overlay (referential integrity) protects the referential integrity of attributes that hold distinguished names (DNs). If, for example, DNs are entered as members of a group, or the DN of a supervisor is stored in an attribute of an employee's entry, "refint" updates these references when the referenced DN is renamed and removes them when the referenced entry is deleted. To do this, on every rename or delete "refint" searches the directory for entries that contain the affected DN in the configured attributes and modifies them accordingly.
Warning: If the overlay would remove the last value of such an attribute, for example the last member of a group, the DN defined in the "refint_nothing" subdirective is inserted in its place, because an empty "member" attribute would violate the schema of the group object class. It must therefore be ensured that a suitable DN is configured there, for example a dedicated application administrator account, so that no entry with lower rights is granted inappropriate rights through membership in the group.
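The following cn=config fragment shows how the three overlays described above are configured. It is an added example and not part of the original measure text. The database "olcDatabase={1}mdb", the suffix dc=example,dc=org, the attribute names "mail", "employeeNumber", "member" and "manager", the regular expression and the DN used for "refint_nothing" are assumptions chosen for illustration; the module-load entry is only required if slapd was built with dynamic modules.

```ldif
# Added example (not from the original measure text). Assumptions: database
# {1}mdb with suffix dc=example,dc=org, slapd built with dynamic modules.

# Load the overlay modules (omit if the overlays are compiled into slapd).
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: constraint.la
olcModuleLoad: unique.la
olcModuleLoad: refint.la

# constraint: "mail" may only hold addresses of the organisation's own domain.
dn: olcOverlay=constraint,olcDatabase={1}mdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcConstraintConfig
olcOverlay: constraint
olcConstraintAttribute: mail regex ^[A-Za-z0-9._+-]+@example\.org$

# unique: a personnel number may be assigned to only one entry below ou=people.
dn: olcOverlay=unique,olcDatabase={1}mdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcUniqueConfig
olcOverlay: unique
olcUniqueURI: ldap:///ou=people,dc=example,dc=org?employeeNumber?sub

# refint: keep group memberships and supervisor references consistent when
# the referenced entry is renamed or deleted. olcRefintNothing is the DN that
# replaces the last member of a group so the group does not become empty;
# use an account that cannot gain rights through such a membership.
dn: olcOverlay=refint,olcDatabase={1}mdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcRefintConfig
olcOverlay: refint
olcRefintAttribute: member manager
olcRefintNothing: cn=app-admin,ou=service,dc=example,dc=org
```

The fragment is applied to a running server over the local socket, for example with `ldapmodify -Y EXTERNAL -H ldapi:/// -f overlays.ldif`. Because the overlays only check operations that pass through slapd after they are active, existing entries should be searched for violations (duplicate personnel numbers, foreign mail domains, dangling member or manager DNs) and cleaned up before the fragment is applied.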
For all such restrictions, it must be noted that they apply only to attributes and objects that are newly created or changed through slapd after the overlay has been activated. Violations of the defined rules that already existed before activation are not detected, and records written by direct access to the underlying database (for example by an offline import that bypasses slapd) are not checked by the overlays.
Such restrictions must only be applied to user data. If they are applied to operational attributes, or if they are enforced within the "slapd-config" configuration database (cn=config), this can result in unexpected behaviour or even render the slapd server unusable.
Review questions:
- Are the restrictions of OpenLDAP attributes applied only to user data and not to operational attributes?