LDAP objects can refer to other objects, using the DN of the referenced
object. For example, a policy rule can be separated from its conditions
and time periods, with those objects being referenced by the rule
object.
Each LDAP object is composed of a number of attributes. Some of
the attributes are generic LDAP attributes that apply to all LDAP
objects. Other attributes are used only for Version 1 policy definitions.
All other Version 2 and later policy attributes must begin with a
unique prefix:
ibm-
When defining complex policy rules (those with more than one condition
or action), two mutually exclusive methods can be used to associate
the conditions or actions with the rule:
- The ibm-policyConditionListDN and ibm-policyActionListDN attributes
can be omitted from the rule. In this case, the condition and action
association objects MUST be created as subordinate objects to the
policy rule, in other words, under the rule in the directory subtree.
This is known as Directory Information Tree (DIT)-containment.
- The ibm-policyConditionListDN and ibm-policyActionListDN attributes
can be specified in the rule. In this case, the condition and action
association objects SHOULD be created as subordinate objects to the
policy rule, in other words, under the rule in the directory subtree.
However, this is not a requirement, only a recommendation. The objects
can actually exist anywhere in the DIT.
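The two methods above can be checked mechanically against a directory export, which is useful when auditing that rules reference the conditions and actions an operator thinks they do. The following Python is an added example, not part of the original documentation or of IBM's product code: it applies the two rules (attribute omitted means the association objects must sit under the rule; attribute present means every referenced DN must exist, with placement under the rule only recommended) to a constructed in-memory snapshot. The attribute names ibm-policyConditionListDN and ibm-policyActionListDN are the ones the text names; the objectClass values, DNs and the simplified DN matching are assumptions made for the example.

```python
# Added example (not from the original documentation): checks how policy
# rules bind their condition and action association objects. The attribute
# names come from the text; objectClass values and DNs are constructed
# placeholders, not IBM's schema.

CONDITION_ATTR = "ibm-policyConditionListDN"
ACTION_ATTR = "ibm-policyActionListDN"

# Hypothetical object classes used here only to tell association objects apart.
CONDITION_ASSOC_CLASS = "x-conditionAssociation"
ACTION_ASSOC_CLASS = "x-actionAssociation"
RULE_CLASS = "x-policyRule"


def normalize_dn(dn):
    """Normalize a DN for comparison: lower-case, no blanks around commas.
    This is a simplification of RFC 4514 DN matching, enough for the example."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def is_subordinate(child_dn, parent_dn):
    """True when child_dn is strictly below parent_dn in the DIT."""
    child, parent = normalize_dn(child_dn), normalize_dn(parent_dn)
    return child != parent and child.endswith("," + parent)


def check_rule(rule_dn, entries):
    """Return (severity, message) findings for one policy rule.

    entries maps DN -> {attribute name: [values]}. For each association kind:
      * attribute absent  -> DIT-containment: association objects of that kind
        must exist under the rule; none there is an error.
      * attribute present -> every referenced DN must exist (a dangling
        reference is an error); an object outside the rule's subtree is
        permitted but reported as advisory, since subordination is only
        recommended.
    """
    rule = entries[rule_dn]
    findings = []
    by_dn = {normalize_dn(dn): dn for dn in entries}
    for attr, assoc_class in ((CONDITION_ATTR, CONDITION_ASSOC_CLASS),
                              (ACTION_ATTR, ACTION_ASSOC_CLASS)):
        refs = rule.get(attr)
        if not refs:
            contained = [dn for dn, e in entries.items()
                         if assoc_class in e.get("objectClass", [])
                         and is_subordinate(dn, rule_dn)]
            if not contained:
                findings.append(("error", f"{rule_dn}: {attr} omitted but no "
                                 f"{assoc_class} objects found under the rule"))
            continue
        for ref in refs:
            target = by_dn.get(normalize_dn(ref))
            if target is None:
                findings.append(("error", f"{rule_dn}: {attr} refers to "
                                 f"missing object {ref}"))
            elif not is_subordinate(target, rule_dn):
                findings.append(("advisory", f"{rule_dn}: {attr} refers to "
                                 f"{ref}, which is outside the rule's subtree"))
    return findings


def check_all(entries):
    """Run check_rule over every entry that carries the rule object class."""
    return {dn: check_rule(dn, entries) for dn, e in entries.items()
            if RULE_CLASS in e.get("objectClass", [])}


# Constructed directory snapshot: ruleA uses DIT-containment, ruleB uses
# DN references, one of which points outside its subtree and one of which
# is dangling.
BASE = "ou=policy,o=example"
ENTRIES = {
    f"cn=ruleA,{BASE}": {"objectClass": [RULE_CLASS]},
    f"cn=cond1,cn=ruleA,{BASE}": {"objectClass": [CONDITION_ASSOC_CLASS]},
    f"cn=act1,cn=ruleA,{BASE}": {"objectClass": [ACTION_ASSOC_CLASS]},
    f"cn=ruleB,{BASE}": {
        "objectClass": [RULE_CLASS],
        CONDITION_ATTR: [f"cn=cond1,cn=ruleB,{BASE}",
                         f"cn=sharedCond,ou=shared,{BASE}"],
        ACTION_ATTR: [f"cn=missingAct,cn=ruleB,{BASE}"],
    },
    f"cn=cond1,cn=ruleB,{BASE}": {"objectClass": [CONDITION_ASSOC_CLASS]},
    f"cn=sharedCond,ou=shared,{BASE}": {"objectClass": [CONDITION_ASSOC_CLASS]},
}

if __name__ == "__main__":
    for dn, findings in check_all(ENTRIES).items():
        print(dn, findings or "ok")
```

Run as a script it reports ruleA as clean, an advisory for ruleB's shared condition object, and an error for ruleB's missing action object. Feeding it a real export means loading LDIF into the same DN-keyed dictionary and substituting the deployment's actual rule and association object classes for the placeholders.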