16.5.2. DIT Structure Rules

From clause 13.1.6 of ITU-T Rec. X.501 and Section 4.1.7.1 of RFC 4512:

DIT structure rule: A rule governing the structure of the DIT by specifying a permitted superior to subordinate entry relationship. A structure rule relates a name form, and therefore a structural object class, to superior structure rules. This permits entries of the structural object class identified by the name form to exist in the DIT as subordinates to entries governed by the indicated superior structure rules.

In short, a DIT structure rule enforces the terms of its prescribed name form. To offer a simple analogy, if a name form represents a law, the DIT structure rule is the public official upholding that law.

Consider this structure rule, per the included 03-uddiv3.ldif file:

     dITStructureRules: ( 1
        NAME 'uddiBusinessEntityStructureRule'
        FORM uddiBusinessEntityNameForm
        X-ORIGIN 'RFC 4403' )

This rule employs the uddiBusinessEntityNameForm definition, and constrains entries bearing the STRUCTURAL object class of the name form -- also known as the namedObjectClass -- to the RDN attribute type (in this case, uddiBusinessKey).

When a DIT structure rule is introduced to the directory schema, it will not be evaluated until an entry is added to the DIT it enforces.

DIT structure rules shall not influence preexisting entries, even if based upon now-illegal STRUCTURAL class and RDN combinations.

Once structure rules have been established, adding an entry to the DIT, or renaming an entry within it, in violation of a structure rule causes OpenDJ to return "Object class violation (65)" along with additional contextual information for debugging purposes.

Note

As of version 4.8.0, OpenDJ uses the result code "Object class violation (65)" for certain name form related errors, where it should use "Naming violation (64)".

This issue will be resolved in a future release of the package to avoid introducing breaking changes. Users are advised to update any external scripts or applications which may match the incorrect result code, and take steps to allow recognition of the correct result code in parallel for maximum compatibility.

But when a new entry is successfully added to or renamed within the DIT, a new operational attribute type appears on the entry: governingStructureRule.

From clause 13.1.7 of ITU-T Rec. X.501:

Governing structure rule (of an entry): With respect to a particular entry, the single DIT structure rule that applies to the entry. This rule is indicated by the governingStructureRule operational attribute.

See also Section 3.4.6 of RFC 4512.

In simplest terms, the governingStructureRule contains the integer identifier of the DIT structure rule which governs the entry. In the case of the above DIT structure rule, it would appear in LDAP search results as follows:

     governingStructureRule: 1

Instances of this attribute type may be used for diagnostic reasons, or by client applications designed to determine the appropriate RDN syntax to be applied for a new entry, or for an entry being renamed and/or moved, in advance of the request.

DIT structure rules can be configured in such a way that a particular rule extends from, or is subordinate to, another DIT structure rule using the SUP clause.

Tip
A superior DIT structure rule is often referred to as a superior structure rule, per clause 13.1.9 of ITU-T Rec. X.501.

The purpose of the SUP clause is to allow an entry with a particular RDN syntax to reside beneath one of multiple possible choices. For example:

In this example, the integer identifiers 20 and 21 indicate that the bearer of this clause will allow entries to reside as subordinates to either of the entries governed by those rules.

Also note that rules can be recursive or "self-referencing". This occurs when a DIT structure rule has a SUP clause member that matches its own integer identifier. This is a particularly useful feature because it allows compliant entries -- for example, those bearing the organizationalUnit STRUCTURAL class -- to be nested within superior entries of like design.

For an example of recursive rules in action, see the ouStructure rule (21) in the next section.
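The client-side check mentioned above (working out, in advance of an add or rename, which rule would govern the entry) and the SUP and self-reference behaviour can be sketched as follows. This is an added example, not OpenDJ code: rule 1 is taken from this page, while the bodies of rules 20 and 21, the name-form-to-class mappings, and the function names are assumptions constructed for illustration.

```python
import re

# Constructed sample data. Rule 1 is the page's rule; rules 20/21 and all name-form
# mappings are assumptions (rule 21 lists itself in SUP, so it is recursive).
NAME_FORMS = {  # name form -> (STRUCTURAL class, RDN attribute type)
    "uddiBusinessEntityNameForm": ("uddiBusinessEntity", "uddiBusinessKey"),
    "exampleOrgNameForm": ("organization", "o"),
    "exampleOuNameForm": ("organizationalUnit", "ou"),
}
RULES = """\
dITStructureRules: ( 1 NAME 'uddiBusinessEntityStructureRule' FORM uddiBusinessEntityNameForm X-ORIGIN 'RFC 4403' )
dITStructureRules: ( 20 NAME 'exampleOrgStructure' FORM exampleOrgNameForm )
dITStructureRules: ( 21 NAME 'ouStructure' FORM exampleOuNameForm SUP ( 20 21 ) )
"""

def parse_rules(text):
    """Map rule id -> (name form, set of superior rule ids); one value per line."""
    rules = {}
    for line in text.splitlines():
        rid = re.search(r":\s*\(\s*(\d+)\s", line)
        form = re.search(r"\sFORM\s+([\w.-]+)", line)
        sup = re.search(r"\sSUP\s+(?:\(([\d\s]+)\)|(\d+))", line)
        if rid and form:
            ids = (sup.group(1) or sup.group(2)).split() if sup else []
            rules[int(rid.group(1))] = (form.group(1), {int(i) for i in ids})
    return rules

def governing_rule(rules, parent_rule, structural_oc, rdn_attr):
    """Return the id of the rule that would govern a new entry, else None.

    parent_rule is the parent's governingStructureRule value, or None when the
    parent is ungoverned, where only rules without a SUP clause can apply.
    Single-valued RDNs only; MAY attributes of name forms are not modelled.
    """
    wanted = (structural_oc.lower(), rdn_attr.lower())
    for rule_id, (form, sups) in sorted(rules.items()):
        oc, attr = NAME_FORMS[form]
        if (oc.lower(), attr.lower()) != wanted:
            continue
        if parent_rule in sups or (parent_rule is None and not sups):
            return rule_id
    return None

if __name__ == "__main__":
    rules = parse_rules(RULES)
    print(governing_rule(rules, 20, "organizationalUnit", "ou"))  # ou under an org
    print(governing_rule(rules, 21, "organizationalUnit", "ou"))  # nested ou
    print(governing_rule(rules, 21, "organizationalUnit", "cn"))  # wrong RDN type
```

A None result corresponds to a request the server would reject with the result code described earlier in this section.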