[Date Prev][Date Next] [Chronological] [Thread] [Top]

User classes

To: quanah@stanford.edu
Subject: User classes
From: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>
Date: Mon, 14 Apr 2003 17:41:22 -0700
Cc: openldap-devel@OpenLDAP.org
In-reply-to: <200304142238.h3EMccPh001369@boole.openldap.org>

It might interesting to implement some sort of user classification
system.  Right now, the only way to classify users before apply
access controls is by playing naming games with sasl-regexp.

It would be nice to be able to define classes of users:
	# user has a person entry associated with it
	userClass person filter="(objectClass=person)"

	# user is active
	userClass active userClass=person filter="(active=TRUE)"

	# user is local
	userClass local userClass=person
		dn.children="ou=people,dc=example,dc=com"

(basically all ACL <who> factors could be used in defining
a userClass.)

These could be computed after all other bind functions
(authentication, identity mapping, proxy authorization)
and stored in the connection structure for access (and
other) administrative controls.  E.g.,

	by userClass=local read

Anyways, this is just food for thought as I don't have the
time to code something like this.

Kurt

Follow-Ups:
- Re: User classes
  - From: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>

Prev by Date: Re: monitor schema
Next by Date: Re: User classes
Index(es):
- Chronological
- Thread