[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: User classes



A few more thoughts.

Classes could also be defined via sasl-regexp.

sasl-regexp <search pattern> <replacement pattern> [<class>]

This would allow things like:
        sasl-regex
                uid=(.*),cn=myrealm,cn=gssapi,cn=auth
                uid=$1,ou=People,dc=example,dc=com

        sasl-regex (.*) $1 alien


Also, I note that the session-level ACL cache can be
eliminated once this is implemented... allowing the
administrator to have group membership determined
once per bind or once per operation.

At 05:41 PM 4/14/2003, Kurt D. Zeilenga wrote:
>It might interesting to implement some sort of user classification
>system.  Right now, the only way to classify users before apply
>access controls is by playing naming games with sasl-regexp.
>
>It would be nice to be able to define classes of users:
>        # user has a person entry associated with it
>        userClass person filter="(objectClass=person)"
>
>        # user is active
>        userClass active userClass=person filter="(active=TRUE)"
>
>        # user is local
>        userClass local userClass=person
>                dn.children="ou=people,dc=example,dc=com"
>
>(basically all ACL <who> factors could be used in defining
>a userClass.)
>
>These could be computed after all other bind functions
>(authentication, identity mapping, proxy authorization)
>and stored in the connection structure for access (and
>other) administrative controls.  E.g.,
>
>        by userClass=local read
>
>Anyways, this is just food for thought as I don't have the
>time to code something like this.
>
>Kurt