Re: User classes
A few more thoughts.
Classes could also be defined via sasl-regexp.
sasl-regexp <search pattern> <replacement pattern> [<class>]
This would allow things like:
  sasl-regexp
      uid=(.*),cn=myrealm,cn=gssapi,cn=auth
      uid=$1,ou=People,dc=example,dc=com
  sasl-regexp (.*) $1 alien
Also, I note that the session-level ACL cache can be
eliminated once this is implemented... allowing the
administrator to have group membership determined
once per bind or once per operation.
At 05:41 PM 4/14/2003, Kurt D. Zeilenga wrote:
>It might be interesting to implement some sort of user classification
>system. Right now, the only way to classify users before applying
>access controls is by playing naming games with sasl-regexp.
>
>It would be nice to be able to define classes of users:
> # user has a person entry associated with it
> userClass person filter="(objectClass=person)"
>
> # user is active
> userClass active userClass=person filter="(active=TRUE)"
>
> # user is local
> userClass local userClass=person
> dn.children="ou=people,dc=example,dc=com"
>
>(basically all ACL <who> factors could be used in defining
>a userClass.)
>
>These could be computed after all other bind functions
>(authentication, identity mapping, proxy authorization)
>and stored in the connection structure for access (and
>other) administrative controls. E.g.,
>
> by userClass=local read
>
>Anyways, this is just food for thought as I don't have the
>time to code something like this.
>
>Kurt
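The scheme sketched in the two messages above, modelled as a small Python program. This is an added illustration for this page and is not OpenLDAP code; the userClass directive was only a proposal here. It takes the sasl-regexp lines from the reply (with an optional trailing class), the three userClass definitions from the quoted message, and a constructed ACL of the form "by userClass=<name> <level>", computes a user's classes once at bind time and stores them on a stand-in connection structure, and then answers the access question from that stored set. Assumptions made here and not stated on the page: regexps are tried in order, first match wins and must cover the whole string; DNs are compared case-insensitively by lowercasing; the filter evaluator only understands simple (attr=value) equality filters; the directory contents, the ACL, and the extra "cn=contractors" mapping rule are constructed so that a non-local person entry exists.

```python
"""Toy model of the user-classification scheme discussed in this thread.

Added illustration only, not OpenLDAP code.  It models the proposed
    sasl-regexp <search> <replacement> [<class>]
    userClass <name> [userClass=<prereq>] [filter=<f>] [dn.children=<dn>]
directives, computes the classes once at bind time, keeps them on the
connection, and evaluates "by userClass=<name> <level>" ACL clauses.
Assumptions: regexps are tried in order, first match wins and must cover
the whole string; DNs compare case-insensitively by lowercasing; the
filter evaluator understands only simple (attr=value) equality filters.
"""
import re

# Constructed directory contents: normalised DN -> attribute map.
DIRECTORY = {
    "uid=alice,ou=people,dc=example,dc=com":
        {"objectclass": ["person"], "uid": ["alice"], "active": ["TRUE"]},
    "uid=bob,ou=people,dc=example,dc=com":
        {"objectclass": ["person"], "uid": ["bob"], "active": ["FALSE"]},
    "uid=carol,ou=contractors,dc=example,dc=com":
        {"objectclass": ["person"], "uid": ["carol"], "active": ["TRUE"]},
}

# (search pattern, replacement, optional class).  The first and last rules are
# the ones from the reply; the contractors rule is a constructed extra so that
# a non-local person entry can be reached.  Python uses \1 where slapd uses $1.
SASL_REGEXP = [
    (r"uid=(.*),cn=myrealm,cn=gssapi,cn=auth",
     r"uid=\1,ou=People,dc=example,dc=com", None),
    (r"uid=(.*),cn=contractors,cn=digest-md5,cn=auth",
     r"uid=\1,ou=Contractors,dc=example,dc=com", None),
    (r"(.*)", r"\1", "alien"),
]

# userClass definitions from the quoted message, in order (prerequisites first).
USER_CLASSES = [
    ("person", {"filter": "(objectClass=person)"}),
    ("active", {"userClass": "person", "filter": "(active=TRUE)"}),
    ("local",  {"userClass": "person",
                "dn.children": "ou=people,dc=example,dc=com"}),
]

# Constructed ACL: "by userClass=active write" then "by userClass=local read";
# a user matching neither clause falls through to the implicit "by * none".
ACL = [("active", "write"), ("local", "read")]


def map_identity(authc_id):
    """Identity-mapping step: return (normalised DN, class set by the rule)."""
    for pattern, replacement, cls in SASL_REGEXP:
        m = re.fullmatch(pattern, authc_id)
        if m:
            return m.expand(replacement).lower(), cls
    return authc_id.lower(), None


def matches_filter(attrs, filt):
    """Evaluate a single (attr=value) equality filter against an entry."""
    m = re.fullmatch(r"\((\w+)=([^)]*)\)", filt)
    if not m:
        raise ValueError("only simple equality filters are modelled: " + filt)
    attr, value = m.group(1).lower(), m.group(2).lower()
    return any(v.lower() == value for v in attrs.get(attr, []))


def is_child_of(dn, base):
    """dn.children semantics: dn lies strictly below base."""
    return dn.endswith("," + base.lower())


def classify(dn, preset):
    """Compute the user's classes exactly once (the proposal's bind-time step)."""
    classes = set()
    if preset:
        classes.add(preset)
    entry = DIRECTORY.get(dn)
    for name, spec in USER_CLASSES:
        prereq = spec.get("userClass")
        if prereq is not None and prereq not in classes:
            continue                       # prerequisite class not held
        if "filter" in spec and (entry is None
                                 or not matches_filter(entry, spec["filter"])):
            continue                       # no entry, or filter does not match
        if "dn.children" in spec and not is_child_of(dn, spec["dn.children"]):
            continue                       # entry lives outside the subtree
        classes.add(name)
    return classes


class Connection:
    """Stand-in for slapd's connection structure: classes stored after bind."""
    def __init__(self, authc_id):
        self.dn, preset = map_identity(authc_id)
        self.classes = classify(self.dn, preset)


def access_for(conn):
    """First matching "by userClass=<name> <level>" clause wins."""
    for cls, level in ACL:
        if cls in conn.classes:
            return level
    return "none"


if __name__ == "__main__":
    for who in ("uid=alice,cn=myrealm,cn=gssapi,cn=auth",
                "uid=bob,cn=myrealm,cn=gssapi,cn=auth",
                "uid=carol,cn=contractors,cn=digest-md5,cn=auth",
                "uid=mallory,cn=elsewhere,cn=auth"):
        c = Connection(who)
        print(c.dn, sorted(c.classes), access_for(c))
```

Because the class set is computed in classify() and stored on the Connection, the ACL check in access_for() never touches the directory again; that is the point made in the reply about dropping the session-level ACL cache and choosing to evaluate membership once per bind (as here) or once per operation (by re-running classify() before each access check).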