Re: slapo-dynlist design question(s)
Quanah Gibson-Mount wrote:
> Stanford is looking at implementing groups into our LDAP servers, and in
> particular, looking at using slapo-dynlist. However, it does not behave
> as I expected it to.
>
> Basically, it uses the credentials of whomever bound to determine the
> membership list. This means I would have to give access to a privileged
> attribute to those who wished to use groups, which is exactly what I'm
> trying to avoid. What I wanted to do, was specifically control the
> access to the group objects themselves. If an entity has access to the
> group object, they would then be able to see all current members of the
> group.
>
> I believe this would mean adding functionality to slapo-dynlist to where
> it uses the rootdn to perform the internal search instead of the
> credentials. Would it be possible to have this sort of addition?

I'm not quite sure I understood what you mean. Are you going to use it
for access control? Or do you want it to return the actual member list
during a search? Can you describe further, and possibly post a sample
conf+data, or at least a sketch of what you're trying to accomplish? As
far as I can tell, slapo-dynlist(5) doesn't cope fine with ACLs as it is
now...
p.
Ing. Pierangelo Masarati
OpenLDAP Core Team
SysNet s.n.c.
Via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
------------------------------------------
Office: +39.02.23998309
Mobile: +39.333.4963172
Email: pierangelo.masarati@sys-net.it
------------------------------------------