[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: slapo-dynlist desgin question(s)

To: Pierangelo Masarati <ando@sys-net.it>
Subject: Re: slapo-dynlist desgin question(s)
From: Quanah Gibson-Mount <quanah@stanford.edu>
Date: Fri, 12 Jan 2007 10:58:21 -0800
Cc: openldap-devel@openldap.org
Content-disposition: inline
In-reply-to: <45A664E2.8010808@sys-net.it>
References: <3A8D9F01DE3A005FA31F6791@deus-ex.stanford.edu> <45A664E2.8010808@sys-net.it>

--On Thursday, January 11, 2007 5:25 PM +0100 Pierangelo Masarati <ando@sys-net.it> wrote:

I'm not quite sure I understood what you mean.  Are you going to use it
for access control?  Or do you want it to return the actual member list
during a search?  Can you describe further, and possibly post a sample
conf+data, or at least a sketch of what you're trying to accomplish?  As
far as I can tell, slapo-dynlist(5) doesn't cope fine with ACLs as it is
now...


My intention is to be able to do something like:

access to dn.exact="cn=groupa,cn=groups,dc=stanford,dc=edu"
	by ldapadmins read
	by <somedn> compare

etc.

And yes, it is to be used for access control. The problem I have right now, is that to instantiate a dynamic group, I have to give <somedn> access to the attribute(s) being used in the filter to create the group, which is exactly what I need to avoid, due to HIPAA concerns.

--Quanah

--
Quanah Gibson-Mount
Principal Software Developer
ITS/Shared Application Services
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html

Follow-Ups:
- Re: slapo-dynlist desgin question(s)
  - From: Quanah Gibson-Mount <quanah@stanford.edu>

References:
- slapo-dynlist desgin question(s)
  - From: Quanah Gibson-Mount <quanah@stanford.edu>
- Re: slapo-dynlist desgin question(s)
  - From: Pierangelo Masarati <ando@sys-net.it>

Prev by Date: subclass matching in be_fetch()
Next by Date: Re: slapo-dynlist desgin question(s)
Index(es):
- Chronological
- Thread