Re: Recursive Groups
"Mark R. Diggory" wrote:
>
> I've been working hard on developing an ACL based on many of the examples
> provided in the mail archives and FAQ for OpenLDAP. I'm wondering if anyone
> has attempted an ACL that would recursively check group memberships for
> authentication/authorization.
>
> What I'd like to do is:
>
> dn: cn=group2,o=blaa
> member: cn=group1,o=blaa
> ...
>
> dn: cn=group1,o=blaa
> member: uid=joe_user,o=blaa
> ...
>
> dn: uid=joe_user,o=blaa
> ...
>
> and have joe_user be authenticated as if a member of both group1 and group2.
>
> Does anyone know if this is possible?

I don't think so; it could be done by adding a "recursive" flag
to the group membership ACL, which could cause the group membership
check (backend_group) to be called repeatedly. Loop detection
might be an issue, and it would surely be a nightmare for
performance if badly configured (think of a group with a thousand
members that must be recursively checked).

Pierangelo.
--
Dr. Pierangelo Masarati | voice: +39 02 2399 8309
Dip. Ing. Aerospaziale | fax: +39 02 2399 8334
Politecnico di Milano | mailto:masarati@aero.polimi.it
via La Masa 34, 20156 Milano, Italy |
http://www.aero.polimi.it/~masarati
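
The recursive check discussed in this message, as an added example (not OpenLDAP code and not written by either poster): a nested group walk with loop detection and a cap on how many groups one check may read. Assumptions: an in-memory dict stands in for the directory, `is_member`, `normalize` and `max_groups` are hypothetical names, DN comparison is simplified, and `group3`/`group4` are constructed entries that form a loop.

```python
from collections import deque

# Constructed sample data: DN -> "member" values. group1/group2 follow the
# post; group3/group4 are added here to form a membership loop.
DIRECTORY = {
    "cn=group2,o=blaa": ["cn=group1,o=blaa"],
    "cn=group1,o=blaa": ["uid=joe_user,o=blaa"],
    "cn=group3,o=blaa": ["cn=group4,o=blaa"],
    "cn=group4,o=blaa": ["cn=group3,o=blaa"],
}


class GroupLimitExceeded(Exception):
    """Raised when the walk would read more groups than allowed; treat as deny."""


def normalize(dn):
    # Simplified DN comparison (assumption): lowercase, no spaces around commas.
    return ",".join(part.strip().lower() for part in dn.split(","))


def is_member(directory, user_dn, group_dn, max_groups=64):
    """Return (matched, groups_read) for a nested membership check."""
    entries = {normalize(dn): members for dn, members in directory.items()}
    user = normalize(user_dn)
    seen = set()                       # loop detection: groups already read
    queue = deque([normalize(group_dn)])
    groups_read = 0
    while queue:
        group = queue.popleft()
        if group in seen:
            continue                   # reached again via a loop or a second path
        if groups_read == max_groups:
            raise GroupLimitExceeded(f"more than {max_groups} groups under {group_dn}")
        seen.add(group)
        groups_read += 1
        for member in map(normalize, entries.get(group, [])):
            if member == user:
                return True, groups_read
            if member in entries:      # member is itself a group entry: descend
                queue.append(member)
    return False, groups_read


if __name__ == "__main__":
    print(is_member(DIRECTORY, "uid=joe_user,o=blaa", "cn=group2,o=blaa"))
    print(is_member(DIRECTORY, "uid=joe_user,o=blaa", "cn=group3,o=blaa"))
```

The `groups_read` count is the number of group entries fetched for one access decision, which is the cost the reply warns about; the cap turns a badly nested configuration into a denial instead of an unbounded walk.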