Recursive groups?
I've seen a few notes about group membership being specified recursively in
the archives (about a year ago). Someone evidently submitted a patch, but it
was never added to the production line?
I'm interested in what the thinking is on this notion.
What I want to do is essentially define groups such as:

cn=canReadSocialSecurity,ou=groups
member: cn=BigBossPresident
member: cn=canReadEverything,ou=groups

cn=canReadHomePhone,ou=groups
member: cn=telecom-tech
member: cn=canReadEverything,ou=groups
member: cn=canReadMostStuff,ou=groups

cn=canReadEverything,ou=groups
member: cn=joeshmoe

cn=canReadMostStuff,ou=groups
member: cn=janeshmoe

In this case (obviously) the goal is to rationalize ACL definitions: One ACL
per protected attribute, and the engine can traverse the groups. But the
applications are myriad. Here's just a teense.

cn=isInChemistryClass
member: cn=isInChemistryClass1
member: cn=isInChemistryClass2

cn=isInChemistryClass1
member: cn=isInChemistrySection101
member: cn=isInChemistrySection102

cn=isInChemistryClass2
member: cn=isInChemistrySection201
member: cn=isInChemistrySection202

----

cn=SalesDepartment
member: cn=Electronic Sales
member: cn=Direct Marketing
member: cn=Park Muggers
[...]

There's all kinds of set math which could be done once, intelligently, in the
server, and which would save many people implementing it badly, repeatedly, in
their applications.
- Allen S. Rout
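
Added example, not part of the original post and not OpenLDAP code: a sketch of the nested-group traversal an ACL engine would need for the first listing above, with the two safeguards such a traversal requires (cycle detection and a depth limit that fails closed). The `GROUPS` table is constructed from the post's entries; `norm`, `expand`, `is_member` and `max_depth` are hypothetical names, and the DN normalization is deliberately simplified.

```python
# Constructed sample data: group DN -> member DNs, copied from the post's listing.
GROUPS = {
    "cn=canReadSocialSecurity,ou=groups": [
        "cn=BigBossPresident", "cn=canReadEverything,ou=groups"],
    "cn=canReadHomePhone,ou=groups": [
        "cn=telecom-tech", "cn=canReadEverything,ou=groups",
        "cn=canReadMostStuff,ou=groups"],
    "cn=canReadEverything,ou=groups": ["cn=joeshmoe"],
    "cn=canReadMostStuff,ou=groups": ["cn=janeshmoe"],
}

def norm(dn):
    """Simplified DN comparison key (case and spacing only, not full DN matching)."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def expand(group_dn, groups, max_depth=8):
    """Return the set of non-group member DNs reachable from group_dn.

    Raises ValueError when nesting exceeds max_depth, so a caller making an
    access decision denies instead of acting on a partial answer.
    """
    index = {norm(dn): members for dn, members in groups.items()}
    leaves, seen = set(), set()
    stack = [(norm(group_dn), 0)]
    while stack:
        dn, depth = stack.pop()
        if dn in seen:
            continue  # already expanded: a cycle, or a group reached twice
        if depth > max_depth:
            raise ValueError("group nesting deeper than %d at %s" % (max_depth, dn))
        seen.add(dn)
        for member in index.get(dn, []):
            member = norm(member)
            if member in index:
                stack.append((member, depth + 1))  # nested group: keep walking
            else:
                leaves.add(member)                 # ordinary entry
    return leaves

def is_member(user_dn, group_dn, groups, max_depth=8):
    """ACL-style check; any traversal error is treated as 'not a member'."""
    try:
        return norm(user_dn) in expand(group_dn, groups, max_depth)
    except ValueError:
        return False

if __name__ == "__main__":
    for g in GROUPS:
        print(g, "->", sorted(expand(g, GROUPS)))
```

Because every nested `member` value widens who passes the ACL, write access to any group in the chain is effectively write access to the protected attribute's reader list.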