
Recursive groups?



I've seen a few notes about group membership being specified recursively in
the archives (about a year ago).  Someone evidently submitted a patch, but it
was never added to the production line?

I'm interested in what the thinking is on this notion.

What I want to do is essentially define groups such as:


cn=canReadSocialSecurity,ou=groups
member: cn=BigBossPresident
member: cn=canReadEverything,ou=groups

cn=canReadHomePhone,ou=groups
member: cn=telecom-tech
member: cn=canReadEverything,ou=groups
member: cn=canReadMostStuff,ou=groups

cn=canReadEverything,ou=groups
member: cn=joeshmoe

cn=canReadMostStuff,ou=groups
member: cn=janeshmoe


In this case (obviously) the goal is to rationalize ACL definitions: One ACL
per protected attribute, and the engine can traverse the groups.  But the
applications are myriad.  Here's just a teense.


cn=isInChemistryClass
member: cn=isInChemistryClass1
member: cn=isInChemistryClass2

cn=isInChemistryClass1
member: cn=isInChemistrySection101
member: cn=isInChemistrySection102

cn=isInChemistryClass2
member: cn=isInChemistrySection201
member: cn=isInChemistrySection202

----

cn=SalesDepartment
member: cn=Electronic Sales
member: cn=Direct Marketing
member: cn=Park Muggers

[...]



There's all kinds of set math which could be done once, intelligently, in the
server, and which would save many people implementing it badly, repeatedly, in
their applications.

- Allen S. Rout
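As an added example (not part of the post or of any server's code), a small Python model of the nested-group traversal the post wants the server to do, run over an in-memory copy of its group entries. The names DIRECTORY, expand_group and is_member are mine, and the member values are the post's abbreviated DNs rather than full ones; the cycle and depth handling is what an ACL engine needs so that a mis-edited group (A contains B, B contains A) cannot hang access checks.

```python
# Constructed sample data: group DN -> member DNs, copied from the post.
# A member DN that is itself a key here is a nested group.
DIRECTORY = {
    "cn=canReadSocialSecurity,ou=groups": [
        "cn=BigBossPresident",
        "cn=canReadEverything,ou=groups",
    ],
    "cn=canReadHomePhone,ou=groups": [
        "cn=telecom-tech",
        "cn=canReadEverything,ou=groups",
        "cn=canReadMostStuff,ou=groups",
    ],
    "cn=canReadEverything,ou=groups": ["cn=joeshmoe"],
    "cn=canReadMostStuff,ou=groups": ["cn=janeshmoe"],
}


def expand_group(directory, group_dn, max_depth=32):
    """Return the set of leaf (non-group) members reachable from group_dn.

    Each group is visited at most once, so a membership cycle terminates
    instead of recursing forever, and max_depth caps how deep a nesting
    chain may go before the lookup is refused rather than silently served.
    """
    leaves = set()
    visited = set()
    stack = [(group_dn, 0)]
    while stack:
        dn, depth = stack.pop()
        if dn in visited:
            continue
        visited.add(dn)
        if depth > max_depth:
            raise RecursionError(f"group nesting deeper than {max_depth} at {dn}")
        for member in directory.get(dn, []):
            if member in directory:      # nested group: descend one level
                stack.append((member, depth + 1))
            else:                        # leaf entry (user, host, ...)
                leaves.add(member)
    return leaves


def is_member(directory, group_dn, entry_dn):
    """The test an ACL engine would run: direct or nested membership."""
    return entry_dn in expand_group(directory, group_dn)
```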