[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
RE: Recursive groups?
The ACL facility already supports recursive groups for access control,
specified using Sets.
http://www.openldap.org/faq/data/cache/452.html
The Set facility isn't well documented; all the documentation that exists is
in the above FAQ article. Feel free to work with it and add anything you
learn.
-- Howard Chu
Chief Architect, Symas Corp. Director, Highland Sun
http://www.symas.com http://highlandsun.com/hyc
Symas: Premier OpenSource Development and Support
> -----Original Message-----
> From: owner-openldap-software@OpenLDAP.org
> [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of asr@ufl.edu
> I've seen a few notes about group membership being specified
> recursively in
> the archives (about a year ago). Someone evidently submitted
> a patch, but it
> was never added to the production line?
>
> I'm interested in what the thinking is on this notion.
>
> What I want to do is essentially define groups such as:
>
>
> cn=canReadSocialSecurity,ou=groups
> member:cn=BigBossPresident
> member:cn=canReadEverything,ou=groups
>
> cn=canReadHomePhone,ou=groups
> member:cn=telecom-tech
> member:cn=canReadEverything,ou=groups
> member:cn=canReadMostStuff,ou=groups
>
> cn=canReadEverything,ou=groups
> member: cn=joeshmoe
>
> cn=canReadMostStuff,ou=groups
> member: cn=janeshmoe
>
>
> In this case (obviously) the goal is to rationalize ACL
> definitions: One ACL
> per protected attribute, and the engine can traverse the
> groups. But the
> applications are myriad. Here's just a teense.
>
>
> cn=isInChemistryClass
> member: cn=isInChemistryClass1
> member: cn=isInChemistryClass2
>
> cn=isInChemistryClass1
> member: cn=isInChemistrySection101
> member: cn=isInChemistrySection102
>
> cn=isInChemistryClass2
> member: cn=isInChemistrySection201
> member: cn=isInChemistrySection202
>
> ----
>
> cn=SalesDepartment
> member: cn=Electronic Sales
> member: cn=Direct Marketing
> member: cn=Park Muggers
>
> [...]
>
>
>
> There's all kinds of set math which could be done once,
> intelligently, in the
> server, and which would save many people implmenting it
> badly, repeatedly, in
> their applications.
>
> - Allen S. Rout
>
>