
RE: Dynamic Groups



> -----Original Message-----
> From: owner-openldap-software@OpenLDAP.org
> [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Tod Thomas

> Well, I haven't read through Jeff's reference in its entirety so the
> answer may be contained therein.  What I got from google before I posted
> this request is that you essentially use attributes to define the various
> 'groupings' and then use a search filter contained in an LDAP URL to find
> all entries that have that attribute thereby deriving the contents of the
> 'group'.   Since the attribute is local to the individual entry, and
> potentially it was valued and is maintained by an automated process, the
> addition or removal of that entry's 'group' attribute seems to provide its
> dynamic status.

This definition would imply that Dynamic Groups are a concept that only
clients care about, since presumably a client must issue a search on the LDAP
URL that defines the group. Since it is an ordinary search request, then I
would suppose that any LDAP server will support this.

If, on the other hand, the idea is to define this LDAP URL and have the
server process it when evaluating ACLs, then definitely OpenLDAP does not do
this currently. Nor does it make sense to do so in a server context.

> So my question now morphs into many.  Do I understand dynamic groupings
> correctly?

Seems OK to me.

> If so is the concept a standard, a proposed standard, or a
> proprietary idea implemented by a few vendors?

It is a use case, it's simply one way of leveraging the Search operation,
nothing more.

> Won't LDAP eventually run into a hard limitation, or a performance
> limitation, using attribute based 'dynamic groups' as I described above
> due to the large number of attributes that could potentially end up in a
> single entry?

No more so than if you defined a large number of static groups with lots of
entry DNs in their member attributes.

> The direction I'm heading in here is the possibility of using dynamic
> groups as a form of role based access control.

For arbitrary applications using LDAP, sure, no problem. For slapd itself,
it's not appropriate. You still must control write access to the attributes
that constitute a dynamic group, and this privilege cannot come from a
dynamic group otherwise you have no security.

Assuming you had a dynamic group such as
	ldap:///dc=foo,dc=org??sub?(memberOf=role1)

one should note that the search result is a list of entries that presumably
have a specific privilege. When slapd is evaluating ACLs, it doesn't care
about the whole list of entries, it just needs to know if the current user's
entry meets the criteria. As such, evaluating the above URL would be
extremely wasteful. This group would be matched using ACL set syntax:
	access to <whatever> by set=user/memberOf & [role1]

Note that for the LDAP URL search, the resulting list of entries must include
the DN of the user in question. For the ACL set, the resulting set doesn't
need to yield a particular DN, it just needs to be non-empty.

> Quanah Gibson-Mount wrote:
>
> > --On Wednesday, May 28, 2003 10:24 AM -0700 Jeff Costlow
> > <j.costlow@f5.com> wrote:
> >
> > > I don't know what iPlanet is doing, but this document has some good
> > > stuff in it.
> > >
> > > http://middleware.internet2.edu/dir/groups/draft-internet2-mace-dir-groups-best-practices-01.html
>
> Interestingly enough, I wrote a note to OpenLDAP-software just a few days
> ago myself asking if it is possible to use dynamic groups in OpenLDAP-2.1.
> I've gotten 0 responses saying anything either way.  I'm not convinced you
> can't, but I'm not convinced you can, either.

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support
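The following is an added example, not part of the thread above and not OpenLDAP code. It is a toy model of the two evaluation strategies Howard contrasts: a client running the dynamic group's LDAP URL as a search (which touches every entry in scope and returns the whole list, then checks whether the user's DN is in it), versus the `set=user/memberOf & [role1]` ACL style (which consults only the bound user's own entry and only asks whether the resulting set is non-empty). The directory contents, DNs and role names are constructed for the example; the URL parser and filter evaluator handle only the pieces the example needs (no percent-decoding, no escaped commas, a single equality or presence filter).

```python
# Added example (not from the thread, not OpenLDAP code): a toy model of the
# two ways of deciding "is this user in the dynamic group?".
# Directory contents, DNs and role names below are constructed sample data.

DIRECTORY = {
    "uid=alice,ou=people,dc=foo,dc=org": {"memberOf": ["role1", "role2"]},
    "uid=bob,ou=people,dc=foo,dc=org": {"memberOf": ["role2"]},
    "uid=carol,ou=people,dc=foo,dc=org": {"memberOf": ["role1"]},
    "cn=role1,ou=roles,dc=foo,dc=org": {"objectClass": ["organizationalRole"]},
    "dc=foo,dc=org": {"objectClass": ["dcObject"]},
}

# The dynamic group URL from the message.
GROUP_URL = "ldap:///dc=foo,dc=org??sub?(memberOf=role1)"


def parse_ldap_url(url):
    """Split an LDAP URL (RFC 4516 shape) into (base, attrs, scope, filter).

    Only the fields this example needs are handled: extensions are ignored
    and no percent-decoding is performed (the URL above contains none).
    """
    if not url.startswith("ldap://"):
        raise ValueError("not an ldap:// URL")
    _host, _, rest = url[len("ldap://"):].partition("/")
    fields = rest.split("?")
    fields += [""] * (4 - len(fields))          # pad missing trailing fields
    base, attrs, scope, filt = fields[:4]
    return (
        base,
        attrs.split(",") if attrs else [],
        scope or "base",
        filt or "(objectClass=*)",
    )


def in_scope(dn, base, scope):
    """True if dn lies inside the search scope rooted at base (no escaped commas)."""
    dn_l, base_l = dn.lower(), base.lower()
    if dn_l == base_l:
        return scope in ("base", "sub")
    if scope == "base" or not dn_l.endswith("," + base_l):
        return False
    depth = dn_l[: -len(base_l) - 1].count(",") + 1   # RDNs below the base
    return scope == "sub" or (scope == "one" and depth == 1)


def match_filter(entry, filt):
    """Evaluate one equality or presence filter, e.g. (memberOf=role1) or (cn=*)."""
    body = filt.strip()
    if not (body.startswith("(") and body.endswith(")")):
        raise ValueError("only a single (attr=value) filter is modelled")
    attr, _, value = body[1:-1].partition("=")
    values = entry.get(attr, [])
    if value == "*":
        return bool(values)
    return any(v.lower() == value.lower() for v in values)   # caseIgnoreMatch


def dynamic_group_members(url, directory=DIRECTORY):
    """Client-side view: run the URL's search and return every matching DN.

    This computes the whole group by visiting every entry in scope.
    """
    base, _attrs, scope, filt = parse_ldap_url(url)
    return sorted(
        dn for dn, entry in directory.items()
        if in_scope(dn, base, scope) and match_filter(entry, filt)
    )


def client_is_member(user_dn, url, directory=DIRECTORY):
    """A client deciding membership the expensive way: is the DN in the full list?"""
    return user_dn in dynamic_group_members(url, directory)


def acl_set_allows(user_dn, attr, literal, directory=DIRECTORY):
    """Model of `by set=user/<attr> & [<literal>]`: only the bound user's own
    entry is read, and access is granted iff the intersection of that user's
    <attr> values with the literal is non-empty (no list of DNs is ever built)."""
    user_values = {v.lower() for v in directory.get(user_dn, {}).get(attr, [])}
    return bool(user_values & {literal.lower()})


if __name__ == "__main__":
    print("search result:", dynamic_group_members(GROUP_URL))
    for dn in DIRECTORY:
        print(dn, "client:", client_is_member(dn, GROUP_URL),
              "acl set:", acl_set_allows(dn, "memberOf", "role1"))
```

Both functions reach the same yes/no answer for every entry, which is the point of the message: the ACL set form answers the only question slapd needs to ask (does this user's entry meet the criteria?) without enumerating the group, while the URL search is what a client would run to obtain the group's full membership.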