[Date Prev][Date Next] [Chronological] [Thread] [Top]

"Roles" in OpenLDAP?

To: openldap list <openldap-software@OpenLDAP.org>
Subject: "Roles" in OpenLDAP?
From: Bela Kovac <wizard@uni-paderborn.de>
Date: Wed, 24 Mar 2004 18:20:13 +0100

Hi there,

i've been looking for some way to implement Roles into my LDAP-tree, for simplified use in my ACLs. As i found, there is no problem generating a static group (objectClass: groupOfNames, groupOfUniqueNames) and filling it explicitely with members. So when i add a new user into my LDAP and i want him to be in the group i have to make to LDAP calls, one to insert the user and one other to add this new user to the group. This way i might be running into problems when data becomes inconsistent.

So i looked for dynamic groups or roles, where membership (in a group) is resolved by looking for a specific attribute (and a specific value) in the user's entry. I found some threads regarding this topic, but i didn't found a clear solution.

What i found:

DYNAMIC GROUPS: ============== (http://www.openldap.org/lists/openldap-software/200305/msg00803.html) There you have an attribute called "memberOf" in the user's entry, and with that you can generate a dynamic group, as explained in http://www.openldap.org/lists/openldap-software/200305/msg00863.html Problem is that this mechanics doesn't work with OpenLDAP, as far as i found out.


SETS ("Roles" or "reversed groups"):
====
(http://www.openldap.org/faq/data/cache/452.html)
Sets do look good. You can write into your ACLs some lines like

access to <blah>
	by set="user/someAttribute* & [someValue]" <permission>

Problem is, i want users with the corresponding someAttribute attribute to be able to only get acces to specific entries, namely entries that have another specific attribute. E.G.:

- Entry A -
dn: blah
faculty: SpecialGroup
...

- user B -
dn: foo
role: admin_SpecialGroup
...

So i'd like user B to be able to get access to entry A only if entry A has this special value for the attribute faculty, like:

access to <blah>
	attrs=faculty val="SpecialGroup"
	by set="user/role* & [admin_SpecialGroup]" write

Problem is that as far as i understand ACLs, user B is now only able to manipulate the attribute "faculty" (and only if it has the value "SpecialGroup"), not more (like the entire entry or some other attributes, like password alone).

I hope i made my point clear. If not, please let me know so i can reformulate my question (am no native english speaker). Am i missing something? Does anyone know how to accomplish this? I'd be eternal grateful.


Bela

-- "Der Blitzableiter auf einem Kirchturm ist das denkbar stärkste Misstrauensvotum gegen den lieben Gott." -- Karl Kraus

Follow-Ups:
- Re: "Roles" in OpenLDAP?
  - From: Dieter Kluenter <dieter@dkluenter.de>

Prev by Date: Re: How to confirm --enable-local
Next by Date: Re: Make Test Error: master and slave databases differ
Index(es):
- Chronological
- Thread