"Roles" in OpenLDAP?
Hi there,
I've been looking for some way to implement roles in my LDAP tree,
for simplified use in my ACLs. As I found, there is no problem
generating a static group (objectClass: groupOfNames,
groupOfUniqueNames) and filling it explicitly with members. So when I
add a new user into my LDAP and I want him to be in the group, I have to
make two LDAP calls, one to insert the user and another to add this
new user to the group. This way I might be running into problems when
data becomes inconsistent.
So I looked for dynamic groups or roles, where membership (in a group)
is resolved by looking for a specific attribute (and a specific value)
in the user's entry. I found some threads regarding this topic, but I
didn't find a clear solution.
What I found:
DYNAMIC GROUPS:
==============
(http://www.openldap.org/lists/openldap-software/200305/msg00803.html)
There you have an attribute called "memberOf" in the user's entry, and
with that you can generate a dynamic group, as explained in
http://www.openldap.org/lists/openldap-software/200305/msg00863.html
The problem is that this mechanism doesn't work with OpenLDAP, as far as I
found out.
SETS ("Roles" or "reversed groups"):
====================================
(http://www.openldap.org/faq/data/cache/452.html)
Sets do look good. You can write into your ACLs some lines like
access to <blah>
by set="user/someAttribute* & [someValue]" <permission>
The problem is, I want users with the corresponding someAttribute attribute
to be able to get access only to specific entries, namely entries that
have another specific attribute, e.g.:
- Entry A -
dn: blah
faculty: SpecialGroup
...
- User B -
dn: foo
role: admin_SpecialGroup
...
So I'd like user B to be able to get access to entry A only if entry A
has this special value for the attribute faculty, like:
access to <blah>
attrs=faculty val="SpecialGroup"
by set="user/role* & [admin_SpecialGroup]" write
The problem is that, as far as I understand ACLs, user B is now only able to
manipulate the attribute "faculty" (and only if it has the value
"SpecialGroup"), nothing more (like the entire entry or some other
attributes, like the password alone).
I hope I made my point clear. If not, please let me know so I can
reformulate my question (I am no native English speaker).
Am I missing something? Does anyone know how to accomplish this? I'd be
eternally grateful.
Bela
--
"The lightning rod on a church tower is the strongest conceivable
vote of no confidence against the good Lord."
-- Karl Kraus
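The two-call update the post describes (insert the user, then add the user to the static group) is exactly where a static groupOfNames and an attribute-based role can drift apart. As an added example, not code from the original post or from OpenLDAP itself, the following Python script parses an LDIF export and reports that drift: role holders missing from the group, group members whose entry no longer carries the role, and member DNs that have no entry at all. The attribute name `role`, the DNs and the LDIF sample are constructed for illustration.

```python
"""Audit drift between a static LDAP group and an attribute-based role.

Added example, not code from the original post or from OpenLDAP itself.
The attribute name `role`, the group and user DNs and the LDIF below are
constructed for illustration.
"""
from collections import defaultdict

# Constructed sample: one static group and three user entries. `ghost` is a
# member DN with no entry, `dave` is a member whose role attribute names a
# different group, and `bob` holds the role but is missing from the group.
SAMPLE_LDIF = """\
dn: cn=admin_SpecialGroup,ou=groups,dc=example,dc=com
objectClass: groupOfNames
cn: admin_SpecialGroup
member: uid=alice,ou=people,dc=example,dc=com
member: uid=ghost,ou=people,dc=example,dc=com
member: uid=dave,ou=people,dc=example,dc=com

dn: uid=alice,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: alice
role: admin_SpecialGroup

dn: uid=bob,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: bob
role: admin_SpecialGroup

dn: uid=dave,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: dave
role: admin_OtherGroup
"""


def parse_ldif(text):
    """Minimal LDIF parser returning {dn: {attr: [values]}}.

    Folds continuation lines (leading space), lowercases attribute names and
    keeps multi-valued attributes in order. Base64 values (`attr:: ...`) are
    outside the scope of this example and are skipped.
    """
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # LDIF line continuation
        else:
            lines.append(raw)

    entries = {}
    current_dn = None
    for line in lines:
        if not line.strip():              # blank line ends the current entry
            current_dn = None
            continue
        if line.startswith("#"):
            continue
        attr, sep, value = line.partition(":")
        if not sep or value.startswith(":"):  # malformed line or base64 value
            continue
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            current_dn = value
            entries[current_dn] = defaultdict(list)
        elif current_dn is not None:
            entries[current_dn][attr].append(value)
    return entries


def audit_group(entries, group_dn, role_attr="role"):
    """Compare a static groupOfNames entry with the users whose `role_attr`
    value equals the group's cn. Returns a dict of three sorted DN lists."""
    group = entries.get(group_dn)
    if group is None:
        raise KeyError(f"group entry not found: {group_dn}")
    role_name = group["cn"][0]            # the role is named after the group
    static_members = set(group.get("member", []))
    role_holders = {dn for dn, attrs in entries.items()
                    if role_name in attrs.get(role_attr, [])}
    return {
        # users whose role says they belong, but the static group lacks them
        "missing_from_group": sorted(role_holders - static_members),
        # members that exist but whose entry no longer carries the role
        "stale_members": sorted(m for m in static_members
                                if m in entries and m not in role_holders),
        # member DNs that point at no entry at all
        "unknown_members": sorted(m for m in static_members
                                  if m not in entries),
    }


if __name__ == "__main__":
    report = audit_group(parse_ldif(SAMPLE_LDIF),
                         "cn=admin_SpecialGroup,ou=groups,dc=example,dc=com")
    for kind, dns in report.items():
        print(f"{kind}: {dns or '-'}")
```

Run against a real export (for instance the output of `slapcat` or `ldapsearch -LLL`) the same two functions give a periodic consistency check, so the drift the post worries about is at least detected even where membership is still maintained with two separate writes.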