[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: "Roles" in OpenLDAP?





Peter Marschall wrote:
Hi,

On Sunday 28 March 2004 20:36, Nikos Voutsinas wrote:

The point  here is: does openldap support *server-side dynamic roles* ?
Not groups but roles! If not, then is there any other method, that may
take advantage of openldap dynamic groups, in order to simplify the
procedure I described in the previous paragraph?

The issue I raised in my initial mail is that even if openldap provides
(or will provide) an operational attribute that is going to be used as
server-side dynamic role, this attribute should not be used by any
external application unless there is a way to define more than one
service specific, server-side dynamic role, (radius-role,
yourapplication-role etc etc), where each xxx-role is related with a
specific set of filters.

Anyway, I suspect that openldap dynamic groups are not what the
community describes as server-side dynamic roles. If that is the case,
most probably it was my mistake to initiate this thread



Maybe we did not get exactly what the notion "server-side dynamic roles" means to you exactly. Escpecially what differentiates them from server-side dynamic groups.

In my understanding a role is a group + rights bound to that group.
LDAP directories are usually used to store the "group part" of roles
while the associations between groups and the rights are done in the applications themselves.
E.g. consider Apache: while it can use various modules to read group memberships from (SQL, LDAP, ...) the assiciation between the
rights to a specific page and the entitled users/groups is done in httpd.conf



Hi Peter,

The main difference between roles and groups is that roles are stored -or better- retrieved directly from user's object.

The roles related attribute could be a static attribute inside the user's object. In this case, the role attribute is manually-managed by the administrator or the application. Alternatively, it could be an operational attribute that is dynamically filled on the fly by the ldap server, based on some filters. The roles computation in this case is repeated each time the role attribute of the specific user is requested. Roles are better in the case of "In what groups the user x is member of". Groups are better in the case of "Who are the members of that group".

Let me note that this isn't an openldap issue, it has to do on how internet services could get advantage by storing users profiles on ldap, in order to provide different CoS (permissions, quota, views) in the most effective manner.

PS: I totally agree that the association between groups/roles and rights is a client task. Roles or groups values are meaningless to ldap server. What i said is that a single *role* *attribute* , can be used, for example, by the ACL validation procedure (which can be viewed as an internal to ldap, service), but cannot be used by more than one external services. Hmm, I suppose that I had to wrote in my previous mail ".....unless there is a way to define more than one service specific, server-side dynamic role *attribute*" instead of ".....unless there is a way to define more than one service specific, server-side dynamic role".

Nikos Voutsinas