
Re: reverse membership and permissions



Jason Dusek wrote:
  I'm curious about the intended permissions model for reverse
  group membership:

    http://www.openldap.org/doc/admin24/overlays.html#Reverse%20Group%20Membership%20Maintenance

  Consider the case where a user should only have write access to
  their own attributes and a friends group to which they can add
  their friends. The reverse group membership overlay is used to
  propagate `memberOf` attributes to all the users that they
  add to their group of friends. We do it this way because
  'denormalizations' of this kind are helpful for query
  efficiency.

  For this application, it seems right for the overlay to
  propagate changes that a user does not have permission to
  execute themselves -- we don't have to let a user know who
  anybody else's friends are, for example; nor can they change
  that attribute.

  If this can be added, it'd be great. If it's already possible,
  I'd appreciate it if it were part of the documentation.


It's possible and already documented in the man page (man slapo-memberof):

  memberof-dn <dn>
  The value <dn> contains the DN that is used as modifiersName for internal modifications performed to update the reverse group membership. It defaults to the rootdn of the underlying database.


--
Kind Regards,

Gavin Henry.

T +44 (0) 1224 279484
M +44 (0) 7930 323266
F +44 (0) 1224 824887
E ghenry@suretecsystems.com

Open Source. Open Solutions(tm).

http://www.suretecsystems.com/

Suretec Systems is a limited company registered in Scotland. Registered
number: SC258005. Registered office: 13 Whiteley Well Place, Inverurie,
Aberdeenshire, AB51 4FP.
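The configuration below is an added illustration of the setup discussed in this thread; it is not taken from the OpenLDAP documentation or from either poster. It puts the memberof overlay behind a dedicated identity via memberof-dn and pairs it with ACLs so that a user can edit their own entry and the `member` attribute of the friends group they own, while `memberOf` is readable only by the entry's owner and writable by nobody except the overlay's identity. The suffix dc=example,dc=com, the ou=People and ou=Friends containers, the owner attribute on the group, and the cn=memberof identity are assumptions chosen for the example; the explicit write grant to that identity is belt-and-braces, since whether the overlay's internal modifications are subject to ACLs at all is not stated on this page.

```apacheconf
# slapd.conf fragment (constructed example, not the project's own config)

moduleload memberof.la

database        mdb
suffix          "dc=example,dc=com"
rootdn          "cn=Manager,dc=example,dc=com"

# ACLs are evaluated in order; the first matching "access to" clause wins.

# 1. memberOf is the denormalised attribute maintained by the overlay.
#    Only the overlay's identity may write it; a user may read their own
#    copy; nobody else learns who someone's friends are.
access to attrs=memberOf
        by dn.exact="cn=memberof,dc=example,dc=com" write
        by self read
        by * none

# 2. A user may edit the member list of the friends group they own
#    (owner attribute on the group entry holds the user's DN).
access to dn.subtree="ou=Friends,dc=example,dc=com" attrs=member
        by dnattr=owner write
        by users read
        by * none

# 3. A user may write the rest of their own entry; others may only read.
access to dn.subtree="ou=People,dc=example,dc=com"
        by self write
        by users read
        by * none

access to *
        by users read
        by * none

# Reverse group membership maintenance. memberof-dn overrides the default
# (the rootdn) so that modifiersName on the propagated memberOf changes
# is a dedicated, auditable identity rather than the directory root.
overlay         memberof
memberof-group-oc   groupOfNames
memberof-member-ad  member
memberof-memberof-ad memberOf
memberof-refint     true
memberof-dn         "cn=memberof,dc=example,dc=com"
```

With this in place, a user adding a DN to the `member` attribute of their own group is authorised by clause 2; the overlay then adds the matching `memberOf` value to the friend's entry as cn=memberof, which is the only identity clause 1 lets write, so the friend's own `memberOf` is updated even though the acting user could not touch it directly. Checking `modifiersName` on the friend's entry afterwards shows the overlay's DN, which is what memberof-dn controls.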