[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Recursive ACL entries (group member of group)

To: Jan Thiemo Fricke <fanatikneo@gmx.de>
Subject: Re: Recursive ACL entries (group member of group)
From: Jonathan Clarke <jonathan@phillipoux.net>
Date: Mon, 16 Nov 2009 10:32:57 +0100
Cc: openldap-technical@openldap.org
In-reply-to: <000001ca6513$615a91f0$240fb5d0$@de>
References: <000001ca6513$615a91f0$240fb5d0$@de>
User-agent: Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:1.9.1.5) Gecko/20091112 Shredder/3.0pre

On 14/11/2009 11:15, Jan Thiemo Fricke wrote:

Hi list members,

I use a openldap server for the user management of an proprietary
client/server application.

Users are modified person class objects.

Groups are groupOfName objects.

Rights are also groupOfNames.

* *

Users are members of groups and groups are members of rights.

To exemplify my problem:

User: cn=example,ou=users,dc=mydomain

Group: cn=supervisors,ou=groups,dc=mydomain

Right: cn=someRight,ou=rights,dc=mydomain

For instance someRight should give all members of supervisors the right
to modify other users.

At the moment the ACL is related to the group.

Access to dn.sub=”ou=users,dc=mydomain”

By group.exact=”cn=supervisor,ou=groups,dc=mydomain” write

By self read

To use the rights I’d need an ACL with a group of group.

Access to dn.sub=”ou=users,dc=mydomain”

By group.exact=”cn=someRight,ou=rights,dc=mydomain” write

Should allow all members of all groups that are member of someRight to
modify users.

Is this possible or is groupOfNames the wrong class to represent group
rights?

Hi,

This can be acheived using ACL sets. There is in fact an example ofexactly this use case in the admin guide!

http://www.openldap.org/doc/admin24/access-control.html#Sets - Granting rights based on relationships

It is noted in the documentation that sets are experimental. Just to adda word onto that, I use sets in several production environments, andhave absolutely no stability problems.

However, depending on the sets you use, the performance hit can beimportant (sets can fire off thousands of search requests just toevaluate one ACL, if they're badly written). Also, ACLs with sets arenot cached.


Hope this helps,
Jonathan
--
--------------------------------------------------------------
Jonathan Clarke - jonathan@phillipoux.net
--------------------------------------------------------------
Ldap Synchronization Connector (LSC) - http://lsc-project.org
--------------------------------------------------------------

Follow-Ups:
- Re: Recursive ACL entries (group member of group)
  - From: Jan Fricke <fanatikneo@gmx.de>

References:
- Recursive ACL entries (group member of group)
  - From: "Jan Thiemo Fricke" <fanatikneo@gmx.de>

Prev by Date: For openldap suggestion
Next by Date: Re: Recursive ACL entries (group member of group)
Index(es):
- Chronological
- Thread