[Freeipa-devel] xml-rpc functions

Pete Rowley prowley at redhat.com
Wed Aug 1 22:41:26 UTC 2007


Simo Sorce wrote:
> On Wed, 2007-08-01 at 14:54 -0400, Rob Crittenden wrote:
>   
>> I think it would be helpful to identify all the major functions that the 
>> xml-rpc protocol will support.
>>
>> Off the top of my head I have:
>>
>> - add user
>> - retrieve user by uid
>> - modify user
>> - search for a user
>> - retrieve all users (could be a "*" of search for a user)
>> - remove user (deactivate)
>>
>> - get list of groups
>>     
>
> can we remove this and instead implement group search, which can also do
> a search for *
I'm working on a memberof plugin, so I suggest we work with groups like 
this:

enumerate users in a group: search (memberof=group dn)
enumerate user group membership: retrieve entry memberof attribute
test group membership: ldap compare group dn on memberof attribute
add user to group: retrieve group, make sure it is a groupofuniquenames, 
add entry dn to uniquemember attribute
delete user from group: like above
Group based access control: aci on cn=people,

aci: (targetattr="whatever")
     (targetfilter="(memberOf=cn=group Z,cn=groups,dc=example,dc=com)")
     (version 3.0; acl "Example group X can do Y to the members of group Z";
      allow (permissions) groupdn="ldap:///cn=group X,cn=groups,dc=example,dc=com";)

we /could/ instead do this with the bind rule:

aci: (targetattr="whatever")
     (targetfilter="(memberOf=cn=group Z,cn=groups,dc=example,dc=com)")
     (version 3.0; acl "Example group X can do Y to the members of group Z";
      allow (permissions) userdn="ldap:///dc=realm,dc=com??sub?(memberOf=cn=group X,cn=groups,dc=example,dc=com)";)


This allows us the flexibility to support whatever memberof says is a 
group in access control e.g. roles, dynamic groups, what have you.

Doing group operations using memberof means we never have to retrieve 
those monster membership lists so things should scale a little better in 
the UI.

-- 
Pete
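An added, runnable model of the memberOf-based group operations and the ACI decision described in the post above. This is example code, not from the thread or from FreeIPA; the in-memory directory, the DNs, and the refresh_memberof() stand-in for the memberof plugin are constructed assumptions.

```python
"""memberOf-style group operations, modelled in memory (constructed example)."""
PEOPLE = "cn=people,dc=example,dc=com"
GROUPS = "cn=groups,dc=example,dc=com"
GROUP_X, GROUP_Z = f"cn=group X,{GROUPS}", f"cn=group Z,{GROUPS}"

# Constructed directory: membership lives only in the groups' uniqueMember values;
# memberOf on user entries is derived, as the plugin would maintain it.
DIRECTORY = {
    f"uid=alice,{PEOPLE}": {"objectClass": {"inetOrgPerson"}},
    f"uid=bob,{PEOPLE}": {"objectClass": {"inetOrgPerson"}},
    f"uid=carol,{PEOPLE}": {"objectClass": {"inetOrgPerson"}},
    GROUP_X: {"objectClass": {"groupOfUniqueNames"}, "uniqueMember": {f"uid=alice,{PEOPLE}"}},
    GROUP_Z: {"objectClass": {"groupOfUniqueNames"}, "uniqueMember": {f"uid=bob,{PEOPLE}"}},
    f"cn=not a group,{GROUPS}": {"objectClass": {"organizationalRole"}},
}

def norm(dn):
    """DN matching is case-insensitive; ignore whitespace around RDN separators."""
    return ",".join(p.strip().lower() for p in dn.split(","))

def refresh_memberof():
    """Stand-in for the memberof plugin (assumption): derive memberOf from uniqueMember."""
    for entry in DIRECTORY.values():
        entry["memberOf"] = set()
    for group_dn, group in DIRECTORY.items():
        for member_dn in group.get("uniqueMember", ()):
            DIRECTORY[member_dn]["memberOf"].add(group_dn)

def members_of(group_dn):
    """Enumerate users in a group: search (memberOf=<group dn>), never read the group's list."""
    return sorted(dn for dn, e in DIRECTORY.items()
                  if norm(group_dn) in {norm(g) for g in e.get("memberOf", ())})

def is_member(user_dn, group_dn):
    """Test membership: an LDAP compare of the group DN against the user's memberOf."""
    return norm(group_dn) in {norm(g) for g in DIRECTORY[user_dn].get("memberOf", ())}

def add_to_group(user_dn, group_dn):
    """Add user to group: fetch the group, require groupOfUniqueNames, add uniqueMember."""
    group = DIRECTORY[group_dn]
    if "groupOfUniqueNames" not in group["objectClass"]:
        raise ValueError(f"{group_dn} is not a groupOfUniqueNames")
    group.setdefault("uniqueMember", set()).add(user_dn)
    refresh_memberof()  # on a real server the plugin updates memberOf on write

def aci_allows(bind_dn, target_dn):
    """The ACI from the post: targetfilter = target is in group Z; bind rule = binder is in group X.
    Both the groupdn and the userdn-with-memberOf-filter variants reduce to this check."""
    return is_member(target_dn, GROUP_Z) and is_member(bind_dn, GROUP_X)

refresh_memberof()
```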
