[Freeipa-devel] xml-rpc functions
Pete Rowley
prowley at redhat.com
Wed Aug 1 22:41:26 UTC 2007
Simo Sorce wrote:
> On Wed, 2007-08-01 at 14:54 -0400, Rob Crittenden wrote:
>
>> I think it would be helpful to identify all the major functions that the
>> xml-rpc protocol will support.
>>
>> Off the top of my head I have:
>>
>> - add user
>> - retrieve user by uid
>> - modify user
>> - search for a user
>> - retrieve all users (could be a "*" of search for a user)
>> - remove user (deactivate)
>>
>> - get list of groups
>>
>
> can we remove this and instead implement group search, which can also do
> a search for *
I'm working on a memberof plugin, so I suggest we work with groups like
this:

- enumerate users in a group: search (memberof=group dn)
- enumerate user group membership: retrieve entry memberof attribute
- test group membership: ldap compare group dn on memberof attribute
- add user to group: retrieve group, make sure it is a groupofuniquenames,
  add entry dn to uniquemember attribute
- delete user from group: like above

Group based access control: aci on cn=people,

aci: (targetattr="whatever")(targetfilter="(memberOf=cn=group Z,cn=groups,dc=example,dc=com)")(version 3.0; acl "Example group X can do Y to the members of group Z"; allow (permissions) groupdn="ldap:///cn=group X,cn=groups,dc=example,dc=com";)

we /could/ instead do this with the bind rule:

aci: (targetattr="whatever")(targetfilter="(memberOf=cn=group Z,cn=groups,dc=example,dc=com)")(version 3.0; acl "Example group X can do Y to the members of group Z"; allow (permissions) userdn="ldap:///dc=realm,dc=com??sub?(memberOf=cn=group X,cn=groups,dc=example,dc=com)";)

This allows us the flexibility to support whatever memberof says is a
group in access control e.g. roles, dynamic groups, what have you.

Doing group operations using memberof means we never have to retrieve
those monster membership lists so things should scale a little better in
the UI.
--
Pete
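
The group operations listed in the message above, modelled in memory as an added example (not code from the original post or from FreeIPA). The sample entries, the `norm` helper and the propagation of memberOf through nested groups are assumptions of this model.

```python
# In-memory model only; all entries below are constructed sample data.
X = "cn=group x,cn=groups,dc=example,dc=com"
Z = "cn=group z,cn=groups,dc=example,dc=com"

def norm(dn):
    """Simplified DN normalization (assumption): lowercase, trim around commas."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def add_member(groups, group_dn, entry_dn):
    """Add user to group: verify the object class, then add to uniqueMember."""
    group = groups[norm(group_dn)]
    if "groupofuniquenames" not in [oc.lower() for oc in group["objectClass"]]:
        raise ValueError("not a groupOfUniqueNames: " + group_dn)
    group["uniqueMember"].add(norm(entry_dn))

def compute_memberof(groups):
    """Derive memberOf back-references from uniqueMember. Propagating through
    nested groups is an assumption of this model; `seen` stops membership loops."""
    memberof = {}
    def walk(group_dn, member, seen):
        memberof.setdefault(member, set()).add(group_dn)
        if member in groups and member not in seen:  # member is itself a group
            for inner in groups[member]["uniqueMember"]:
                walk(group_dn, inner, seen | {member})
    for group_dn, group in groups.items():
        for member in group["uniqueMember"]:
            walk(group_dn, member, {group_dn})
    return memberof

def entries_in_group(memberof, group_dn):
    """Enumerate a group: the equivalent of search (memberOf=<group dn>)."""
    return sorted(dn for dn, gs in memberof.items() if norm(group_dn) in gs)

def groups_of(memberof, entry_dn):
    """Enumerate membership: read the entry's own memberOf values."""
    return sorted(memberof.get(norm(entry_dn), ()))

def is_member(memberof, entry_dn, group_dn):
    """Test membership: the equivalent of an LDAP compare on memberOf."""
    return norm(group_dn) in memberof.get(norm(entry_dn), ())

def sample_groups():
    new = lambda: {"objectClass": ["top", "groupOfUniqueNames"], "uniqueMember": set()}
    groups = {X: new(), Z: new()}
    add_member(groups, X, "uid=alice,cn=people,dc=example,dc=com")
    add_member(groups, Z, "uid=bob,cn=people,dc=example,dc=com")
    add_member(groups, Z, X)  # group X nested inside group Z
    return groups
```

Every read operation touches only the memberOf values of the entry in question, never a group's full uniqueMember list.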