[Fedora-directory-users] newbie question - roles AND groups?

Nathan Kinder nkinder at redhat.com
Thu Jun 19 16:41:58 UTC 2008


Edward Capriolo wrote:
>  If you take a look at openldap it has dynamic 'overlays'.
> http://www.openldap.org/doc/admin24/overlays.html#Dynamic%20Lists.
>
> The main gist of it is that an LDAP Query can be saved in an object.
> This is similar in my mind to an SQL View.
>
> So nss_ldap would reference a dynamic_overlay like object and that
> would re-search for the actual content to be returned to the user.
> Having the object work in this read-only sense would make it less
> complicated than
> http://directory.fedoraproject.org/wiki/MemberOf_Plugin and still fit
> the need nicely.
>   
The overlay approach is less complicated, but it doesn't appear to deal 
with nested groups.

The complexity of the memberOf plug-in is due to this support for nested 
groups.  The approach of having to do multiple searches to resolve a 
user's nested memberships every time you just want to find out what 
groups you belong to would have a negative performance impact for reads 
over generating the memberOf attribute values when an actual membership 
modification is made.  The assumption is that membership checks occur 
more often than membership changes, so performing all of the work up 
front when the modify takes place is best.
> It would be more generic than memberOf and I can see a lot of uses for
> it. Maybe another such plug in exists that I am not aware of.
>   
The plan for the memberOf plug-in is to make it more generic.  The 
current code in CVS allows the attributes it acts on to be 
configurable.  Other changes would need to be made to the plug-in to allow 
it to truly be a general purpose linked attribute plug-in.  In 
particular, the ability to turn off the nesting capability, configure 
multiple linked attributes, and define which suffix(es) to operate on 
would be very useful.
>
> 2008/6/19 Richard Megginson <rmeggins at redhat.com>:
>   
>> Grzegorz Marszałek wrote:
>>     
>>> Hello!
>>>
>>> I'm newbie to Fedora Directory, but it has two significant features - acl
>>> and nested roles.
>>>
>>> But I could find a way to use roles as groups. That is - I'd like to
>>> define role, and then use this to define posix group, which I can use via
>>> nss_ldap on my servers. At first glance it seems that dynamic groups will do
>>> what I want - I just defined filter to include all users with particular
>>> role in group. But unfortunately dynamic groups aren't resolved by server,
>>> you need client application to do that :(
>>>
>>>
>>> So the question is: is there any way to do this without writing my own
>>> slapi plugin?
>>>       
>> No, not currently.  But several other users have expressed an interest in a
>> feature like this.  There is another new feature related to this concept
>> that is currently in Fedora DS and being improved for the next version -
>> http://directory.fedoraproject.org/wiki/MemberOf_Plugin
>>
>> Would you be able to create a wiki page to explain your requirements for
>> such a feature?  That would be a very good place to start designing this
>> feature.
>>     
>>> Thanks!
>>> ---
>>> Grzegorz Marszałek
>>> graf0 at post.pl
>>>
>>>
>>>
>>> --
>>> Fedora-directory-users mailing list
>>> Fedora-directory-users at redhat.com
>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>>>       
>   
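
Added example, not part of the original thread and not the memberOf plug-in's code: a small in-memory model of the trade-off described in the reply above, comparing nested-group resolution on every read with memberOf values regenerated when membership is modified. The Directory class, its method names and the sample DNs are constructed for illustration.

```python
from collections import defaultdict

class Directory:
    """Constructed in-memory stand-in for a directory; DNs are plain strings."""
    def __init__(self):
        self.members = defaultdict(set)    # group -> direct members (users or groups)
        self.member_of = defaultdict(set)  # entry -> all groups, maintained on write
        self.searches = 0                  # count of simulated search operations

    def _parents(self, entry):
        """One simulated search: which groups list this entry as a direct member."""
        self.searches += 1
        return {g for g, m in self.members.items() if entry in m}

    def groups_read_time(self, entry):
        """Resolve nested membership at read time, one search per entry visited."""
        seen, stack = set(), [entry]
        while stack:
            for g in self._parents(stack.pop()):
                if g not in seen:          # the seen set also stops group cycles
                    seen.add(g)
                    stack.append(g)
        return seen

    def _refresh(self, entry):
        """Recompute memberOf for entry and everything nested beneath it."""
        affected, stack = set(), [entry]
        while stack:
            e = stack.pop()
            if e not in affected:
                affected.add(e)
                stack.extend(self.members.get(e, ()))
        for e in affected:
            self.member_of[e] = self.groups_read_time(e)

    def add_member(self, group, entry):
        """Write path: all of the nesting work happens here, up front."""
        self.members[group].add(entry)
        self._refresh(entry)

    def remove_member(self, group, entry):
        self.members[group].discard(entry)
        self._refresh(entry)

    def groups_precomputed(self, entry):
        """Read path with memberOf: a single attribute read, no searches."""
        return set(self.member_of.get(entry, ()))

def build_sample():
    d = Directory()
    d.add_member("cn=devs", "uid=alice")
    d.add_member("cn=engineering", "cn=devs")
    d.add_member("cn=staff", "cn=engineering")
    return d
```

In this model the read-time lookup costs one search per level of nesting on every membership check, while the precomputed lookup costs none; the work moves to add_member and remove_member instead.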

