[Fedora-directory-users] newbie question - roles AND groups?

Thu Jun 19 17:20:09 UTC 2008

That would be great for netgroups, that would solve one of the big
drawbacks of netgroups in LDAP, being able to quickly query and see
who has access to what system. Otherwise you need the client
application to figure it out.

2008/6/19 Nathan Kinder <nkinder at redhat.com>:
> Edward Capriolo wrote:
>>
>>  If you take a look at openldap it has dyamic 'overlays' .
>> http://www.openldap.org/doc/admin24/overlays.html#Dynamic%20Lists.
>>
>> The main jist of it is that an LDAP Query can be saved in an object.
>> This is similar in my mind to an SQL View.
>>
>> So nss_ldap would referece a dynamic_overlay like object and that
>> would re-search for the actual content to be returned to the user
>> Having the object work in this read-only sense would make it less
>> complicated then
>> http://directory.fedoraproject.org/wiki/MemberOf_Plugin and still fit
>> the need nicely.
>>
>
> The overlay approach is less complicated, but it doesn't appear to deal with
> nested groups.
>
> The complexity of the memberOf plug-in is due to this support for nested
> groups.  The approach of having to do multiple searches to resolve a user's
> nested memberships every time you just want to find out what groups you
> belong to would have a negative performance impact for reads over generating
> the memberOf attribute values when an actual membership modification is
> made.  The assumption is that membership checks occur more often than
> membership changes, so performing all of the work up front when the modify
> takes place is best.
>>
>> It would me more generic then memberOf and I can see a lot of uses for
>> it. Maybe another such plug in exists that I am not aware of.
>>
>
> The plans for the memberOf plug-in is to make it more generic.  The current
> code in CVS allows the attributes it acts on to be configurable.  Other
> changes would need to be made to the plug-in allow it to truly be a general
> purpose linked attribute plug-in.  In particular, the ability to turn off
> the nesting capability, configure multiple linked attributes, and define
> which suffix(es) to operate on would be very useful.
>>
>> 2008/6/19 Richard Megginson <rmeggins at redhat.com>:
>>
>>>
>>> Grzegorz Marszałek wrote:
>>>
>>>>
>>>> Hello!
>>>>
>>>> I'm newbie to Fedora Directory, but is has two significant features -
>>>> acl
>>>> and nested roles.
>>>>
>>>> But I could find a way to use roles as groups. That is - I'd like to
>>>> define role, and then use this to define posix group, which I can use
>>>> via
>>>> nss_ldap on my servers. At first glance it seems that dynamic groups
>>>> will do
>>>> what I want - I just defined filter to include all users with particular
>>>> role in group. But unfortunately dynamic groups aren't resolved by
>>>> server,
>>>> you need client aplication to do that :(
>>>>
>>>>
>>>> So the question is: is there any way to do this without writing my own
>>>> slapi plugin?
>>>>
>>>
>>> No, not currently.  But several other users have expressed an interest in
>>> a
>>> feature like this.  There is another new feature related to this concept
>>> that is currently in Fedora DS and being improved for the next version -
>>> http://directory.fedoraproject.org/wiki/MemberOf_Plugin
>>>
>>> Would you be able to create a wiki page to explain your requirements for
>>> such a feature?  That would be a very good place to start designing this
>>> feature.
>>>
>>>>
>>>> Thanks!
>>>> ---
>>>> Grzegorz Marszałek
>>>> graf0 at post.pl
>>>>
>>>>
>>>>
>>>> --
>>>> Fedora-directory-users mailing list
>>>> Fedora-directory-users at redhat.com
>>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>>>>
>>>
>>> --
>>> Fedora-directory-users mailing list
>>> Fedora-directory-users at redhat.com
>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>>>
>>>
>>>
>>
>> --
>> Fedora-directory-users mailing list
>> Fedora-directory-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>>
>
>
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>
>