
RE: "Roles" in OpenLDAP?



> -----Original Message-----
> From: owner-openldap-software@OpenLDAP.org
> [mailto:owner-openldap-software@OpenLDAP.org] On Behalf Of Dieter Kluenter

> Hi,
>
> Bela Kovac <wizard@uni-paderborn.de> writes:
>
> > Hi there,
> >
> > I've been looking for some way to implement Roles into my LDAP-tree,
> > for simplified use in my ACLs. As I found, there is no problem
> > generating a static group (objectClass: groupOfNames,
> > groupOfUniqueNames) and filling it explicitly with members. So when I
> > add a new user into my LDAP and I want him to be in the group I have
> > to make two LDAP calls, one to insert the user and one other to add
> > this new user to the group. This way I might be running into problems
> > when data becomes inconsistent.
> >
> > So I looked for dynamic groups or roles, where membership (in a group)
> > is resolved by looking for a specific attribute (and a specific value)
> > in the user's entry. I found some threads regarding this topic, but I
> > didn't find a clear solution.
> [...]
>
> With OpenLDAP-2.2.x you may compile with the flag --with-dyngroup and
> search the docs for dynamic group overlay.

Dynamic groups are always supported for ACLs in OpenLDAP 2.2. The only thing
the dynamic group overlay (--with-dyngroup option) does is allow using
LDAPCompare to test the membership of a dynamic group. If all you need is ACL
support you don't need this option.

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support
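
An added example, not part of the original message or of the OpenLDAP documentation: a slapd.conf fragment that uses a dynamic group in an ACL without the dyngroup overlay, as the reply above describes. All DNs and the choice of employeeType as the role attribute are assumptions made for illustration.

```conf
# slapd.conf fragment (constructed example; every DN and the employeeType
# value below are assumptions, not taken from the thread).
#
# The dynamic group is an ordinary entry, added once via LDIF:
#
#   dn: cn=admins,ou=groups,dc=example,dc=com
#   objectClass: groupOfURLs
#   cn: admins
#   memberURL: ldap:///ou=people,dc=example,dc=com??sub?(employeeType=admin)
#
# groupOfURLs and memberURL must be defined in the loaded schema.

# Rules are matched in order; keep credentials out of the broader rules.
access to attrs=userPassword
    by self write
    by anonymous auth
    by * none

# Protect the role attribute before anything else grants "self write":
# whoever can write employeeType on an entry decides group membership.
access to dn.subtree="ou=people,dc=example,dc=com" attrs=employeeType
    by dn.exact="cn=manager,dc=example,dc=com" write
    by users read
    by * none

# Membership is evaluated against the group's memberURL (base, scope and
# filter) when the ACL is checked; no member list is stored.
access to dn.subtree="ou=people,dc=example,dc=com"
    by group/groupOfURLs/memberURL="cn=admins,ou=groups,dc=example,dc=com" write
    by self write
    by users read
    by * none
```

With rules like these, creating a user with `employeeType: admin` is a single add operation, so there is no separate group entry to fall out of sync.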