
RE: "Roles" in OpenLDAP?



> -----Original Message-----
> From: nvoutsin@noc.uoa.gr [mailto:nvoutsin@noc.uoa.gr]

> > Dynamic groups are always supported for ACLs in OpenLDAP 2.2. The only
> > thing the dynamic group overlay (--with-dyngroup option) does is allow
> > using LDAPCompare to test the membership of a dynamic group. If all you
> > need is ACL support you don't need this option.
> >
> >   -- Howard Chu
> >   Chief Architect, Symas Corp.       Director, Highland Sun
> >   http://www.symas.com               http://highlandsun.com/hyc
> >   Symas: Premier OpenSource Development and Support
> >
>
> Motivated by your answer about Dynamic Groups, Roles or whatever, I
> would like to ask something that might end a slight misunderstanding
> about the usage of dynamic groups and the provided functionality. A lot
> of people think that they may take advantage of OpenLDAP dynamic groups
> and use them through various services in order to provide the dynamic
> groups functionality inside those services (e.g. in a RADIUS server:
> users that belong to the undergraduate dynamic group, to the
> postgraduate dynamic group or to faculty dynamic groups, etc.).

I have no idea what external applications try to do with groups, dynamic or
otherwise. As I posted above, OpenLDAP 2.2 supports the use of dynamic groups
in slapd ACLs. That's all.

In particular, retrieving a dynamic group entry via LDAP Search will only
return the URI attributes that define the group, it will not expand the URIs
and return the list of members in the group.

> If I am not the one who misunderstands the current dynamic group
> implementation, the previous solution will lead to noticeable LDAP
> server performance degradation, since the LDAP server should examine
> the membership of all defined dynamic groups no matter which service is
> asking for it.

That is not how things work. Of course, if you specify a large number of
complicated ACL rules, that may slow down performance. Nothing new there.

Notice that dynamic groups are defined based on some attribute of a user's
entry. If your application is aware that dynamic groups are being used, then
it need only retrieve the user's entry to determine all of the groups that
contain the user. If you want to test if user X is a member of group Y, you
should configure the dynamic group overlay in slapd, and your applications
should use LDAPCompare.

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support
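The approach the reply describes (fetch the user's own entry, then decide from it which dynamic groups contain the user, instead of asking the server to expand every group) is easy to get wrong because a memberURL carries three things that all have to match: a search base, a scope and a filter. The following is an added, stand-alone Python example, not OpenLDAP code and not part of the original message. It parses groupOfURLs-style memberURL values of the form ldap:///base?attrs?scope?filter, checks a user DN against base and scope, evaluates a small subset of RFC 4515 filters (equality, presence, &, |, !) against the user's attributes, and lists the groups the user falls into. The group names, user entries, suffix dc=example,dc=com and the eduPersonAffiliation/status attributes are constructed sample data; substitute the entries your application actually reads.

```python
"""Client-side dynamic-group evaluation (illustrative, not slapd's own code).

slapd returns a groupOfURLs entry's memberURL attributes unexpanded on Search.
To learn which dynamic groups contain a user, read the user's entry once and
test it against each group's URL: DN inside base+scope AND filter matches.
"""
from urllib.parse import unquote

# Constructed sample data: two groupOfURLs entries (DN -> memberURL values)
# and three user entries (DN -> attributes). All names are hypothetical.
GROUPS = {
    "cn=students,ou=Groups,dc=example,dc=com": [
        "ldap:///ou=People,dc=example,dc=com??sub?"
        "(|(eduPersonAffiliation=undergraduate)(eduPersonAffiliation=postgraduate))",
    ],
    "cn=faculty,ou=Groups,dc=example,dc=com": [
        "ldap:///ou=Staff,dc=example,dc=com??one?"
        "(&(eduPersonAffiliation=faculty)(!(status=retired)))",
    ],
}
USERS = {
    "uid=alice,ou=People,dc=example,dc=com": {"eduPersonAffiliation": ["undergraduate"]},
    "uid=bob,ou=Staff,dc=example,dc=com": {"eduPersonAffiliation": ["faculty"], "status": ["retired"]},
    "uid=carol,ou=Staff,dc=example,dc=com": {"eduPersonAffiliation": ["faculty"]},
}


def parse_member_url(url):
    """Split ldap:///base?attrs?scope?filter into (base, scope, filter)."""
    prefix = "ldap:///"
    if not url.lower().startswith(prefix):
        raise ValueError("only ldap:/// (same-server) URLs are handled: " + url)
    parts = url[len(prefix):].split("?", 3)
    parts += [""] * (4 - len(parts))           # missing fields take defaults
    base, _attrs, scope, filt = (unquote(p) for p in parts)
    return base, (scope or "base").lower(), filt or "(objectClass=*)"


def dn_rdns(dn):
    """Split a DN on unescaped commas; lower-case and trim each RDN."""
    rdns, cur, escaped = [], "", False
    for ch in dn:
        if escaped:
            cur, escaped = cur + ch, False
        elif ch == "\\":
            cur, escaped = cur + ch, True
        elif ch == ",":
            rdns, cur = rdns + [cur.strip().lower()], ""
        else:
            cur += ch
    return rdns + [cur.strip().lower()]


def in_scope(dn, base, scope):
    """True if dn lies within base for the given search scope."""
    d, b = dn_rdns(dn), dn_rdns(base)
    if len(d) < len(b) or d[len(d) - len(b):] != b:
        return False                            # not under the base at all
    depth = len(d) - len(b)
    if scope == "base":
        return depth == 0
    if scope == "one":
        return depth == 1
    if scope == "sub":
        return True
    raise ValueError("unknown scope: " + scope)


def parse_filter(text):
    """Parse (attr=value), (attr=*), (&...), (|...), (!...) into a tree."""
    node, pos = _parse(text, 0)
    if pos != len(text):
        raise ValueError("trailing data in filter: " + text)
    return node


def _parse(s, i):
    if i >= len(s) or s[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    if s[i] in "&|!":
        op, kids = s[i], []
        i += 1
        while i < len(s) and s[i] == "(":
            kid, i = _parse(s, i)
            kids.append(kid)
        if i >= len(s) or s[i] != ")" or (op == "!" and len(kids) != 1):
            raise ValueError("malformed %s filter" % op)
        return (op, kids), i + 1
    j = s.index(")", i)                          # ')' inside values must be escaped
    attr, sep, value = s[i:j].partition("=")
    if not attr or not sep:
        raise ValueError("unsupported filter item: " + s[i:j])
    return ("=", attr.lower(), value), j + 1


def matches(node, entry):
    """Evaluate a parsed filter against {attr_lowercase: [values]}."""
    op = node[0]
    if op == "&":
        return all(matches(k, entry) for k in node[1])
    if op == "|":
        return any(matches(k, entry) for k in node[1])
    if op == "!":
        return not matches(node[1][0], entry)
    _, attr, value = node
    values = [v.lower() for v in entry.get(attr, [])]
    return bool(values) if value == "*" else value.lower() in values


def is_member(user_dn, attrs, member_urls):
    """True if the user entry satisfies any of the group's memberURL values."""
    entry = {k.lower(): v for k, v in attrs.items()}
    for url in member_urls:
        base, scope, filt = parse_member_url(url)
        if in_scope(user_dn, base, scope) and matches(parse_filter(filt), entry):
            return True
    return False


def groups_for_user(user_dn, attrs, groups=GROUPS):
    """All dynamic groups containing the user, from the user's entry alone."""
    return sorted(dn for dn, urls in groups.items() if is_member(user_dn, attrs, urls))


if __name__ == "__main__":
    for dn, attrs in USERS.items():
        print(dn, "->", groups_for_user(dn, attrs))
```

Run as a script it prints alice in cn=students, carol in cn=faculty, and bob (retired) in neither, which is exactly the result slapd's own evaluation of those URLs would give. When the question is only "is user X in group Y", the message's other route is shorter: with the dyngroup overlay loaded and configured to pair member with memberURL (an assumed configuration), a single `ldapcompare` of `member:uid=alice,ou=People,dc=example,dc=com` against `cn=students,ou=Groups,dc=example,dc=com` answers TRUE or FALSE without any client-side evaluation, and without the server expanding every group.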