[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: [ldapext] Nested group (was: groupOfEntries object class proposal)

To: simo <idra@samba.org>
Subject: Re: [ldapext] Nested group (was: groupOfEntries object class proposal)
From: Andrew Findlay <andrew.findlay@skills-1st.co.uk>
Date: Wed, 19 Sep 2007 18:32:57 +0100
Cc: ldapext@ietf.org
Content-disposition: inline
In-reply-to: <1190220132.31971.147.camel@localhost.localdomain>
References: <46F060CD.20008@eb2bcom.com> <46F063BE.5020900@padl.com> <20070917143336.GA7266@tile.skills-1st.co.uk> <46EF07BD.1010801@padl.com> <20070918110511.GF23300@tile.skills-1st.co.uk> <46F060CD.20008@eb2bcom.com> <20070919104644.GE12296@tile.skills-1st.co.uk> <1190210820.31971.105.camel@localhost.localdomain> <20070919152141.GH12296@tile.skills-1st.co.uk> <1190220132.31971.147.camel@localhost.localdomain>
User-agent: Mutt/1.5.13 (2006-08-11)

On Wed, Sep 19, 2007 at 12:42:12PM -0400, simo wrote:

> The algorithm complexity is the same, although, it is true, a client may
> require more operations.
> 
> Actually I think this problem would be better solved by a control to ask
> the server to do the calculations for us (and IIRC there is a control
> like that in the AD implementation called ASQ or something like that)
> and use a cache, so we have both an efficient way to do it and avoid the
> artificial distinction.

Server support would certainly be valuable in many cases and a control
sounds like a good way to ask for it. However, I think that is
orthogonal to the question of whether there should be two attributes.

Consider the case of a group giving access to some resource. As the
owner of the resource I have control of the group, so I can give user
X access to it by putting the DN of X's entry into the group as a
member. I might also control another group called Q whose members
should have access to the resource so I add that too. So far so good,
but if there is no distinction between leaf members and nested groups
*in the group entry itself* it would be possible for user X to give
access to my resource to other people by adding member attributes to
his own entry. As the resource owner I would not want that to be
possible. This alone seems like a good reason not to allow nesting via
the 'member' attribute.

> > > Also it is more consistent, what if I have an Entry object listed as
> > > emmebr in another that lately is added a groupOfEntries objectclass to?
> > > Should the server go around all other groupOfEntries objects in search
> > > for members to be changed to nestedGroupObject ?
> > 
> > I am not sure that I understand your point there. Remember that
> > groupOfEntries is a STRUCTURAL class, so it cannot be added to an
> > existing entry or removed from one.
> 
> AHHH Right, that was the other thing in the back of my mind that kept
> bogging me, but I forgot to post about it.
> 
> STRUCTURAL classes are often annoying and I think they should be used
> only when the object is meant to be incompatible with other ones and/or
> embed a unique new concept that should make it naturally incompatible
> with other objectClasses.
> 
> What is the reasoning for it being STRUCTURAL here?

I also avoid structural classes where possible. In this case it seems
reasonable though. A group is a fairly basic concept and if it did not
have a structural class of it own then group objects would have to be
based on something else. The closest I can think of is
organizationalUnit, but that is not really a good model for the common
uses of groups to control authorisation.

A further reason for it being structural is that groupOfNames is
structural. If groupOfEntries is to replace it then this should not
change.

Andrew
-- 
-----------------------------------------------------------------------
|                 From Andrew Findlay, Skills 1st Ltd                 |
| Consultant in large-scale systems, networks, and directory services |
|     http://www.skills-1st.co.uk/                +44 1628 782565     |
-----------------------------------------------------------------------

_______________________________________________
Ldapext mailing list
Ldapext@ietf.org
https://www1.ietf.org/mailman/listinfo/ldapext

Follow-Ups:
- Re: [ldapext] Nested group (was: groupOfEntries object class proposal)
  - From: simo <idra@samba.org>
- Re: [ldapext] Nested group expansion control
  - From: Howard Chu <hyc@highlandsun.com>

References:
- Re: [ldapext] groupOfEntries object class proposal
  - From: Steven Legg <steven.legg@eb2bcom.com>
- Re: [ldapext] groupOfEntries object class proposal
  - From: Luke Howard <lukeh@padl.com>
- [ldapext] groupOfEntries object class proposal
  - From: Andrew Findlay <andrew.findlay@skills-1st.co.uk>
- Re: [ldapext] groupOfEntries object class proposal
  - From: Luke Howard <lukeh@padl.com>
- Re: [ldapext] groupOfEntries object class proposal
  - From: Andrew Findlay <andrew.findlay@skills-1st.co.uk>
- [ldapext] Nested group (was: groupOfEntries object class proposal)
  - From: Andrew Findlay <andrew.findlay@skills-1st.co.uk>
- Re: [ldapext] Nested group (was: groupOfEntries object class proposal)
  - From: simo <idra@samba.org>
- Re: [ldapext] Nested group (was: groupOfEntries object class proposal)
  - From: Andrew Findlay <andrew.findlay@skills-1st.co.uk>
- Re: [ldapext] Nested group (was: groupOfEntries object class proposal)
  - From: simo <idra@samba.org>

Prev by Date: RE: [ldapext] Nested group (was: groupOfEntries object class proposal)
Next by Date: Re: [ldapext] Nested group (was: groupOfEntries object class proposal)
Index(es):
- Chronological
- Thread