Re: [ldapext] Nested group (was: groupOfEntries object class proposal)
On Wed, Sep 19, 2007 at 03:32:34PM -0400, simo wrote:
> Sorry but I see a fault here as well.
> Once you add, as a member, a user controlled by a foreign entity your
> security is already screwed if you don't trust that entity.
> If you trust it then you trust they will not try to use their power to
> exploit your system.
True, but the separation of attributes can limit how much of my
resource a malicious admin can give away.
Howard's suggestion of a limit on the 'expand groups' control leads to
another idea: split the nestedGroup attribute into two again:
  nestedGroupOfEntries
      The group entry that we point to can only contain
      leaf-nodes

  nestedRecursiveGroup
      The group entry that we point to may contain further
      nested groups as well as leaf-nodes.
That would give a structural way to limit the nesting of groups.
The expansion algorithm is now slightly larger, but not exactly
complex.
> That said, this example makes much more sense.
Thanks. The discussion is certainly helping me to clarify some ideas.
Andrew
--
-----------------------------------------------------------------------
| From Andrew Findlay, Skills 1st Ltd |
| Consultant in large-scale systems, networks, and directory services |
| http://www.skills-1st.co.uk/ +44 1628 782565 |
-----------------------------------------------------------------------
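
Added example, not part of the original message or of any ldapext draft: a sketch of the expansion algorithm the message describes, showing how the two attributes bound what a foreign group's administrator can add to your group. The in-memory DIRECTORY, the DNs, the use of 'member' for leaf entries and the exact expansion semantics are assumptions made for illustration.

```python
# Constructed sample directory: DN -> attributes (stands in for LDAP lookups).
DIRECTORY = {
    "cn=project,o=mine": {
        "member": ["uid=alice,o=mine"],
        # We accept only the direct (leaf) members of the foreign group.
        "nestedGroupOfEntries": ["cn=partners,o=foreign"],
    },
    "cn=open,o=mine": {
        # Here we accept whatever the foreign group nests, to any depth.
        "nestedRecursiveGroup": ["cn=partners,o=foreign"],
    },
    "cn=partners,o=foreign": {
        "member": ["uid=bob,o=foreign"],
        # Added later by the foreign admin, outside our control.
        "nestedRecursiveGroup": ["cn=everyone,o=foreign"],
    },
    "cn=everyone,o=foreign": {
        "member": ["uid=mallory,o=foreign"],
        # Reference loop back to the group that points here.
        "nestedRecursiveGroup": ["cn=partners,o=foreign"],
    },
}


def expand_group(directory, group_dn):
    """Return the set of leaf member DNs that group_dn expands to."""
    members = set()
    expanded = set()  # groups whose nesting attributes were already followed

    def walk(dn, follow_nesting):
        entry = directory.get(dn, {})
        members.update(entry.get("member", []))
        # Reached via nestedGroupOfEntries: stop here, ignore further nesting.
        if not follow_nesting or dn in expanded:
            return
        expanded.add(dn)  # loop guard for recursive references
        for target in entry.get("nestedGroupOfEntries", []):
            walk(target, follow_nesting=False)
        for target in entry.get("nestedRecursiveGroup", []):
            walk(target, follow_nesting=True)

    walk(group_dn, follow_nesting=True)
    return members


if __name__ == "__main__":
    for dn in ("cn=project,o=mine", "cn=open,o=mine"):
        print(dn, "->", sorted(expand_group(DIRECTORY, dn)))
```

The group that uses nestedGroupOfEntries never picks up the members the foreign admin nested later; the one that uses nestedRecursiveGroup does.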