
Re: (ITS#3849) support for posixGroup use in ACLs

At 08:30 AM 7/8/2005, jtownsend@opendarwin.org wrote:
>Full_Name: Jason Townsend
>Version: 2.2.19, HEAD
>OS: 10.4.1
>URL: http://www.opendarwin.org/~jtownsend/patches/posixgroupacl/servers-slapd.patch
>Submission from: (NULL) (
>It can be useful to use a posixGroup in the RFC 2407 style from an access
>directive when running on a Unix platform that uses shortnames to determine
>group membership. For example:
>access to attr=apple-user-picture 
>  by self write
>  by sockurl="ldapi://%2Fvar%2Frun%2Fldapi" write 
>  by group/posixGroup/memberUid="cn=admin,cn=groups,dc=example,dc=com" write
>  by * read
>I've prepared a patch against HEAD which allows this to work. This was ported
>from a change against OpenLDAP 2.2.19.

I think addition of this feature would lead to confusion as
the implemented semantics are not actually consistent with
those specified for posixGroup. First, there is no requirement
to name accounts using the uid attribute or that it be the
only naming attribute. The code assumes it's the one and only
naming attribute for accounts. Second, an account can belong to
a posixGroup without its uid value being listed as a memberUid
of the posixGroup. That is, an account can be a member due to
having the same gidNumber value as the posixGroup.

I also dislike that this patch opens all member attributes
to those of IA5 string syntax.  Few attributes of IA5 string
syntax are used to identify group members (or like semantics).

I also note that ACL sets can be used today to provide more
complete posix group semantics.

However, my main concern is that this extension is specific
to a particular user application (POSIX information services)
and, hence, not generally useful.  Hence, I do not believe this
new feature should be incorporated into OpenLDAP Software.
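
The two objections about posixGroup semantics raised in the reply above, worked through as an added example that is not part of the original message or of the submitted patch. The directory entries are constructed, and `member_by_rdn` is only an assumed model of the proposed check as the reply characterises it (uid taken from the RDN of the bound DN); all function names are hypothetical.

```python
# Added illustration; entries below are constructed, not taken from the thread.
GROUP_DN = "cn=admin,cn=groups,dc=example,dc=com"
DIRECTORY = {
    GROUP_DN: {"gidNumber": ["80"], "memberUid": ["alice", "carol"]},
    # Named by uid and listed in memberUid: both checks agree.
    "uid=alice,cn=users,dc=example,dc=com": {"uid": ["alice"], "gidNumber": ["20"]},
    # Member only through a matching gidNumber; not listed in memberUid.
    "uid=bob,cn=users,dc=example,dc=com": {"uid": ["bob"], "gidNumber": ["80"]},
    # Listed in memberUid, but the entry is named by cn instead of uid.
    "cn=Carol Jones,cn=users,dc=example,dc=com": {"uid": ["carol"], "gidNumber": ["20"]},
    # Not a member under either reading.
    "uid=dave,cn=users,dc=example,dc=com": {"uid": ["dave"], "gidNumber": ["20"]},
}


def rdn_uid(dn):
    """Value of a leading uid= RDN, else None (assumes unescaped, single-valued RDNs)."""
    attr, _, value = dn.split(",", 1)[0].partition("=")
    return value if attr.strip().lower() == "uid" else None


def member_by_rdn(directory, group_dn, user_dn):
    """Assumed model of the proposed check: RDN uid value compared with memberUid."""
    uid = rdn_uid(user_dn)
    return uid is not None and uid in directory[group_dn].get("memberUid", [])


def member_posix(directory, group_dn, user_dn):
    """Membership as the reply describes it: uid in memberUid, or same gidNumber."""
    group, user = directory[group_dn], directory[user_dn]
    listed = set(user.get("uid", [])) & set(group.get("memberUid", []))
    same_gid = set(user.get("gidNumber", [])) & set(group.get("gidNumber", []))
    return bool(listed or same_gid)


def compare(directory, group_dn):
    """Map each account DN to (rdn_based_result, posix_result)."""
    return {
        dn: (member_by_rdn(directory, group_dn, dn), member_posix(directory, group_dn, dn))
        for dn in directory if dn != group_dn
    }


if __name__ == "__main__":
    for dn, (by_rdn, posix) in compare(DIRECTORY, GROUP_DN).items():
        flag = "" if by_rdn == posix else "  <-- ACL decision differs"
        print(f"{dn}: rdn-based={by_rdn} posix={posix}{flag}")
```

The bob and carol entries are the two cases where an ACL built on the RDN-based check would deny write access to accounts that are members of the group.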