[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: (ITS#3849) support for posixGroup use in ACLs



On Jul 8, 2005, at 10:17 AM, Kurt D. Zeilenga wrote:

> I think addition of this feature would lead to confusion as
> the implemented semantics are not actually consistent with
> those specified for posixGroup.   First, there is no requirement
> to name accounts using the uid attribute or that it be the
> only naming attribute.  The code assumes its the one and only
> naming attribute for accounts.  Second, an account can belong to
> a posixGroup without its uid value being listed as a memberUid
> of the posixGroup.  That is, an account can be member due to
> having the same gidNumber value as the posixGroup.
>
> I also dislike that this patch opens all member attributes
> to those of IA5 string syntax.  Few attributes of IA5 string
> syntax are used to identify group members (or like semantics).
>
> I also note that ACL sets can be used today to provide more
> complete posix group semantics.
>
> However, my main concern is that this extension is specific
> to a particular user application (POSIX information services)
> and, hence, not generally useful.  Hence, I do not believe this
> new feature should be incorporated into OpenLDAP Software.
>

Fair enough.

I guess we'll just keep that as a modification in the Mac OS X  
version of OpenLDAP for now then.

We have a need to allow a posixGroup to be used by OpenLDAP and right  
now the administrative tools don't populate DNs but rather  
shortnames. Maybe this is something that could be implemented through  
a plug-in which kept a list of uniqueMember values in sync with the  
list of memberUid values? Alternately, is there any way to extend the  
ACL system through plug-ins?

-Jason