Re: (ITS#3849) support for posixGroup use in ACLs
On Jul 8, 2005, at 10:17 AM, Kurt D. Zeilenga wrote:
> I think addition of this feature would lead to confusion as
> the implemented semantics are not actually consistent with
> those specified for posixGroup. First, there is no requirement
> to name accounts using the uid attribute or that it be the
> only naming attribute. The code assumes it's the one and only
> naming attribute for accounts. Second, an account can belong to
> a posixGroup without its uid value being listed as a memberUid
> of the posixGroup. That is, an account can be member due to
> having the same gidNumber value as the posixGroup.
> I also dislike that this patch opens all member attributes
> to those of IA5 string syntax. Few attributes of IA5 string
> syntax are used to identify group members (or like semantics).
> I also note that ACL sets can be used today to provide more
> complete posix group semantics.
> However, my main concern is that this extension is specific
> to a particular user application (POSIX information services)
> and, hence, not generally useful. Hence, I do not believe this
> new feature should be incorporated into OpenLDAP Software.
I guess we'll just keep that as a modification in the Mac OS X
version of OpenLDAP for now then.
We have a need to allow a posixGroup to be used by OpenLDAP and right
now the administrative tools don't populate DNs but rather
shortnames. Maybe this is something that could be implemented through
a plug-in which kept a list of uniqueMember values in sync with the
list of memberUid values? Alternately, is there any way to extend the
ACL system through plug-ins?
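The "ACL sets" alternative mentioned in the quoted message can be written without any patch to slapd. The fragment below is an added illustration for this thread, not code from either poster or from OpenLDAP itself; the DNs, the group name "admins" and the suffix dc=example,dc=com are made-up placeholders. It grants write access to a subtree to any bound user who is either listed by uid in the group's memberUid values or who carries the group's gidNumber as their primary gidNumber, which is the second membership path the quoted message points out that the patch misses.

```conf
# Added example slapd.conf ACL using set-based "by" clauses.
# Group and subtree DNs are placeholders; adjust to the real directory.
#
# "user/uid" dereferences the bound user's own entry and collects its
# uid attribute values, so membership is matched on the attribute, not
# on whatever naming attribute happens to appear in the user's DN.
# "[<dn>]/memberUid" reads memberUid from the named posixGroup entry.
# "&" is set intersection: a non-empty result means the clause matches.
access to dn.subtree="ou=People,dc=example,dc=com"
    by set="[cn=admins,ou=Groups,dc=example,dc=com]/memberUid & user/uid" write
    by set="[cn=admins,ou=Groups,dc=example,dc=com]/gidNumber & user/gidNumber" write
    by users read
    by * none
```

The two set clauses are listed separately rather than joined with "|" so the rule does not depend on parenthesised set expressions; slapd evaluates "by" clauses in order and moves on to the next one when a clause's "who" part does not match, so the gidNumber test is reached only for users not named in memberUid. Sets are documented as experimental in slapd.access(5) of that era, so the exact behaviour should be confirmed against the manual page of the version actually deployed, and the resulting access should be checked with slapacl before the configuration is relied on.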