
groups of groups search ?



Hi Folks,
    I have been throwing around some ideas in my head (lots of room) about role-based access controls.
    I have been using them for many of the services I manage, e.g. apache, linux.

An access control problem has arisen recently with regards to using groups in access control lists.
I am thinking of implementing access control information for a service with four groups:
        allowed_users,
        disallowed_users,
        allowed_groups,
        disallowed_groups.

Obviously these would be group / groupofuniquenames (server dependent), and the *_users groups are easy to do as a simple membership check. The problem arises in the *_groups processing.

Possible process implementations might be:
A: find all groups a person is a member of; for each group, check membership of *_groups.
            This could involve a lot of searches.

B: find all the groups a person is a member of; for each group, compare the DN with the list of DNs in the target *_group.

C: for each group in the *_group member list, check membership of the user.

None of these are part of the current openldap process, so I am looking at interpreting the acl structures in another system.

I thought of the implications of defining a new objectclass of groupofgroups and perhaps implementing one of the above in the ldap server code.

Is there a provision for special processing of the values of a particular attribute as an api hook? For instance, the comparison operations for special types such as DNs and telephone numbers.

Is this part of LDAPv3?

I know that netscape ES provides for groups as members of groups, but I feel that their approach could be overwhelming from a resources point of view. I think they check the objectclass of each member of the group to see if there are any groups to check as well.

Doing this kind of check on small groups is ok, but when the groups get to 10K to 50K members it is not feasible to do.

Cheers,
    Gerrit Thomson.
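The following is an added worked example, not code from the original post, the OpenLDAP project, or any directory server. It models a directory as an in-memory dict of groupOfUniqueNames entries (constructed sample data, including a nesting cycle) and evaluates the four-attribute policy described above. It implements approach A (walk upward from the user through nested groups) and approach C (walk downward from a target group through its members), both with cycle protection, and counts the "searches" each needs so the cost trade-off is visible. The deny-before-allow evaluation order and all DNs are assumptions of this example.

```python
"""Nested-group policy evaluation over an in-memory directory (added example)."""
from collections import deque

# Constructed sample directory keyed by DN. Note staff <-> admins form a cycle,
# which a naive recursive walk would loop on forever.
DIRECTORY = {
    "cn=staff,ou=groups,dc=example,dc=com": {
        "objectClass": ["groupOfUniqueNames"],
        "uniqueMember": ["uid=alice,ou=people,dc=example,dc=com",
                         "cn=admins,ou=groups,dc=example,dc=com"],
    },
    "cn=admins,ou=groups,dc=example,dc=com": {
        "objectClass": ["groupOfUniqueNames"],
        "uniqueMember": ["uid=bob,ou=people,dc=example,dc=com",
                         "cn=staff,ou=groups,dc=example,dc=com"],
    },
    "cn=contractors,ou=groups,dc=example,dc=com": {
        "objectClass": ["groupOfUniqueNames"],
        "uniqueMember": ["uid=carol,ou=people,dc=example,dc=com"],
    },
    "cn=blocked,ou=groups,dc=example,dc=com": {
        "objectClass": ["groupOfUniqueNames"],
        "uniqueMember": ["uid=carol,ou=people,dc=example,dc=com"],
    },
}

# Assumed policy layout: four lists of DNs, mirroring the post's four groups.
POLICY = {
    "allowed_users": ["uid=dave,ou=people,dc=example,dc=com"],
    "disallowed_users": ["uid=eve,ou=people,dc=example,dc=com"],
    "allowed_groups": ["cn=staff,ou=groups,dc=example,dc=com"],
    "disallowed_groups": ["cn=blocked,ou=groups,dc=example,dc=com"],
}


def direct_groups(member_dn, directory):
    """One simulated LDAP search: groups whose uniqueMember lists member_dn."""
    return [dn for dn, e in directory.items()
            if "groupOfUniqueNames" in e.get("objectClass", [])
            and member_dn in e.get("uniqueMember", [])]


def transitive_groups(user_dn, directory):
    """Approach A: breadth-first walk upward from the user through nested groups.
    Returns (set of group DNs, number of searches issued). Cost grows with the
    number of groups the user belongs to, not with the size of any one group."""
    seen, searches = set(), 0
    queue = deque([user_dn])
    while queue:
        dn = queue.popleft()
        searches += 1
        for group in direct_groups(dn, directory):
            if group not in seen:          # cycle / diamond protection
                seen.add(group)
                queue.append(group)
    return seen, searches


def member_of_group(user_dn, group_dn, directory):
    """Approach C: walk downward from a target group through its member list,
    descending into members that are themselves groups. Returns (bool, number of
    entries examined); cost grows with the target group's size (the 10K-50K case)."""
    visited, examined = set(), 0
    stack = [group_dn]
    while stack:
        dn = stack.pop()
        if dn in visited:
            continue
        visited.add(dn)
        for member in directory.get(dn, {}).get("uniqueMember", []):
            examined += 1
            if member == user_dn:
                return True, examined
            if member in directory:        # member is a group: descend
                stack.append(member)
    return False, examined


def evaluate(user_dn, policy, directory):
    """Assumed order: explicit user deny, group deny, explicit user allow,
    group allow, then default deny. Returns (decision, matched rule)."""
    if user_dn in policy["disallowed_users"]:
        return False, "disallowed_users"
    groups, _ = transitive_groups(user_dn, directory)
    if groups & set(policy["disallowed_groups"]):
        return False, "disallowed_groups"
    if user_dn in policy["allowed_users"]:
        return True, "allowed_users"
    if groups & set(policy["allowed_groups"]):
        return True, "allowed_groups"
    return False, "default deny"


if __name__ == "__main__":
    for uid in ("alice", "bob", "carol", "dave", "eve", "mallory"):
        dn = f"uid={uid},ou=people,dc=example,dc=com"
        print(uid, evaluate(dn, POLICY, DIRECTORY))
```

Approach A issues one search per group the user is reachable from, so a user in a handful of groups is cheap regardless of group size; approach C examines the target group's members one by one, which is where the very large groups mentioned above become expensive. Whichever direction is walked, the visited-set is what keeps a group that (directly or indirectly) contains itself from turning the check into an infinite loop.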