Re: groups of groups search ?
The problem with the size of groups is why Netscape implemented dynamic
groups, which are essentially LDAP URLs & entries are considered members of
the group if they match the filter component of the LDAP URL.
For example, the search filter of the URL (sorry, I've been up for a long time
& can't seem to recall the exact LDAP URL syntax ;) is sn=Wilcox.
You get the filter component of the URL.
You get the uid and password from the user.
You retrieve the entry, including the values of the attribute of the URL
filter (e.g. sn).
Check to see if a value in the returned entry matches the search term. If so,
proceed to the authentication check, else fail.
Then perform the bind to see if the password is correct (by performing the bind
last, that's one less network connection needed if the user doesn't meet the
group requirement).
A dynamic group could easily support millions of entries with a properly
configured LDAP server.
Mark
-----Original Message-----
From: Gerrit Thomson <334647@swin.edu.au>
To: openldap-general@OpenLDAP.org <openldap-general@OpenLDAP.org>
Date: Thursday, August 05, 1999 6:45 PM
Subject: groups of groups search ?
>Hi Folks,
> I have been throwing around some ideas in my head, lots of room,
>about Role based access controls.
> I have been using them for many of the services I manage eg.
>apache, linux.
>
>An access control problem has arisen recently with regards to using the
>groups in access control lists.
>I am thinking of implementing access control information for a service
>with four groups:
> allowed_users,
> disallowed_users,
> allowed_groups,
> disallowed_groups.
>
>Obviously these would be group / groupofuniquenames (server dependent)
>and the *_users groups are easy to do as a simple membership check. The
>problem arises in the *_groups processing.
>
>Possible process implementations might be:
>A: find all groups a person is a member of, for each group check
>membership of *_groups.
> This could involve a lot of searches.
>
>B: find all the groups a person is a member of, for each group compare
>the dn with the list of DN's in the target *_group.
>
>C: for each group in the *_group member list, check membership of user.
>
>None of these are part of the current openldap process. So I am looking
>at interpreting the acl structures in another system.
>
>I thought of the implications of defining a new objectclass of
>groupofgroups and perhaps implementing one of the above in the ldap
>server code.
>
>Is there a provision for special processing of the values of a
>particular attribute as an api hook? For instance the comparison
>operations for special types such as DNs, telephone numbers.
>
>Is this part of LDAPv3 ??
>
>I know that netscape ES provides for groups as members of groups but I
>feel that their approach could be overwhelming on the resources point of
>view. I think they check the objectclass of each member of the group to
>see if there are any groups to check as well.
>
>Doing this kind of check on small groups is ok but when the groups get to
>10K to 50K members it is not feasible to do.
>
>Cheers,
> Gerrit Thomson.
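The dynamic-group check Mark describes above (take the filter component of the LDAP URL, retrieve the user's entry with only the filter's attributes, test the entry against the filter, and bind last), worked through as an added example in Python. This is not code from the thread, from Netscape's server or from OpenLDAP: the sample directory, the two accounts, the `ldap.example.com` URL and the `bind()` stand-in are constructed for the example, and the filter parser handles only the equality/substring subset of RFC 2254 with `&`, `|` and `!`.

```python
"""Dynamic-group check driven by an LDAP URL: parse the URL's filter, fetch the
user's entry, test it against the filter, and bind only if the user qualifies.
The directory, accounts and bind() are constructed stand-ins for a real LDAP
server; this is example code, not Netscape's or OpenLDAP's implementation."""
import re
from urllib.parse import unquote, urlsplit

# Constructed sample directory: dn -> attribute -> values.
DIRECTORY = {
    "uid=mwilcox,ou=people,dc=example,dc=com": {
        "objectClass": ["person", "inetOrgPerson"], "uid": ["mwilcox"],
        "sn": ["Wilcox"], "userPassword": ["s3cret"]},
    "uid=gthomson,ou=people,dc=example,dc=com": {
        "objectClass": ["person", "inetOrgPerson"], "uid": ["gthomson"],
        "sn": ["Thomson"], "userPassword": ["hunter2"]},
}
# Hypothetical dynamic group: entries under ou=people whose sn is Wilcox.
GROUP_URL = "ldap://ldap.example.com/ou=people,dc=example,dc=com??sub?(sn=Wilcox)"

def parse_ldap_url(url):
    """Split an RFC 2255 URL, ldap://host[:port]/base?attrs?scope?filter,
    into its parts, applying the RFC defaults for missing ones."""
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps"):
        raise ValueError("not an LDAP URL: %r" % url)
    fields = (parts.query.split("?") + ["", "", ""])[:3]
    return {"host": parts.netloc, "base": unquote(parts.path.lstrip("/")),
            "attrs": [a for a in fields[0].split(",") if a],
            "scope": fields[1] or "base",
            "filter": unquote(fields[2]) or "(objectClass=*)"}

def _parse(s, i):
    """Recursive-descent parser for a subset of RFC 2254 filters: attr=value
    items (with '*' wildcards) combined by &, | and !.  Extensible, >=, <=, ~=
    and backslash escapes are not handled.  Returns (node, next_offset)."""
    if s[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    if s[i] in "&|":
        op, kids, i = s[i], [], i + 1
        while s[i] == "(":
            kid, i = _parse(s, i)
            kids.append(kid)
    elif s[i] == "!":
        kid, i = _parse(s, i + 1)
        op, kids = "!", [kid]
    else:
        end = s.index(")", i)
        attr, sep, value = s[i:end].partition("=")
        if not (sep and attr and value):
            raise ValueError("unsupported filter item %r" % s[i:end])
        return ("=", attr.strip().lower(), value), end + 1
    if s[i] != ")":
        raise ValueError("unbalanced filter at offset %d" % i)
    return (op, kids), i + 1

def parse_filter(text):
    """Parse a complete filter; a bare 'sn=Wilcox' as in Mark's mail is accepted."""
    if not text.startswith("("):
        text = "(%s)" % text
    node, end = _parse(text, 0)
    if end != len(text):
        raise ValueError("trailing data after filter")
    return node

def filter_attrs(node):
    """Attribute names the filter touches: the only ones worth retrieving."""
    if node[0] == "=":
        return {node[1]}
    return set().union(*(filter_attrs(k) for k in node[1]))

def matches(node, entry):
    """Evaluate a parsed filter against an entry (values compared case-insensitively,
    like caseIgnoreMatch; '*' in the value is a substring wildcard)."""
    op = node[0]
    if op in "&|":
        combine = all if op == "&" else any
        return combine(matches(k, entry) for k in node[1])
    if op == "!":
        return not matches(node[1][0], entry)
    _, attr, value = node
    pattern = "^" + ".*".join(re.escape(p) for p in value.split("*")) + "$"
    return any(re.match(pattern, v, re.IGNORECASE)
               for name, vals in entry.items() if name.lower() == attr
               for v in vals)

def bind(dn, password):
    """Stand-in for an LDAP simple bind against the sample directory."""
    entry = DIRECTORY.get(dn)
    return bool(entry) and password in entry.get("userPassword", [])

def authorize(group_url, uid, password):
    """Mark's ordering: find the entry, apply the URL's filter, bind last.
    Returns 'no-such-user', 'not-member', 'bad-password' or 'ok'."""
    flt = parse_filter(parse_ldap_url(group_url)["filter"])
    dn = next((d for d, e in DIRECTORY.items() if uid in e.get("uid", [])), None)
    if dn is None:
        return "no-such-user"
    # Retrieve only the attributes the filter names, as the mail suggests.
    entry = {k: v for k, v in DIRECTORY[dn].items() if k.lower() in filter_attrs(flt)}
    if not matches(flt, entry):
        return "not-member"          # refused before any bind is attempted
    return "ok" if bind(dn, password) else "bad-password"
```

Against a real server the search would use the URL's `base`, `scope` and `filter_attrs(flt)` as the attribute list, and `bind()` would be the simple bind on a second connection. One caveat of doing the membership test before the bind: the four distinct results are useful server-side, but a front end that shows them to the client lets an unauthenticated caller learn whether a uid is in the group, so the client should see one generic failure for anything other than `ok`.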