[Date Prev][Date Next]
Re: Recursive Groups
"Mark R. Diggory" wrote:
> I've been working hard on developing an ACL based on many of the examples
> provided in the mail archives and faq for OpenLDAP. I wondering if anyone
> has attempted an acl that would recursively check group memberships for
> What I'd like to do is:
> dn: cn=group2,o=blaa
> member: cn=group1,o=blaa
> dn: cn=group1,o=blaa
> member: uid=joe_user,o=blaa
> dn: uid=joe_user,o=blaa
> and have joe_user be authenticated as if a member of both group1 and group2.
> Does anyone know if this is possible?
I don't think so; it could be done by adding a "recursive" flag
to the group membership ACL, which could cause group membership
check (backend_group ) being called repeatedly. Loop detecting
might be an issue, and it would surely be a nightmare for
performances if badly configured (think of a group with thousand
members that must be recursively checked ).
Dr. Pierangelo Masarati | voice: +39 02 2399 8309
Dip. Ing. Aerospaziale | fax: +39 02 2399 8334
Politecnico di Milano | mailto:email@example.com
via La Masa 34, 20156 Milano, Italy |