RE: Recursive groups?
The ACL facility already supports recursive groups for access control,
specified using Sets.
The Set facility isn't well documented; all the documentation that exists is
in the above FAQ article. Feel free to work with it and add anything you
-- Howard Chu
Chief Architect, Symas Corp. Director, Highland Sun
Symas: Premier OpenSource Development and Support
> -----Original Message-----
> From: owner-openldap-software@OpenLDAP.org
> [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of firstname.lastname@example.org
> I've seen a few notes about group membership being specified recursively in
> the archives (about a year ago). Someone evidently submitted a patch, but it
> was never added to the production line?
> I'm interested in what the thinking is on this notion.
> What I want to do is essentially define groups such as:
> member: cn=joeshmoe
> member: cn=janeshmoe
> In this case (obviously) the goal is to rationalize ACL definitions: One ACL
> per protected attribute, and the engine can traverse the groups. But the
> applications are myriad. Here's just a teense.
> member: cn=isInChemistryClass1
> member: cn=isInChemistryClass2
> member: cn=isInChemistrySection101
> member: cn=isInChemistrySection102
> member: cn=isInChemistrySection201
> member: cn=isInChemistrySection202
> member: cn=Electronic Sales
> member: cn=Direct Marketing
> member: cn=Park Muggers
> There's all kinds of set math which could be done once, intelligently, in the
> server, and which would save many people implementing it badly, repeatedly, in
> their applications.
> - Allen S. Rout
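
The nested-group traversal discussed in this thread, as an added example that is not part of the original messages and is not OpenLDAP code: it expands a group through its member groups, visits each DN once so a membership loop cannot recurse forever, and reports when a depth limit cut the walk short. The group `cn=isInChemistry`, the nesting of the other names and the DN comparison rule are assumptions made for illustration.

```python
def norm(dn):
    # Simplified DN comparison (assumption): case-insensitive, spaces around commas ignored.
    return ",".join(part.strip() for part in dn.lower().split(","))

# Constructed sample data: group DN -> member DNs. The names echo the thread;
# cn=isInChemistry and the nesting shown here are hypothetical.
DIRECTORY = {
    "cn=isInChemistry": ["cn=isInChemistryClass1", "cn=isInChemistryClass2"],
    "cn=isInChemistryClass1": ["cn=isInChemistrySection101", "cn=isInChemistrySection102"],
    "cn=isInChemistryClass2": ["cn=isInChemistrySection201", "cn=isInChemistrySection202"],
    "cn=isInChemistrySection101": ["cn=joeshmoe"],
    # Deliberate loop: a section that lists the top-level group as a member.
    "cn=isInChemistrySection202": ["cn=janeshmoe", "cn=isInChemistry"],
}

def expand_members(directory, group_dn, max_depth=16):
    """Return (non-group DNs reachable from group_dn, truncated_flag)."""
    groups = {norm(k): [norm(m) for m in v] for k, v in directory.items()}
    root = norm(group_dn)
    seen, leaves, truncated = {root}, set(), False
    stack = [(root, 0)]
    while stack:
        dn, depth = stack.pop()
        for member in groups.get(dn, ()):
            if member in seen:          # loop or shared subgroup: visit each DN once
                continue
            seen.add(member)
            if member not in groups:
                leaves.add(member)      # not a group in this data: an end entry
            elif depth + 1 >= max_depth:
                truncated = True        # nested too deep: stop here and report it
            else:
                stack.append((member, depth + 1))
    return leaves, truncated

def is_member(directory, group_dn, user_dn, max_depth=16):
    # A DN that was not reached is not a member, so a truncated walk denies.
    leaves, _ = expand_members(directory, group_dn, max_depth)
    return norm(user_dn) in leaves
```

The loop in the sample data makes `cn=joeshmoe` a member of `cn=isInChemistryClass2` as well, so an audit of nested groups should flag back-references, not only guard against them.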