"Roles" in OpenLDAP?
I've been looking for some way to implement roles in my LDAP tree,
for simplified use in my ACLs. As I found, there is no problem
generating a static group (objectClass: groupOfNames,
groupOfUniqueNames) and filling it explicitly with members. So when I
add a new user into my LDAP and I want him to be in the group I have to
make two LDAP calls, one to insert the user and another to add this
new user to the group. This way I might be running into problems when
data becomes inconsistent.
So I looked for dynamic groups or roles, where membership (in a group)
is resolved by looking for a specific attribute (and a specific value)
in the user's entry. I found some threads regarding this topic, but I
didn't find a clear solution.
What I found:
There you have an attribute called "memberOf" in the user's entry, and
with that you can generate a dynamic group, as explained in
Problem is that this mechanism doesn't work with OpenLDAP, as far as I
SETS ("Roles" or "reversed groups"):
Sets do look good. You can write into your ACLs some lines like
access to <blah>
by set="user/someAttribute* & [someValue]" <permission>
Problem is, I want users with the corresponding someAttribute attribute
to be able to get access only to specific entries, namely entries that
have another specific attribute. E.g.:
- Entry A -
- user B -
So I'd like user B to be able to get access to entry A only if entry A
has this special value for the attribute faculty, like:
access to <blah>
by set="user/role* & [admin_SpecialGroup]" write
Problem is that as far as I understand ACLs, user B is now only able to
manipulate the attribute "faculty" (and only if it has the value
"SpecialGroup"), not more (like the entire entry or some other
attributes, like the password alone).
I hope I made my point clear. If not, please let me know so I can
reformulate my question (I'm no native English speaker).
Am I missing something? Does anyone know how to accomplish this? I'd be
"The lightning rod on a church steeple is the strongest conceivable
vote of no confidence in the good Lord."
-- Karl Kraus
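An added slapd.conf-style illustration (not code from the original post) of how the scenario above maps onto OpenLDAP's ACL syntax: the documented `filter=` clause on the `access to` target narrows which entries a rule covers, while a set over `this` (the entry being accessed) and `user` (the bound DN) compares attribute values of both sides. It assumes `role` and `faculty` are custom attributes already defined in the schema and uses `ou=entries,dc=example,dc=com` as a placeholder base.

```conf
# Password attribute first: slapd applies the first "access to" clause whose
# target matches, so this keeps the role-based grants below from ever
# reaching userPassword.
access to dn.subtree="ou=entries,dc=example,dc=com" attrs=userPassword
    by self write
    by anonymous auth
    by * none

# Variant 1: narrow the *target* with a filter, then gate the *requester*
# with a set. Every attribute of each entry whose faculty is SpecialGroup
# becomes writable for users whose role attribute contains
# admin_SpecialGroup; everyone else continues to the next clause.
access to dn.subtree="ou=entries,dc=example,dc=com"
        filter=(faculty=SpecialGroup)
    by set="user/role & [admin_SpecialGroup]" write
    by * break

# Variant 2: no literals. If the user's role values and the target entry's
# faculty values are spelled identically, the intersection is non-empty
# exactly when they share a value, so one clause covers every faculty.
access to dn.subtree="ou=entries,dc=example,dc=com"
    by set="this/faculty & user/role" write
    by * break
```

Check the result with `slapacl` (shipped with OpenLDAP) for a bound DN and a target entry before relying on it, since set expressions fail silently by simply granting nothing.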