[Date Prev][Date Next] [Chronological] [Thread] [Top]

"Roles" in OpenLDAP?

Hi there,

i've been looking for some way to implement Roles into my LDAP-tree, for simplified use in my ACLs. As i found, there is no problem generating a static group (objectClass: groupOfNames, groupOfUniqueNames) and filling it explicitely with members. So when i add a new user into my LDAP and i want him to be in the group i have to make to LDAP calls, one to insert the user and one other to add this new user to the group. This way i might be running into problems when data becomes inconsistent.

So i looked for dynamic groups or roles, where membership (in a group) is resolved by looking for a specific attribute (and a specific value) in the user's entry. I found some threads regarding this topic, but i didn't found a clear solution.

What i found:

There you have an attribute called "memberOf" in the user's entry, and with that you can generate a dynamic group, as explained in http://www.openldap.org/lists/openldap-software/200305/msg00863.html
Problem is that this mechanics doesn't work with OpenLDAP, as far as i found out.

SETS ("Roles" or "reversed groups"): ==== (http://www.openldap.org/faq/data/cache/452.html) Sets do look good. You can write into your ACLs some lines like

access to <blah>
	by set="user/someAttribute* & [someValue]" <permission>

Problem is, i want users with the corresponding someAttribute attribute to be able to only get acces to specific entries, namely entries that have another specific attribute. E.G.:

- Entry A -
dn: blah
faculty: SpecialGroup

- user B -
dn: foo
role: admin_SpecialGroup

So i'd like user B to be able to get access to entry A only if entry A has this special value for the attribute faculty, like:

access to <blah>
	attrs=faculty val="SpecialGroup"
	by set="user/role* & [admin_SpecialGroup]" write

Problem is that as far as i understand ACLs, user B is now only able to manipulate the attribute "faculty" (and only if it has the value "SpecialGroup"), not more (like the entire entry or some other attributes, like password alone).

I hope i made my point clear. If not, please let me know so i can reformulate my question (am no native english speaker).
Am i missing something? Does anyone know how to accomplish this? I'd be eternal grateful.


"Der Blitzableiter auf einem Kirchturm ist das denkbar stärkste Misstrauensvotum gegen den lieben Gott."
-- Karl Kraus