RE: "Roles" in OpenLDAP?
> -----Original Message-----
> From: owner-openldap-software@OpenLDAP.org
> [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Dieter Kluenter
> Bela Kovac <firstname.lastname@example.org> writes:
> > Hi there,
> > I've been looking for some way to implement Roles into my LDAP-tree,
> > for simplified use in my ACLs. As I found, there is no problem
> > generating a static group (objectClass: groupOfNames,
> > groupOfUniqueNames) and filling it explicitly with members. So when I
> > add a new user into my LDAP and I want him to be in the group I have
> > to make two LDAP calls, one to insert the user and one other to add
> > this new user to the group. This way I might be running into problems
> > when data becomes inconsistent.
> > So I looked for dynamic groups or roles, where membership (in a group)
> > is resolved by looking for a specific attribute (and a specific value)
> > in the user's entry. I found some threads regarding this topic, but I
> > didn't find a clear solution.
> With OpenLDAP-2.2.x you may compile with the flag --with-dyngroup and
> search the docs for dynamic group overlay.
Dynamic groups are always supported for ACLs in OpenLDAP 2.2. The only thing
the dynamic group overlay (--with-dyngroup option) does is allow using
LDAPCompare to test the membership of a dynamic group. If all you need is ACL
support you don't need this option.
-- Howard Chu
Chief Architect, Symas Corp. Director, Highland Sun
Symas: Premier OpenSource Development and Support
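
Added example, not part of the original thread and not slapd's own code: a simplified model of how a dynamic group resolves membership from the user's own entry, as discussed above. It assumes the group stores an LDAP URL (the memberURL convention of groupOfURLs); the DNs, the employeeType attribute and all function names are constructed for illustration, and only a single equality filter is modelled.

```python
# Added illustration: membership is computed from the user's entry,
# so there is no second write to a group object that can drift out of sync.
import re

def norm_dn(dn):
    """Lowercase and trim RDNs (assumes no escaped commas in the DN)."""
    return ",".join(p.strip() for p in dn.lower().split(","))

def parse_member_url(url):
    """Split ldap:///base?attrs?scope?filter into (base, scope, attr, value)."""
    if not url.startswith("ldap:///"):
        raise ValueError("expected an ldap:/// URL")
    fields = url[len("ldap:///"):].split("?") + ["", "", ""]
    base, _attrs, scope, flt = fields[:4]
    m = re.fullmatch(r"\(([A-Za-z][\w-]*)=([^()*\\]+)\)", flt)
    if not m:
        raise ValueError("only a single (attr=value) filter is modelled")
    return norm_dn(base), scope or "base", m.group(1).lower(), m.group(2).lower()

def in_scope(dn, base, scope):
    """Apply LDAP search scope semantics to a candidate DN."""
    dn = norm_dn(dn)
    if scope == "base":
        return dn == base
    if scope == "one":
        return dn.partition(",")[2] == base
    if scope == "sub":
        return dn == base or dn.endswith("," + base)
    raise ValueError("unknown scope: " + scope)

def is_member(entry, member_url):
    """True if the entry lies in the URL's scope and matches its filter."""
    base, scope, attr, value = parse_member_url(member_url)
    values = [v.lower() for k, vs in entry["attrs"].items()
              if k.lower() == attr for v in vs]
    return in_scope(entry["dn"], base, scope) and value in values

# Constructed sample data (not from the thread)
ROLE_URL = "ldap:///ou=people,dc=example,dc=com??sub?(employeeType=admin)"
ALICE = {"dn": "uid=alice,ou=People,dc=example,dc=com", "attrs": {"employeeType": ["admin"]}}
BOB = {"dn": "uid=bob,ou=people,dc=example,dc=com", "attrs": {"employeeType": ["staff"]}}
CAROL = {"dn": "uid=carol,ou=partners,dc=example,dc=com", "attrs": {"employeeType": ["admin"]}}

if __name__ == "__main__":
    for e in (ALICE, BOB, CAROL):
        print(e["dn"], "->", is_member(e, ROLE_URL))
```

Because the role follows the attribute, anyone allowed to write that attribute can grant the role, so write access to it needs the same ACL protection a static group's member list would get.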