
Re: "Roles" in OpenLDAP?



Hi,

On Sunday 28 March 2004 20:36, Nikos Voutsinas wrote:
> The point here is: does openldap support *server-side dynamic roles* ?
> Not groups but roles! If not, then is there any other method, that may
> take advantage of openldap dynamic groups, in order to simplify the
> procedure I described in the previous paragraph?
>
> The issue I raised in my initial mail is that even if openldap provides
> (or will provide) an operational attribute that is going to be used as
> server-side dynamic role, this attribute should not be used by any
> external application unless there is a way to define more than one
> service specific, server-side dynamic role, (radius-role,
> yourapplication-role etc etc), where each xxx-role is related with a
> specific set of filters.
>
> Anyway, I suspect that openldap dynamic groups are not what the
> community describes as server-side dynamic roles. If that is the case,
> most probably it was my mistake to initiate this thread.


Maybe we did not get exactly what the notion "server-side dynamic roles"
means to you exactly.
Especially what differentiates them from server-side dynamic groups.

In my understanding a role is a group + rights bound to that group.
LDAP directories are usually used to store the "group part" of roles
while the associations between groups and the rights are done in the 
applications themselves.
E.g. consider Apache: while it can use various modules to read group 
memberships from (SQL, LDAP, ...) the association between the
rights to a specific page and the entitled users/groups is done in httpd.conf.

Peter

-- 
Peter Marschall
eMail: peter@adpm.de
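
The split described in the message above, as an added example that is not part of the original post: group membership lives in the directory, while httpd.conf binds each right to a group or to a filter. It assumes Apache httpd 2.4 with mod_ldap and mod_authnz_ldap loaded; the host name, DNs, paths and filter values are constructed.

```apache
# Added example; ldap.example.org, all DNs, paths and filter values are constructed.

<Location "/reports">
    AuthType Basic
    AuthName "Reports"
    AuthBasicProvider ldap
    # User lookup: the directory only answers "who is this user?"
    # ldaps:// keeps the bind credentials off the wire in clear text.
    AuthLDAPURL "ldaps://ldap.example.org/ou=people,dc=example,dc=org?uid?sub"
    # Group entries list their members by DN in the "member" attribute.
    AuthLDAPGroupAttribute member
    AuthLDAPGroupAttributeIsDN on
    # The right (access to /reports) is bound to the group here, not in LDAP.
    Require ldap-group cn=report-readers,ou=groups,dc=example,dc=org
</Location>

<Location "/helpdesk">
    AuthType Basic
    AuthName "Helpdesk"
    AuthBasicProvider ldap
    AuthLDAPURL "ldaps://ldap.example.org/ou=people,dc=example,dc=org?uid?sub"
    # A service-specific "role" expressed as a filter that this application owns.
    # mod_authnz_ldap combines it with the user search filter itself, so the
    # filter is written without its outer parentheses.
    Require ldap-filter "&(objectClass=inetOrgPerson)(ou=helpdesk)"
</Location>
```

Changing who holds either right means editing group membership or entry attributes in the directory; changing what the right grants means editing httpd.conf.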