Re: need transactions in openldap 2.3.*
Dmitriy Kirhlarov wrote:
Now we are using an ldap-tree for auth of several services on many hosts.
We have two types of admins (admin1 and admin2 roles) and I want
- admin1 can edit cn=usergroup1, but can't edit cn=usergroup2.
- admin2 can edit both.
(I know how I can do it).
A user can be registered in both groups, or just in one.
We are developing our own ldap admin-tool for user management.
When a user is gone, we remove his id from all groups and lock his
account. Usually, this is work for admin1.
We need this behavior of our tool:
If we can't remove the user id from some group (insufficient access), we
do nothing. Just answer to admin1 "You can't remove user from group2
-- ask admin2".
For this behavior we need either transactions or some easy way to
check our access rights for all entries which we want to modify.
Afaik, transactions are not feasible for our case.
What about checking access rights on client side without performing

I think the NoOp control will suffice here. It will do all of the checks
for the modification (including access control) without actually
committing the changes.
-- Howard Chu
Chief Architect, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc
OpenLDAP Core Team http://www.openldap.org/project/
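
The pre-flight check suggested in the reply, as an added example that is not part of the original message or of OpenLDAP's code: every planned modify is first sent with the NoOp control, and the real modifies go out only if none is denied. The `modify` transport, `FakeDirectory`, the base DN and the attribute names are constructed for illustration; the control OID and the 0x410e result code are quoted from OpenLDAP's `ldap.h` and should be checked against the installed version.

```python
from typing import Callable, List, Tuple

NOOP_OID = "1.3.6.1.4.1.4203.666.5.2"  # LDAP_CONTROL_NOOP per OpenLDAP ldap.h; verify for your version
SUCCESS, INSUFFICIENT_ACCESS = 0, 50   # RFC 4511 result codes
NO_OPERATION = 0x410E                  # LDAP_X_NO_OPERATION per OpenLDAP ldap.h; verify likewise

Change = Tuple[str, str, str]          # (op, attribute, value)
# Hypothetical transport: (dn, changes, [(control_oid, critical)]) -> result code
Modify = Callable[[str, List[Change], List[Tuple[str, bool]]], int]

def apply_all_or_nothing(modify: Modify, plan) -> Tuple[bool, List[str]]:
    """Dry-run every modify with NoOp; commit only if none is denied."""
    # Critical flag: a server without NoOp support must refuse the request
    # instead of silently ignoring the control and applying the change.
    noop = [(NOOP_OID, True)]
    blocked = []
    for dn, changes in plan:
        rc = modify(dn, changes, noop)
        if rc == INSUFFICIENT_ACCESS:
            blocked.append(dn)
        elif rc != NO_OPERATION:
            raise RuntimeError(f"dry run on {dn} returned {rc}")
    if blocked:
        return False, blocked          # nothing was written; report who to ask
    for dn, changes in plan:           # commit phase: still separate operations,
        rc = modify(dn, changes, [])   # so an ACL change in between can fail here
        if rc != SUCCESS:
            raise RuntimeError(f"commit on {dn} returned {rc}")
    return True, []

class FakeDirectory:
    """Constructed stand-in for slapd that enforces a per-entry write ACL."""
    def __init__(self, writable):
        self.writable, self.applied = set(writable), []
    def modify(self, dn, changes, controls):
        if dn not in self.writable:
            return INSUFFICIENT_ACCESS
        if (NOOP_OID, True) in controls:
            return NO_OPERATION        # all checks passed, nothing committed
        self.applied.append((dn, changes))
        return SUCCESS

# Constructed sample data: base DN and attribute names are assumptions.
G1 = "cn=usergroup1,ou=groups,dc=example,dc=com"
G2 = "cn=usergroup2,ou=groups,dc=example,dc=com"
USER = "uid=jdoe,ou=people,dc=example,dc=com"
PLAN = [(G1, [("delete", "memberUid", "jdoe")]),
        (G2, [("delete", "memberUid", "jdoe")]),
        (USER, [("replace", "loginShell", "/sbin/nologin")])]
```

The check and the commit are separate operations, so this narrows the window for a partial update but does not make the change atomic.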