[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: reverse membership and permissions

Jason Dusek wrote:
  I'm curious about the intended permissions model for reverse
  group membership:


  Consider the case where a user should only have write access to
  their own attributes and a friends groups to which they can add
  their friends. The reverse group membership overlay is used to
  propogate `memberOf` of attributes to all the users that they
  add to their group of friends. We do it this way because
  'denormalizations' of this kind are helpful for query

  For this application, it seems right for the overlay to
  propogate changes that a user does not have permission to
  execute themselves -- we don't have to let a user know who
  anybody else's friends are, for example; nor can they change
  that attribute.

  If this can be added, it'd be great. If it's already possible,
  I'd appreciate it if it were part of the documentation.

It's possible and already documented in the man page (man slapo-memberof):

memberof-dn <dn>
The value <dn> contains the DN that is used as modifiersName fo r internal modifications performed to update the reverse group membership. It defaults to the rootdn of the underlying database.

Kind Regards,

Gavin Henry.

T +44 (0) 1224 279484
M +44 (0) 7930 323266
F +44 (0) 1224 824887
E ghenry@suretecsystems.com

Open Source. Open Solutions(tm).


Suretec Systems is a limited company registered in Scotland. Registered
number: SC258005. Registered office: 13 Whiteley Well Place, Inverurie,
Aberdeenshire, AB51 4FP.