
group inheritance (reasonable facsimile)



Hello,

I know that LDAP doesn't really support inheritance or anything fancy
like that but what I'm looking for is a way to do the following:

I am setting up a system for authentication and attempting to grant
certain rights on certain domains to users and groups of users. Take the
following hierarchy as an example:

dc=my_directory
--ou=groups
----cn=Administrators (groupOfUniqueNames) containing user1 from users
--ou=users
----cn=user1
----cn=user2
----cn=special_user
--ou=rights_map
----ou=domain1
------cn=read_access (groupOfUniqueNames)
                     contains user2 and the group Administrators
------cn=write_access (groupOfUniqueNames)
                      contains Administrators group and special_user
------cn=other_access (groupOfUniqueNames)
                      contains Administrators group
----ou=domain2
etc...
Then I want to set up ACLs like the following:

access to
dn.regex="^(cn=[^,]+,[^,]+(,?[^,]*,?)*ou=rights_map,dc=my_directory)$"
  attrs=entry
  by group/groupOfUniqueNames/uniqueMember.expand="$1" read

So in theory a piece of software connects to ldap and tests whether the
user can read the authentication mode (read_access write_access etc)
from a given domain. If so the user has that type of access otherwise
not. I have a system set up that works all except the case where the
user is not explicitly placed in the group for the desired right. If
only the group containing his user is there it does not work. 

Now this makes perfect sense to me because the rights group contains the
DN of the user group but knows nothing of the users within that group.

Is there any way around this? Group recursion I would think is a highly
desirable feature. If it can't work exactly the way I'm hoping I'm open
to suggestions.

Thanks.

Lee Jensen
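As an added illustration (not part of the original post, and not OpenLDAP's own code), the following Python models the tree from the message as a constructed snapshot and shows the difference between the one-level membership check the `group/groupOfUniqueNames/uniqueMember` ACL performs and the transitive expansion the poster is asking for. The directory contents, the `has_right` helper and the `nested` flag are assumptions made for this example; the only behaviour taken from the post is that a group nested inside a rights group does not confer that right on its members.

```python
"""Nested-group resolution for a rights_map tree like the one in the post.

Constructed example. DIRECTORY is a snapshot of the groupOfUniqueNames
entries only: DN -> list of uniqueMember DNs. Anything not listed as a key
is treated as a leaf (a user entry).
"""

BASE = "dc=my_directory"

DIRECTORY = {
    f"cn=Administrators,ou=groups,{BASE}": [
        f"cn=user1,ou=users,{BASE}",
    ],
    f"cn=read_access,ou=domain1,ou=rights_map,{BASE}": [
        f"cn=user2,ou=users,{BASE}",
        f"cn=Administrators,ou=groups,{BASE}",
    ],
    f"cn=write_access,ou=domain1,ou=rights_map,{BASE}": [
        f"cn=Administrators,ou=groups,{BASE}",
        f"cn=special_user,ou=users,{BASE}",
    ],
    f"cn=other_access,ou=domain1,ou=rights_map,{BASE}": [
        f"cn=Administrators,ou=groups,{BASE}",
    ],
}


def direct_members(group_dn, directory=DIRECTORY):
    """One-level membership: the DNs literally present in uniqueMember.

    This is the check the ACL in the post evaluates, which is why a user
    reachable only through a nested group is denied."""
    return set(directory.get(group_dn, []))


def expand_members(group_dn, directory=DIRECTORY, _seen=None):
    """Transitive closure of uniqueMember, descending into nested groups.

    _seen records every group already visited so that a cycle (A contains
    B, B contains A) or a group reachable by two paths is expanded once."""
    if _seen is None:
        _seen = set()
    _seen.add(group_dn)
    members = set()
    for member in directory.get(group_dn, []):
        if member in directory:                # member is itself a group
            if member not in _seen:
                members |= expand_members(member, directory, _seen)
        else:
            members.add(member)                # leaf: a user DN
    return members


def rights_group_dn(domain, right):
    """Build the DN of a rights group under ou=rights_map (assumed layout)."""
    return f"cn={right},ou={domain},ou=rights_map,{BASE}"


def has_right(user_dn, domain, right, directory=DIRECTORY, nested=True):
    """Return True if user_dn holds `right` on `domain`.

    nested=False reproduces the one-level behaviour described in the post;
    nested=True resolves group-in-group membership."""
    group = rights_group_dn(domain, right)
    if group not in directory:
        return False
    resolver = expand_members if nested else direct_members
    return user_dn in resolver(group, directory)


if __name__ == "__main__":
    user1 = f"cn=user1,ou=users,{BASE}"
    for right in ("read_access", "write_access", "other_access"):
        print(f"{right:13} direct={has_right(user1, 'domain1', right, nested=False)!s:5} "
              f"nested={has_right(user1, 'domain1', right)}")
```

Running the block prints `direct=False nested=True` for user1 on all three domain1 rights, which is exactly the gap the post describes. The same closure is what an out-of-band job would compute if it materialised the expanded membership back into each rights group, so that a one-level check on the server side becomes sufficient; the cycle guard matters in that setting because an accidental A-in-B-in-A loop in the groups tree should degrade to a finite result rather than a hang.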