[Date Prev][Date Next] [Chronological] [Thread] [Top]

reverse membership and permissions

To: openldap-software@openldap.org
Subject: reverse membership and permissions
From: "Jason Dusek" <jason.dusek@gmail.com>
Date: Mon, 16 Jun 2008 15:19:49 -0700
Content-disposition: inline

  I'm curious about the intended permissions model for reverse
  group membership:

    http://www.openldap.org/doc/admin24/overlays.html#Reverse%20Group%20Membership%20Maintenance

  Consider the case where a user should only have write access to
  their own attributes and a friends groups to which they can add
  their friends. The reverse group membership overlay is used to
  propogate `memberOf` of attributes to all the users that they
  add to their group of friends. We do it this way because
  'denormalizations' of this kind are helpful for query
  efficiency.

  For this application, it seems right for the overlay to
  propogate changes that a user does not have permission to
  execute themselves -- we don't have to let a user know who
  anybody else's friends are, for example; nor can they change
  that attribute.

  If this can be added, it'd be great. If it's already possible,
  I'd appreciate it if it were part of the documentation.

-- 
_jsn

Follow-Ups:
- Re: reverse membership and permissions
  - From: Gavin Henry <ghenry@suretecsystems.com>

Prev by Date: slapo-rwm and map attribute
Next by Date: Re: syncrepl in OpenLDAP 2.3.x and updating on a replica
Index(es):
- Chronological
- Thread