
Re: Permission management with LDAP


I've tried your idea. It worked well with groupOfNames.
Then I've tried to implement the memberof overlay for a user-specific objectClass:
Dn: olcOverlay={1}
objectClass: olcConfig
objectClass: olcOverlayConfig
objectClass: olcMemberOf
olcOverlay: memberof
olcMemberOfDangling: ignore
olcMemberOfRefInt: TRUE
olcMemberOfGroupOC: GroupOfPermissions
olcMemberOfMemberAD: permissionMember
olcMemberOfMemberOfAD: member

While adding the LDIF, I get the error: unable to find group objectClass="GroupOfPermissions"
The objectClass is available on the server and is a self-created objectClass.
Do I have to include some paths to announce the objectClass?

Greetings John

-----Original Message-----
From: Dieter Klünter [mailto:dieter@dkluenter.de]
Sent: Friday, 28 August 2015 09:36
To: Fischer, Johannes
Cc: openldap-technical@openldap.org
Subject: Re: Permission management with LDAP

On Fri, 28 Aug 2015 06:06:06 +0000,
"Fischer, Johannes" <johannes.fischer@ipa.fraunhofer.de> wrote:

> Hi again,
> I didn't want to hijack the thread, so here is a second mail with a
> completely different question.
> If I have a structure like:
> User
> - Role
> Role
> - User
> - Permission
> Permission
> - Role
> Now I want to get the authorization for some permission, so I have the
> information which user and which permission. Now I need to match the
> list. The way it already works: get all roles for a permission, then
> search in the user for the role; if found, authorization, else not.
> Therefore I need at least two requests to the LDAP server.

For this sort of task I use slapo-memberof(5) and a proper filter.
Something like (&(uid=$1)(memberOf=myGroup))


Dieter Klünter | Systemberatung
GPG Key ID: E9ED159B
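The one-request check Dieter suggests, `(&(uid=$1)(memberOf=myGroup))`, is only safe if `$1` cannot contain filter metacharacters: an unescaped `*` would make `(uid=*)` match every user, so any member of the group at all would "authorize" the caller. The following is an added example, not code from the thread or from OpenLDAP, that builds the filter with RFC 4515 value escaping and shows the ldapsearch invocation for the single round trip. The group DN, the search base and the `ldapi:///` / SASL EXTERNAL bind are placeholder assumptions.

```python
"""
Added example (not part of the mailing-list thread): build the authorization
filter (&(uid=<user>)(memberOf=<group DN>)) safely and turn it into a single
ldapsearch call.

Assumed placeholders (not in the original mails):
  GROUP_DN  - the role/permission group carrying the member attribute
  BASE_DN   - where user entries live
  ldapi:/// with SASL EXTERNAL - substitute your own -H/-D/-W options
"""
import shlex

GROUP_DN = "cn=myGroup,ou=roles,dc=example,dc=com"   # assumption
BASE_DN = "ou=people,dc=example,dc=com"              # assumption

# RFC 4515 section 3: these characters must be hex-escaped inside an
# assertion value, otherwise user input can change the filter's structure.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a string for use as an assertion value in an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def authz_filter(uid: str, group_dn: str = GROUP_DN) -> str:
    """The single-request filter: user must exist AND be a memberOf the group."""
    return f"(&(uid={escape_filter_value(uid)})(memberOf={escape_filter_value(group_dn)}))"


def ldapsearch_command(uid: str, base_dn: str = BASE_DN, uri: str = "ldapi:///") -> str:
    """
    Shell command for the check. -LLL strips comments and the version line;
    the attribute list "1.1" asks for no attributes at all, because we only
    need to know whether an entry matched. Bind options are an assumption.
    """
    argv = [
        "ldapsearch", "-LLL", "-H", uri, "-Y", "EXTERNAL",
        "-b", base_dn, "-s", "one",
        authz_filter(uid), "1.1",
    ]
    return shlex.join(argv)


def authorized(ldapsearch_output: str) -> bool:
    """Interpret the LDIF output: any 'dn:' line means the user is in the group."""
    return any(line.startswith("dn:") for line in ldapsearch_output.splitlines())


if __name__ == "__main__":
    # Constructed sample output as ldapsearch -LLL ... 1.1 would print it.
    sample_hit = "dn: uid=jfischer,ou=people,dc=example,dc=com\n\n"
    sample_miss = ""

    print(ldapsearch_command("jfischer"))
    print("plain uid  :", authz_filter("jfischer"))
    # With escaping, a wildcard in the uid matches only a literal '*':
    print("hostile uid:", authz_filter("*"))
    print("hit  ->", authorized(sample_hit))
    print("miss ->", authorized(sample_miss))
```

Two caveats when relying on this filter: `memberOf` is an operational attribute, so it must be requested explicitly if you also want it returned (filtering on it works regardless), and slapo-memberof only maintains values for group modifications made after the overlay is active, so groups that existed beforehand have to be re-written for the filter to see their members.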