[Date Prev][Date Next] [Chronological] [Thread] [Top]

role based authorization -> dynacl module?

To: openldap-technical@openldap.org
Subject: role based authorization -> dynacl module?
From: Daniel Tröder <troeder@univention.de>
Date: Fri, 20 Apr 2018 13:45:21 +0200
Content-language: en-US
Openpgp: id=4E657D63DD95C8A93C6F025CEBADCFE3FA80815D
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.7.0

Hello everyone,

I am in the process of implementing a role concept via ACLs and hope for
a hint so that I don't invent the wheel a second time.

Specifically, it is about identity management for schools. A user
(object) can have several roles in multiple schools. Permissions on
other LDAP objects can thus differ depending on the role(s) the user and
the object have in the same school(s).

For example, a user could have been assigned the following roles that
are scattered over several schools:
→ "Teacher" in school 1
→ "School admin" in school 2
→ "Parent" in school 3
→ both "Teacher" and "Staff" in school 4

ACLs should now be defined accordingly, e.g.
→ the role "teacher" at school X can reset the password for the role
"student" at school X
→ the role "teacher" at school X *cannot* reset the password for the
role "student" of school Y
→ the role "school administrator" at school X can reset the password for
the roles "student" and "teacher" at school X
→ ...

So far I have not seen any way to map such a construct via groups or
sets without including a separate ACL for each group, which is a
performance issue.
Is there another way to map the role concept besides implementing an own
 dynacl module?

Greetings,
Daniel

Follow-Ups:
- Re: role based authorization -> dynacl module?
  - From: Howard Chu <hyc@symas.com>
- Re: role based authorization -> dynacl module?
  - From: Shawn McKinney <smckinney@symas.com>

Prev by Date: Re: exempt some users from OpenLDAP password policy
Next by Date: Re: role based authorization -> dynacl module?
Index(es):
- Chronological
- Thread