Greetings..
I've been searching around for the last couple of days trying to come up
with an example of a groups/roles design that works well, and have been
coming up empty... I'm working with OpenLDAP 2.2.x as my directory server...
Basically, I want to be able to have "roles" which represent operations
or groups of operations that a user is allowed to perform. I would like
these roles to be usable by both the directory server in the form of
ACLs, and also by applications.
The issue that I keep running into is the nested group issue; it seems
like it's a real pain to do anything resembling nested groups. Not to
mention that it's very directory server dependent -- all the commercial
vendors seem to do nested groups differently. And of course, OpenLDAP
doesn't really do anything to support nested groups (at least that I've
found).
How are people accomplishing this? About the best way I've come up with
so far is to have two different groups/roles sections in the namespace
-- one would hold the real membership information (including nested
groups), and the other would be generated automatically by a script at
set intervals from the first. The second tree would contain
groups/roles with only the expanded list of members in it -- no nested
groups.
This seems hackish, and it just seems like I must be missing something...
Help is greatly appreciated!
Thanks,
--
Joseph Dickson
Unix Administrator - WEYCO, INC. | [EMAIL PROTECTED] | 800.748.0003 ext 1216
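The "expand nested groups into a second, flat tree" approach described in the post can be sketched in a few lines. The script below is an added illustration, not code from the poster or from OpenLDAP: it walks groupOfNames-style entries (a `member` attribute holding DNs, where a member DN that is itself a group counts as a nested group), follows the nesting transitively while tolerating cycles, and emits LDIF for a parallel `ou=flatgroups` subtree that contains only people. The input dictionary, the DNs and the `ou=flatgroups` name are constructed for the example; a real version would read the entries from the directory with an LDAP search instead.

```python
"""Expand nested LDAP groups into flat, people-only membership lists (example)."""

# Constructed sample data standing in for groupOfNames entries read from the
# directory: group DN -> list of member DNs. Members whose DN is also a key are
# nested groups. The sample deliberately contains a cycle (admins -> ops ->
# admins) and a person listed in two groups, to show both are handled.
SAMPLE_GROUPS = {
    "cn=admins,ou=groups,dc=example,dc=com": [
        "uid=alice,ou=people,dc=example,dc=com",
        "cn=ops,ou=groups,dc=example,dc=com",
    ],
    "cn=ops,ou=groups,dc=example,dc=com": [
        "uid=bob,ou=people,dc=example,dc=com",
        "cn=dba,ou=groups,dc=example,dc=com",
        "cn=admins,ou=groups,dc=example,dc=com",  # cycle back to admins
    ],
    "cn=dba,ou=groups,dc=example,dc=com": [
        "uid=carol,ou=people,dc=example,dc=com",
        "uid=bob,ou=people,dc=example,dc=com",  # also a member of ops
    ],
}

# Hypothetical container for the generated, flattened copies.
FLAT_BASE = "ou=flatgroups,dc=example,dc=com"


def expand_group(dn, groups):
    """Return the set of non-group member DNs reachable from `dn`.

    Nested groups are followed transitively; a `seen` set makes the walk
    terminate even when groups reference each other in a cycle.
    """
    seen = set()
    members = set()
    stack = [dn]
    while stack:
        current = stack.pop()
        if current in seen:
            continue
        seen.add(current)
        for member in groups.get(current, []):
            if member in groups:
                stack.append(member)  # nested group: descend into it
            else:
                members.add(member)  # leaf entry (a person)
    return members


def flat_dn(group_dn, flat_base=FLAT_BASE):
    """Rebase a group DN under the flat subtree, keeping only its RDN.

    Assumes the RDN contains no escaped commas (true for the sample data).
    """
    rdn = group_dn.split(",", 1)[0]
    return f"{rdn},{flat_base}"


def flatten_all(groups, flat_base=FLAT_BASE):
    """Map each flattened group DN to its sorted, de-duplicated member list.

    Groups that expand to no people are dropped: groupOfNames requires at
    least one `member` value, so an empty flat copy could not be loaded.
    """
    result = {}
    for dn in groups:
        members = sorted(expand_group(dn, groups))
        if members:
            result[flat_dn(dn, flat_base)] = members
    return result


def to_ldif(flat_groups):
    """Render the flattened groups as LDIF entries (groupOfNames)."""
    entries = []
    for dn in sorted(flat_groups):
        cn = dn.split(",", 1)[0].split("=", 1)[1]
        lines = [f"dn: {dn}", "objectClass: groupOfNames", f"cn: {cn}"]
        lines += [f"member: {m}" for m in flat_groups[dn]]
        entries.append("\n".join(lines))
    return "\n\n".join(entries) + "\n"


if __name__ == "__main__":
    print(to_ldif(flatten_all(SAMPLE_GROUPS)))
```

Running the script prints one groupOfNames entry per source group, each listing only people; regenerating this subtree on a schedule (with `ldapmodify`, or by deleting and re-adding the entries) is the "second tree" the post describes, and both ACLs and applications can then test membership with a plain `member=` match.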