Jason Dusek wrote:
I'm curious about the intended permissions model for reverse
group membership:
http://www.openldap.org/doc/admin24/overlays.html#Reverse%20Group%20Membership%20Maintenance
Consider the case where a user should only have write access to
their own attributes and a friends group to which they can add
their friends. The reverse group membership overlay is used to
propagate `memberOf` of attributes to all the users that they
add to their group of friends. We do it this way because
'denormalizations' of this kind are helpful for query
efficiency.
For this application, it seems right for the overlay to
propagate changes that a user does not have permission to
execute themselves -- we don't have to let a user know who
anybody else's friends are, for example; nor can they change
that attribute.
If this can be added, it'd be great. If it's already possible,
I'd appreciate it if it were part of the documentation.

It's possible and already documented in the man page (man slapo-memberof):

    memberof-dn <dn>
        The value <dn> contains the DN that is used as modifiersName for
        internal modifications performed to update the reverse group membership.
        It defaults to the rootdn of the underlying database.

--
Kind Regards,
Gavin Henry.
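
Added example (not part of the original messages, and not taken from the OpenLDAP documentation): a slapd.conf fragment that sets memberof-dn to a dedicated identity instead of the rootdn, next to ACLs for the scenario in the question. The suffix, all DNs, the directory path and the layout with each user's friends group stored beneath that user's entry are assumptions made for illustration; the ACL grant to the updater identity is likewise an assumption for setups where memberof-dn is not the rootdn.

```conf
# Constructed example: every DN, the suffix and the tree layout are hypothetical.
# moduleload memberof        # only needed when the overlay is built as a module

database    mdb
suffix      "dc=example,dc=com"
rootdn      "cn=admin,dc=example,dc=com"
directory   /var/lib/ldap

# memberOf is maintained by the overlay, never by end users.
# The updater identity (hypothetical) is the DN given to memberof-dn below.
access to attrs=memberOf
    by dn.exact="cn=memberof-updater,dc=example,dc=com" write
    by self read
    by * none

# Assumed layout: cn=friends,uid=<user>,ou=people,dc=example,dc=com
# Only the owning user may edit the member list of their own friends group.
access to dn.regex="^cn=friends,(uid=[^,]+,ou=people,dc=example,dc=com)$"
    by dn.exact,expand="$1" write
    by dn.exact="cn=memberof-updater,dc=example,dc=com" read
    by * none

# Everything else: users write only their own entry; nobody reads other entries.
access to *
    by self write
    by anonymous auth
    by * none

overlay             memberof
# Recorded as modifiersName on the overlay's internal modifications.
# Defaults to the rootdn when omitted.
memberof-dn         "cn=memberof-updater,dc=example,dc=com"
memberof-group-oc   groupOfNames
memberof-member-ad  member
memberof-memberof-ad memberOf
# Keep memberOf values consistent when groups or members are deleted or renamed.
memberof-refint     TRUE
```

With a dedicated memberof-dn, the modifiersName on a changed memberOf value distinguishes overlay-driven updates from changes made by an administrator bound as the rootdn.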