06-19-2008, 12:01 PM
Grzegorz Marszałek

newbie question - roles AND groups?

Hello!

I'm a newbie to Fedora Directory, but it has two significant features -
acl and nested roles.


But I could find a way to use roles as groups. That is - I'd like to
define role, and then use this to define posix group, which I can use
via nss_ldap on my servers. At first glance it seems that dynamic
groups will do what I want - I just defined filter to include all
users with particular role in group. But unfortunately dynamic groups
aren't resolved by server, you need client application to do that.


So the question is: is there any way to do this without writing my own
slapi plugin?


Thanks!
---
Grzegorz Marszałek
graf0@post.pl



--
Fedora-directory-users mailing list
Fedora-directory-users@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users
 
06-19-2008, 01:40 PM
Richard Megginson

newbie question - roles AND groups?

Grzegorz Marszałek wrote:
> Hello!
>
> I'm a newbie to Fedora Directory, but it has two significant features -
> acl and nested roles.
>
> But I could find a way to use roles as groups. That is - I'd like to
> define role, and then use this to define posix group, which I can use
> via nss_ldap on my servers. At first glance it seems that dynamic
> groups will do what I want - I just defined filter to include all
> users with particular role in group. But unfortunately dynamic groups
> aren't resolved by server, you need client application to do that.
>
> So the question is: is there any way to do this without writing my own
> slapi plugin?

No, not currently. But several other users have expressed an interest
in a feature like this. There is another new feature related to this
concept that is currently in Fedora DS and being improved for the next
version - http://directory.fedoraproject.org/wiki/MemberOf_Plugin


Would you be able to create a wiki page to explain your requirements for
such a feature? That would be a very good place to start designing this
feature.


 
06-19-2008, 03:25 PM
Edward Capriolo

newbie question - roles AND groups?

If you take a look at openldap it has dynamic 'overlays'.
http://www.openldap.org/doc/admin24/overlays.html#Dynamic%20Lists.

The main gist of it is that an LDAP Query can be saved in an object.
This is similar in my mind to an SQL View.

So nss_ldap would reference a dynamic_overlay like object and that
would re-search for the actual content to be returned to the user.
Having the object work in this read-only sense would make it less
complicated than
http://directory.fedoraproject.org/wiki/MemberOf_Plugin and still fit
the need nicely.
It would be more generic than memberOf and I can see a lot of uses for
it. Maybe another such plug in exists that I am not aware of.


 
06-19-2008, 03:48 PM
Grzegorz Marszałek

newbie question - roles AND groups?

Hi!


> Would you be able to create a wiki page to explain your requirements
> for such a feature? That would be a very good place to start
> designing this feature.

http://directory.fedoraproject.org/wiki/RolesAsGroupsRequirements

I've got a little carried away.
And sorry for my English.




Bye
---
Grzegorz Marszałek
graf0@post.pl



 
06-19-2008, 04:41 PM
Nathan Kinder

newbie question - roles AND groups?

Edward Capriolo wrote:
> If you take a look at openldap it has dynamic 'overlays'.
> http://www.openldap.org/doc/admin24/overlays.html#Dynamic%20Lists.
>
> The main gist of it is that an LDAP Query can be saved in an object.
> This is similar in my mind to an SQL View.
>
> So nss_ldap would reference a dynamic_overlay like object and that
> would re-search for the actual content to be returned to the user.
> Having the object work in this read-only sense would make it less
> complicated than
> http://directory.fedoraproject.org/wiki/MemberOf_Plugin and still fit
> the need nicely.

The overlay approach is less complicated, but it doesn't appear to deal
with nested groups.


The complexity of the memberOf plug-in is due to this support for nested
groups. The approach of having to do multiple searches to resolve a
user's nested memberships every time you just want to find out what
groups you belong to would have a negative performance impact for reads
over generating the memberOf attribute values when an actual membership
modification is made. The assumption is that membership checks occur
more often than membership changes, so performing all of the work up
front when the modify takes place is best.

> It would be more generic than memberOf and I can see a lot of uses for
> it. Maybe another such plug in exists that I am not aware of.

The plans for the memberOf plug-in are to make it more generic. The
current code in CVS allows the attributes it acts on to be
configurable. Other changes would need to be made to the plug-in to allow
it to truly be a general purpose linked attribute plug-in. In
particular, the ability to turn off the nesting capability, configure
multiple linked attributes, and define which suffix(es) to operate on
would be very useful.


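The trade-off described in the message above (resolving nested memberships with multiple searches on every read, versus generating memberOf values when a membership modification is made), as an added example that is not part of the thread and is not Fedora DS code. It is a toy in-memory model: the `Directory` class, the DNs and the search counter are assumptions made for illustration.

```python
from collections import defaultdict

class Directory:
    """Toy in-memory model; class, DNs and search counter are illustrative assumptions."""
    def __init__(self):
        self.members = defaultdict(set)    # group DN -> direct member DNs
        self.member_of = defaultdict(set)  # entry DN -> groups, kept current on writes
        self.searches = 0                  # simulated searches issued

    def _parents(self, dn):
        # One simulated search: groups that list dn as a direct member.
        self.searches += 1
        return {g for g, m in self.members.items() if dn in m}

    def groups_read_time(self, dn):
        # Read-time approach: walk upward, one search per entry visited.
        seen, todo = set(), [dn]
        while todo:
            for g in self._parents(todo.pop()):
                if g not in seen:          # seen-set also terminates group cycles
                    seen.add(g)
                    todo.append(g)
        return seen

    def _affected(self, dn):
        # dn plus everything nested below it, whose memberOf values may change.
        seen, todo = {dn}, [dn]
        while todo:
            for m in self.members.get(todo.pop(), ()):
                if m not in seen:
                    seen.add(m)
                    todo.append(m)
        return seen

    def modify(self, group, dn, add=True):
        # Write-time approach: do the nested resolution once, when membership changes.
        (self.members[group].add if add else self.members[group].discard)(dn)
        for entry in self._affected(dn):
            self.member_of[entry] = self.groups_read_time(entry)

def demo():
    d = Directory()                               # constructed sample data
    d.modify("cn=admins", "uid=alice")
    d.modify("cn=ssh-users", "cn=admins")         # nested group
    d.modify("cn=all-staff", "cn=ssh-users")      # second nesting level
    d.searches = 0
    at_read = d.groups_read_time("uid=alice")     # costs one search per level
    read_cost = d.searches
    stored = set(d.member_of["uid=alice"])        # plain attribute read, no search
    d.modify("cn=ssh-users", "cn=admins", add=False)  # revoke at the nested level
    return at_read, read_cost, stored, set(d.member_of["uid=alice"])
```

The last value returned by `demo()` shows why the write path has to refresh every entry nested below the changed member: removing `cn=admins` from `cn=ssh-users` must also drop the inherited groups from `uid=alice`, otherwise a client reading memberOf would keep granting revoked access.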
 
06-19-2008, 05:20 PM
Edward Capriolo

newbie question - roles AND groups?

That would be great for netgroups, that would solve one of the big
drawbacks of netgroups in LDAP, being able to quickly query and see
who has access to what system. Otherwise you need the client
application to figure it out.


 
06-19-2008, 11:17 PM
Richard Megginson

newbie question - roles AND groups?

Grzegorz Marszałek wrote:
> Hi!
>
>> Would you be able to create a wiki page to explain your requirements
>> for such a feature? That would be a very good place to start
>> designing this feature.
>
> http://directory.fedoraproject.org/wiki/RolesAsGroupsRequirements
>
> I've got a little carried away.
> And sorry for my English.

This is very good. Thanks!
What do other people think? Interesting?




 

All times are GMT.