Linux Archive

Linux Archive (http://www.linux-archive.org/)
-   Fedora Directory (http://www.linux-archive.org/fedora-directory/)
-   -   dynamic group expansion: writing a patch... (http://www.linux-archive.org/fedora-directory/372657-dynamic-group-expansion-writing-patch.html)

Roberto Polli 05-18-2010 01:30 PM

dynamic group expansion: writing a patch...
 
Hi all,

I'd like to start a patch on dynamic group expansion, but dunno where to
start.

Can you point me?

Should be something like reusing VLV code?

Thx+Peace,
R-


--

Roberto Polli
Babel S.r.l. - http://www.babel.it
Tel. +39.06.91801075 - fax +39.06.91612446
Tel. cel +39.340.6522736
P.zza S.Benedetto da Norcia, 33 - 00040 Pomezia (Roma)

"Il seguente messaggio contiene informazioni riservate. Qualora questo
messaggio fosse da Voi ricevuto per errore, Vogliate cortesemente darcene
notizia a mezzo e-mail. Vi sollecitiamo altresė a distruggere il messaggio
erroneamente ricevuto. Quanto precede Vi viene chiesto ai fini del rispetto
della legge in materia di protezione dei dati personali."
--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users

Rich Megginson 05-18-2010 02:28 PM

dynamic group expansion: writing a patch...
 
Roberto Polli wrote:
> Hi all,
>
> I'd like to start a patch on dynamic group expansion, but dunno where to
> start.
>
> Can you point me?
>
> Should be something like reusing VLV code?
>
No, probably not VLV. I would start with the member of plugin code.
Member of already does something similar to dynamic group expansion, but
in the opposite direction.
Source (git) information -
http://directory.fedoraproject.org/wiki/Developers
Git repo - http://git.fedorahosted.org/git/?p=389/ds.git;a=summary
member of plugin -
http://git.fedorahosted.org/git/?p=389/ds.git;a=tree;f=ldap/servers/plugins/memberof
> Thx+Peace,
> R-
>
>
>

--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users

Roberto Polli 05-18-2010 03:39 PM

dynamic group expansion: writing a patch...
 
On Tuesday 18 May 2010 16:28:48 Rich Megginson wrote:
> ...I would start with the member of plugin code.
I'll take a look.

do you think it will be better to extend memberof plugin or play directly into
the group entry

thx+Peace,
R.

--

Roberto Polli
Babel S.r.l. - http://www.babel.it
Tel. +39.06.91801075 - fax +39.06.91612446
Tel. cel +39.340.6522736
P.zza S.Benedetto da Norcia, 33 - 00040 Pomezia (Roma)

"Il seguente messaggio contiene informazioni riservate. Qualora questo
messaggio fosse da Voi ricevuto per errore, Vogliate cortesemente darcene
notizia a mezzo e-mail. Vi sollecitiamo altresė a distruggere il messaggio
erroneamente ricevuto. Quanto precede Vi viene chiesto ai fini del rispetto
della legge in materia di protezione dei dati personali."
--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users

Rich Megginson 05-18-2010 03:48 PM

dynamic group expansion: writing a patch...
 
Roberto Polli wrote:
> On Tuesday 18 May 2010 16:28:48 Rich Megginson wrote:
>
>> ...I would start with the member of plugin code.
>>
> I'll take a look.
>
> do you think it will be better to extend memberof plugin or play directly into
> the group entry
>
not sure what you mean by "play directly into the group entry"

You might be able to do this by extending the member of plugin. With
dynamic groups, you will probably still want to have the member of
functionality, and it should work with member of when using static
groups too.

static group:
cn=groupA,....
objectclass: groupOfNames
member: uid=foo,... <- static member - must add/delete manually
member: uid=bar,... <- static member - must add/delete manually

dynamic group:
cn=groupB,...
objectclass: groupOfDynNames <- need new objectclass that has both url
specifier attribute and member attribute
memberURL: ldap:///ou=people?sub?(ou=myorg) <- specifies which entries
are members
member: uid=foo,... <- dynamic member - plugin adds this
member: uid=bar,... <- dynamic member - plugin adds this

uid=foo,ou=people,...
ou: myorg
memberof: cn=groupA,.... <- plugin adds this
memberof: cn=groupB,.... <- plugin adds this
> thx+Peace,
> R.
>
>

--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users

Nathan Kinder 05-18-2010 04:37 PM

dynamic group expansion: writing a patch...
 
On 05/18/2010 08:48 AM, Rich Megginson wrote:
> Roberto Polli wrote:
>
>> On Tuesday 18 May 2010 16:28:48 Rich Megginson wrote:
>>
>>
>>> ...I would start with the member of plugin code.
>>>
>>>
>> I'll take a look.
>>
>> do you think it will be better to extend memberof plugin or play directly into
>> the group entry
>>
>>
> not sure what you mean by "play directly into the group entry"
>
> You might be able to do this by extending the member of plugin. With
> dynamic groups, you will probably still want to have the member of
> functionality, and it should work with member of when using static
> groups too.
>
The difficult part is going to be making the memberOf plug-in work with
dynamic groups.

Is the idea to have the "member" attributes be virtual attributes that
are generated on the fly when a client performs a search for the group?
I'm not quite sure how this approach can be made to work with the
memberOf plug-in since it is triggered by write operations that affect
group membership.
> static group:
> cn=groupA,....
> objectclass: groupOfNames
> member: uid=foo,...<- static member - must add/delete manually
> member: uid=bar,...<- static member - must add/delete manually
>
> dynamic group:
> cn=groupB,...
> objectclass: groupOfDynNames<- need new objectclass that has both url
> specifier attribute and member attribute
> memberURL: ldap:///ou=people?sub?(ou=myorg)<- specifies which entries
> are members
> member: uid=foo,...<- dynamic member - plugin adds this
> member: uid=bar,...<- dynamic member - plugin adds this
>
> uid=foo,ou=people,...
> ou: myorg
> memberof: cn=groupA,....<- plugin adds this
> memberof: cn=groupB,....<- plugin adds this
>
>> thx+Peace,
>> R.
>>
>>
>>
> --
> 389 users mailing list
> 389-users@lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/389-users
>

--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users

Rich Megginson 05-18-2010 04:50 PM

dynamic group expansion: writing a patch...
 
Nathan Kinder wrote:
> On 05/18/2010 08:48 AM, Rich Megginson wrote:
>
>> Roberto Polli wrote:
>>
>>
>>> On Tuesday 18 May 2010 16:28:48 Rich Megginson wrote:
>>>
>>>
>>>
>>>> ...I would start with the member of plugin code.
>>>>
>>>>
>>>>
>>> I'll take a look.
>>>
>>> do you think it will be better to extend memberof plugin or play directly into
>>> the group entry
>>>
>>>
>>>
>> not sure what you mean by "play directly into the group entry"
>>
>> You might be able to do this by extending the member of plugin. With
>> dynamic groups, you will probably still want to have the member of
>> functionality, and it should work with member of when using static
>> groups too.
>>
>>
> The difficult part is going to be making the memberOf plug-in work with
> dynamic groups.
>
> Is the idea to have the "member" attributes be virtual attributes that
> are generated on the fly when a client performs a search for the group?
>
That might work, as long as you don't have to support searches in
dynamic group entries like (member=someUserDN)
> I'm not quite sure how this approach can be made to work with the
> memberOf plug-in since it is triggered by write operations that affect
> group membership.
>
However it works, it should work with memberof and generate memberof
attributes in user entries, whether the group is static or dynamic.

I suppose it would work a little like persistent search - on every
update operation (not just group updates, but all updates), it would
have to scan every dynamic group entry, looking at the pre-update entry
and the post-update entry. If the pre-update entry does not match the
dynamic group definition, but the post-update entry does match the
dynamic group definition, then you add the DN of that entry to the
member attribute in the group entry. If the pre-update matches but not
the post-update, you have to remove the member.
>> static group:
>> cn=groupA,....
>> objectclass: groupOfNames
>> member: uid=foo,...<- static member - must add/delete manually
>> member: uid=bar,...<- static member - must add/delete manually
>>
>> dynamic group:
>> cn=groupB,...
>> objectclass: groupOfDynNames<- need new objectclass that has both url
>> specifier attribute and member attribute
>> memberURL: ldap:///ou=people?sub?(ou=myorg)<- specifies which entries
>> are members
>> member: uid=foo,...<- dynamic member - plugin adds this
>> member: uid=bar,...<- dynamic member - plugin adds this
>>
>> uid=foo,ou=people,...
>> ou: myorg
>> memberof: cn=groupA,....<- plugin adds this
>> memberof: cn=groupB,....<- plugin adds this
>>
>>
>>> thx+Peace,
>>> R.
>>>
>>>
>>>
>>>
>> --
>> 389 users mailing list
>> 389-users@lists.fedoraproject.org
>> https://admin.fedoraproject.org/mailman/listinfo/389-users
>>
>>
>
> --
> 389 users mailing list
> 389-users@lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/389-users
>

--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users

Nathan Kinder 05-18-2010 05:37 PM

dynamic group expansion: writing a patch...
 
On 05/18/2010 09:50 AM, Rich Megginson wrote:
> Nathan Kinder wrote:
>
>> On 05/18/2010 08:48 AM, Rich Megginson wrote:
>>
>>
>>> Roberto Polli wrote:
>>>
>>>
>>>
>>>> On Tuesday 18 May 2010 16:28:48 Rich Megginson wrote:
>>>>
>>>>
>>>>
>>>>
>>>>> ...I would start with the member of plugin code.
>>>>>
>>>>>
>>>>>
>>>>>
>>>> I'll take a look.
>>>>
>>>> do you think it will be better to extend memberof plugin or play directly into
>>>> the group entry
>>>>
>>>>
>>>>
>>>>
>>> not sure what you mean by "play directly into the group entry"
>>>
>>> You might be able to do this by extending the member of plugin. With
>>> dynamic groups, you will probably still want to have the member of
>>> functionality, and it should work with member of when using static
>>> groups too.
>>>
>>>
>>>
>> The difficult part is going to be making the memberOf plug-in work with
>> dynamic groups.
>>
>> Is the idea to have the "member" attributes be virtual attributes that
>> are generated on the fly when a client performs a search for the group?
>>
>>
> That might work, as long as you don't have to support searches in
> dynamic group entries like (member=someUserDN)
>
>> I'm not quite sure how this approach can be made to work with the
>> memberOf plug-in since it is triggered by write operations that affect
>> group membership.
>>
>>
> However it works, it should work with memberof and generate memberof
> attributes in user entries, whether the group is static or dynamic.
>
> I suppose it would work a little like persistent search - on every
> update operation (not just group updates, but all updates), it would
> have to scan every dynamic group entry, looking at the pre-update entry
> and the post-update entry. If the pre-update entry does not match the
> dynamic group definition, but the post-update entry does match the
> dynamic group definition, then you add the DN of that entry to the
> member attribute in the group entry. If the pre-update matches but not
> the post-update, you have to remove the member.
>
I think this approach is best, assuming you are saying that the member
of value is actually added to the group entry (not a virtual
attribute). This could be implemented as a new post-op plug-in. If
plug-in ordering is used to have this new plug-in invoked before the
memberOf plug-in, then the memberOf feature should work fine.
>>> static group:
>>> cn=groupA,....
>>> objectclass: groupOfNames
>>> member: uid=foo,...<- static member - must add/delete manually
>>> member: uid=bar,...<- static member - must add/delete manually
>>>
>>> dynamic group:
>>> cn=groupB,...
>>> objectclass: groupOfDynNames<- need new objectclass that has both url
>>> specifier attribute and member attribute
>>> memberURL: ldap:///ou=people?sub?(ou=myorg)<- specifies which entries
>>> are members
>>> member: uid=foo,...<- dynamic member - plugin adds this
>>> member: uid=bar,...<- dynamic member - plugin adds this
>>>
>>> uid=foo,ou=people,...
>>> ou: myorg
>>> memberof: cn=groupA,....<- plugin adds this
>>> memberof: cn=groupB,....<- plugin adds this
>>>
>>>
>>>
>>>> thx+Peace,
>>>> R.
>>>>
>>>>
>>>>
>>>>
>>>>
>>> --
>>> 389 users mailing list
>>> 389-users@lists.fedoraproject.org
>>> https://admin.fedoraproject.org/mailman/listinfo/389-users
>>>
>>>
>>>
>> --
>> 389 users mailing list
>> 389-users@lists.fedoraproject.org
>> https://admin.fedoraproject.org/mailman/listinfo/389-users
>>
>>
> --
> 389 users mailing list
> 389-users@lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/389-users
>

--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users

Rich Megginson 05-18-2010 05:40 PM

dynamic group expansion: writing a patch...
 
Nathan Kinder wrote:
> On 05/18/2010 09:50 AM, Rich Megginson wrote:
>
>> Nathan Kinder wrote:
>>
>>
>>> On 05/18/2010 08:48 AM, Rich Megginson wrote:
>>>
>>>
>>>
>>>> Roberto Polli wrote:
>>>>
>>>>
>>>>
>>>>
>>>>> On Tuesday 18 May 2010 16:28:48 Rich Megginson wrote:
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>> ...I would start with the member of plugin code.
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>> I'll take a look.
>>>>>
>>>>> do you think it will be better to extend memberof plugin or play directly into
>>>>> the group entry
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>> not sure what you mean by "play directly into the group entry"
>>>>
>>>> You might be able to do this by extending the member of plugin. With
>>>> dynamic groups, you will probably still want to have the member of
>>>> functionality, and it should work with member of when using static
>>>> groups too.
>>>>
>>>>
>>>>
>>>>
>>> The difficult part is going to be making the memberOf plug-in work with
>>> dynamic groups.
>>>
>>> Is the idea to have the "member" attributes be virtual attributes that
>>> are generated on the fly when a client performs a search for the group?
>>>
>>>
>>>
>> That might work, as long as you don't have to support searches in
>> dynamic group entries like (member=someUserDN)
>>
>>
>>> I'm not quite sure how this approach can be made to work with the
>>> memberOf plug-in since it is triggered by write operations that affect
>>> group membership.
>>>
>>>
>>>
>> However it works, it should work with memberof and generate memberof
>> attributes in user entries, whether the group is static or dynamic.
>>
>> I suppose it would work a little like persistent search - on every
>> update operation (not just group updates, but all updates), it would
>> have to scan every dynamic group entry, looking at the pre-update entry
>> and the post-update entry. If the pre-update entry does not match the
>> dynamic group definition, but the post-update entry does match the
>> dynamic group definition, then you add the DN of that entry to the
>> member attribute in the group entry. If the pre-update matches but not
>> the post-update, you have to remove the member.
>>
>>
> I think this approach is best, assuming you are saying that the member
> of value is actually added to the group entry (not a virtual
> attribute).
Yes, a real attribute, not virtual. The member attribute in the dynamic
group entry would be a real attribute.
> This could be implemented as a new post-op plug-in. If
> plug-in ordering is used to have this new plug-in invoked before the
> memberOf plug-in, then the memberOf feature should work fine.
>
Ok.
>>>> static group:
>>>> cn=groupA,....
>>>> objectclass: groupOfNames
>>>> member: uid=foo,...<- static member - must add/delete manually
>>>> member: uid=bar,...<- static member - must add/delete manually
>>>>
>>>> dynamic group:
>>>> cn=groupB,...
>>>> objectclass: groupOfDynNames<- need new objectclass that has both url
>>>> specifier attribute and member attribute
>>>> memberURL: ldap:///ou=people?sub?(ou=myorg)<- specifies which entries
>>>> are members
>>>> member: uid=foo,...<- dynamic member - plugin adds this
>>>> member: uid=bar,...<- dynamic member - plugin adds this
>>>>
>>>> uid=foo,ou=people,...
>>>> ou: myorg
>>>> memberof: cn=groupA,....<- plugin adds this
>>>> memberof: cn=groupB,....<- plugin adds this
>>>>
>>>>
>>>>
>>>>
>>>>> thx+Peace,
>>>>> R.
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>> --
>>>> 389 users mailing list
>>>> 389-users@lists.fedoraproject.org
>>>> https://admin.fedoraproject.org/mailman/listinfo/389-users
>>>>
>>>>
>>>>
>>>>
>>> --
>>> 389 users mailing list
>>> 389-users@lists.fedoraproject.org
>>> https://admin.fedoraproject.org/mailman/listinfo/389-users
>>>
>>>
>>>
>> --
>> 389 users mailing list
>> 389-users@lists.fedoraproject.org
>> https://admin.fedoraproject.org/mailman/listinfo/389-users
>>
>>
>
> --
> 389 users mailing list
> 389-users@lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/389-users
>

--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users


All times are GMT. The time now is 09:26 PM.

VBulletin, Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.