Re: [discuss] composable object types in lib389

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



One small correction here :

using newly created nsUserAccountRole and nsUserAccountRoles ( Will be used only to create filter role ) , i am creating filter roles only . This is the confusion here , we should remember filter roles are nothing but entries with o='something'. I am not touching any user here , but i am creating roles and these roles are covering the users automatically a Ludwig Krispenzs  said earlier. example-


role=nsUserAccountRole(topo.standalone,'cn=tuser1,ou=People,dc=example,dc=com')
user_props={'cn':'Anuj', 'nsRoleFilter':'cn=*'}
role.create(properties=user_props, basedn=SUFFIX)


In above example just created one filer role which will cover all users having 'cn=*' in 'ou=People'. Here 'cn=tuser1,ou=People,dc=example,dc=com' is nothing but a filter role which will cover all users having 'cn=*' in 'ou=People'.

Another example as given bellow:

dn: cn=FILTERROLEENGROLE,o=acivattr1,dc=example,dc=com
cn: FILTERROLEENGROLE
nsRoleFilter: cn=*
objectClass: top
objectClass: LDAPsubentry
objectClass: nsRoleDefinition
objectClass: nsComplexRoleDefinition
objectClass: nsFilteredRoleDefinition

This above entry is nothing but filter role entry , which will cover all users in 'o=acivattr1' which has sub entries that begins with 'cn'. And this is the property of filter role .

Yes , i must say that newly created nsUserAccountRole and nsUserAccountRoles  which i renamed to  nsFilterAccountRole and nsFilterAccountRoles will only cover filter role as you cant create Filter role and other roles like Manage role all together . For my porting stuff newly created nsFilterAccountRole and nsFilterAccountRoles is more than enough because i need filter roles only .

Hope it clears all of your doubts.

Regards

Anuj Borah



On Fri, Jan 18, 2019 at 4:24 AM William Brown <wbrown@xxxxxxx> wrote:


> On 17 Jan 2019, at 19:40, Ludwig Krispenz <lkrispen@xxxxxxxxxx> wrote:
>
>
> Maybe I do not understand how it works because of some lib389 magic, but I think this is not how roles work.
>
> You are  creating cn=tuser1 and cn=Anju and they will have the role objectclasses, but the benefit of roles is that you do NOT have to touch the useres to assign roles to them. There is a class of users and a class of role definitions and ONLY the change in the role definition will determine if a user has a role or not.

I think lib389 probably isn’t helping, but Ludwig’s description here is correct.

Maybe a good approach is to “setup” roles by hand, then once you have a process in mind, then you can make the lib389 parts? I generally approach things this way to understand them well.

Would that help?



Sincerely,

William Brown
Software Engineer, 389 Directory Server
SUSE Labs
_______________________________________________
389-devel mailing list -- 389-devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to 389-devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/389-devel@xxxxxxxxxxxxxxxxxxxxxxx
_______________________________________________
389-devel mailing list -- 389-devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to 389-devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/389-devel@xxxxxxxxxxxxxxxxxxxxxxx

[Index of Archives]     [Fedora Directory Announce]     [Fedora Users]     [Older Fedora Users Mail]     [Fedora Advisory Board]     [Fedora Security]     [Fedora Devel Java]     [Fedora Desktop]     [ATA RAID]     [Fedora Marketing]     [Fedora Mentors]     [Fedora Package Review]     [Fedora Art]     [Fedora Music]     [Fedora Packaging]     [CentOS]     [Fedora SELinux]     [Big List of Linux Books]     [KDE Users]     [Fedora Art]     [Fedora Docs]

  Powered by Linux