Edward Capriolo wrote:
The overlay approach is less complicated, but it doesn't appear to deal with nested groups.If you take a look at openldap it has dyamic 'overlays' . http://www.openldap.org/doc/admin24/overlays.html#Dynamic%20Lists. The main jist of it is that an LDAP Query can be saved in an object. This is similar in my mind to an SQL View. So nss_ldap would referece a dynamic_overlay like object and that would re-search for the actual content to be returned to the user Having the object work in this read-only sense would make it less complicated then http://directory.fedoraproject.org/wiki/MemberOf_Plugin and still fit the need nicely.
The complexity of the memberOf plug-in is due to this support for nested groups. The approach of having to do multiple searches to resolve a user's nested memberships every time you just want to find out what groups you belong to would have a negative performance impact for reads over generating the memberOf attribute values when an actual membership modification is made. The assumption is that membership checks occur more often than membership changes, so performing all of the work up front when the modify takes place is best.
The plans for the memberOf plug-in is to make it more generic. The current code in CVS allows the attributes it acts on to be configurable. Other changes would need to be made to the plug-in allow it to truly be a general purpose linked attribute plug-in. In particular, the ability to turn off the nesting capability, configure multiple linked attributes, and define which suffix(es) to operate on would be very useful.It would me more generic then memberOf and I can see a lot of uses for it. Maybe another such plug in exists that I am not aware of.
2008/6/19 Richard Megginson <rmeggins@xxxxxxxxxx>:Grzegorz Marszałek wrote:Hello! I'm newbie to Fedora Directory, but is has two significant features - acl and nested roles. But I could find a way to use roles as groups. That is - I'd like to define role, and then use this to define posix group, which I can use via nss_ldap on my servers. At first glance it seems that dynamic groups will do what I want - I just defined filter to include all users with particular role in group. But unfortunately dynamic groups aren't resolved by server, you need client aplication to do that :( So the question is: is there any way to do this without writing my own slapi plugin?No, not currently. But several other users have expressed an interest in a feature like this. There is another new feature related to this concept that is currently in Fedora DS and being improved for the next version - http://directory.fedoraproject.org/wiki/MemberOf_Plugin Would you be able to create a wiki page to explain your requirements for such a feature? That would be a very good place to start designing this feature.Thanks! --- Grzegorz Marszałek graf0@xxxxxxx -- Fedora-directory-users mailing list Fedora-directory-users@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-directory-users-- Fedora-directory-users mailing list Fedora-directory-users@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-directory-users-- Fedora-directory-users mailing list Fedora-directory-users@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-directory-users
<<attachment: smime.p7s>>
-- Fedora-directory-users mailing list Fedora-directory-users@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-directory-users
