On Tue, 1 Sep 2015 06:21:34 +0000, "Fischer, Johannes" <[email protected]> wrote:

> Hi again,
>
> I did not get what I want to get.
> With the memberof overlay I get a structure like expected:
> User
> -memberOfGroup
> groupOfPermission
> - member
> - permission
> Permission
> -memberOfGroup
>
> With every update of groupOfPermission the links to the User and
> Permission class are generated. So far so good.
>
> If I want to check if a user has some Permission, I still have to
> collect the memberOfGroup attributes from the Permission class. Then
> I am able to search for the corresponding link between user and
> permission, like:
> (&(uid=$1)(memberOf=(Permission.getAll(memberOfGroup))))
> This works BUT it requires two interactions with the server. This is an
> all-time problem. Is there a better solution with some magic LDAP overlay?
>
> PS. We want a mapping of permission to User; this way a fine granular
> mapping of permissions to Groups to User is possible. At every time.

you may test sets http://www.openldap.org/faq/data/cache/1133.html
If you do have some spare time in November, you may attend LDAP Conference 2015
at Edinburgh http://ldapcon.org/2015/
Shawn McKinney's paper on Security Access Control Engine is quite promising,
and Michael Stroeder's paper on a users management system may give you some
insights to your tasks.

-Dieter

> -----Original Message-----
> From: openldap-technical [mailto:[email protected]] On Behalf Of Fischer, Johannes
> Sent: Friday, 28 August 2015 14:17
> To: Dieter Klünter
> Cc: [email protected]
> Subject: AW: Permission management with LDAP
>
> Hi,
>
> I've tried your idea. It worked well with groupOfNames.
> Then I've tried to implement the memberof overlay for a user specific
> objectClass:
>
> Dn: olcOverlay={1}
> objectClass: olcConfig
> objectClass: olcOverlayConfig
> objectClass: olcMemberOf
> olcOverlay: memberof
> olcMemberOfDangling: ignore
> olcMemberOfRefInt: TRUE
> olcMemberOfGroupOC: GroupOfPermissions
> olcMemberOfMemberAD: permissionMember
> olcMemberOfMemberOfAD: member
>
> While adding the ldif, a "unable to find group objectClass="GroupOfPermissions"".
> The objectClass is available on the server and is a self created objectclass.
> Do I have to include some paths to announce the objectClass?
>
> Greetings John
>
>
> -----Original Message-----
> From: Dieter Klünter [mailto:[email protected]]
> Sent: Friday, 28 August 2015 09:36
> To: Fischer, Johannes
> Cc: [email protected]
> Subject: Re: Permission management with LDAP
>
> On Fri, 28 Aug 2015 06:06:06 +0000, "Fischer, Johannes" <[email protected]> wrote:
>
> > Hi again,
> >
> > I didn't want to do a thread hijacking, so here a second mail
> > with a completely other question.
> >
> > If I have a structure like:
> > User
> > - Role
> > Role
> > - User
> > - Permission
> > Permission
> > - Role
> >
> > Now I want to get the authorization for some permission, so I have
> > the information which user and which Permission. Now I need to
> > match the list. The way it already works:
> > Get all Roles for a Permission
> > Search in the user for the Role
> > If found: Authorization
> > Else: no
> > Therefore I need at least two requests to the LDAP server.
>
> For this sort of tasks I use slapo-memberof(5) and a proper filter.
> Something like (&(uid=$1)(memberOf=myGroup))
>
> -Dieter
>
> --
> Dieter Klünter | Systemberatung
> http://sys4.de
> GPG Key ID: E9ED159B
> 53°37'09,95"N
> 10°08'02,42"E

--
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E
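The two-step check described in the thread (read the Permission entry's memberOfGroup values, then search for the user with one combined memberOf filter), as an added Python example that is not part of the thread: the attribute names and the sample LDIF are constructed from the poster's schema, and every value placed into the filter is escaped per RFC 4515 so a uid or DN taken from input cannot widen the filter.

```python
import base64

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping, so a caller-supplied uid or DN cannot close or
    extend the filter (e.g. uid = "x)(objectClass=*" must not match all)."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def member_of_groups(ldif: str, attr: str = "memberOfGroup") -> list[str]:
    """Step one: collect the <attr> values of the Permission entry as
    printed by `ldapsearch -LLL` (handles '::' base64 and folded lines)."""
    lines: list[str] = []
    for raw in ldif.splitlines():
        if raw.startswith(" ") and lines:          # folded continuation line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    groups = []
    for line in lines:
        if line.startswith(attr + ":: "):
            groups.append(base64.b64decode(line[len(attr) + 3:]).decode())
        elif line.startswith(attr + ": "):
            groups.append(line[len(attr) + 2:])
    return groups

def permission_filter(uid: str, group_dns: list[str]) -> str:
    """Step two: the thread's (&(uid=$1)(memberOf=...)) filter, widened to
    any of the granting groups. With no groups it can never match, so a
    permission that no group grants yields no access."""
    uid_clause = "(uid=%s)" % escape_filter_value(uid)
    if not group_dns:
        return "(&%s(!(objectClass=*)))" % uid_clause
    alts = "".join("(memberOf=%s)" % escape_filter_value(g) for g in group_dns)
    return "(&%s(|%s))" % (uid_clause, alts)

# Constructed sample of what step one returns for one Permission entry
# (the second value is base64 as ldapsearch prints it with '::').
SAMPLE_PERMISSION_LDIF = """\
dn: cn=editDocs,ou=permissions,dc=example,dc=com
cn: editDocs
memberOfGroup: cn=editors,ou=groups,dc=example,dc=com
memberOfGroup:: Y249YWRtaW5zLG91PWdyb3VwcyxkYz1leGFtcGxlLGRjPWNvbQ==
"""

if __name__ == "__main__":
    groups = member_of_groups(SAMPLE_PERMISSION_LDIF)
    print(permission_filter("jfischer", groups))
    # The second ldapsearch runs against the user base with that filter;
    # a non-empty result means the user holds the permission.
```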
