
Re: Adding delegation of authority to the current LDAP structure?



On Sat, Mar 05, 2005 at 12:38:13PM +0100, Petter Reinholdtsen wrote:
> Is it
> possible to adjust the current LDAP configuration to grant password
> change access to a group of LDAP users?  I would like to grant such
> access to all users in the teacher group.

I was told it was wise not to let every teacher change passwords,
so we created the Junior Admins group, which is supposed to
contain the teachers capable of changing passwords. Is that ok?

We have a flexible ldap structure where people's roles and group
memberships are expressed by the groups they are members of, not
the place where their entry is placed in the ldap tree. 

Now the problem is that we need slapd to do this:

members in group A can read/write to certain attributes of entries in
group B.
members in group C can read/write to certain attributes of entries in
group A and B and C.

So we filter both the subject and the object of our ACL based on
group membership.

Since I became aware of the ongoing discussion I consulted again
with some openldap deities and was told that even they did not
know the answer to this problem.

Research is ongoing. There are ACIs which could perhaps solve the
problem. http://www.openldap.org/faq/data/cache/634.html

ACIs are still experimental and not enabled in the Debian
packages, because their interface is about to change. We could
compile our own openldap packages, see if we won't run into library
compatibility problems and, if not, deal with the changing
interface at a later point in time.

> I suspect this is
> impossible without changing the structure of the LDAP tree, and we do
> not want to do that as it would make the existing installations
> incompatible.

As an alternative to the present ldap structure, we could express the
membership in authority groups by placing students in
ou=Students,ou=People,..., teachers in ou=Teachers,ou=People,
etc.

Then a person could not be a teacher and a jradmin/admin at the
same time, but we could filter on the regex (e.g. "Teachers",
"Students", "Admins", etc.) in the DN to tell what kind of person
is trying to access data on which other kind.

That would require ripping apart the existing ldap tree and
migrating people to different subtrees. I think this could be done
in fix_ldif. That would take care of the upgrade path. People
would need to create new accounts for jradmins and admins, since
it would not be possible to be in more than one authority group
any more.

Do we want this?
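The two-sided ACL the message asks for (subject selected by group membership, object also selected by group membership, without moving entries in the tree) can be written in slapd.conf syntax with the memberof overlay, which OpenLDAP added in 2.4, well after this thread. This is an added example, not configuration from the thread or from the Debian-Edu project; the suffix dc=example,dc=org, the ou=Group container, and groupOfNames groups with a member attribute are assumptions.

```conf
# Added example (not from the original message). Assumes:
#   suffix dc=example,dc=org, people under ou=People, groups under ou=Group,
#   groups are groupOfNames entries whose "member" values are full DNs.

# The memberof overlay keeps an operational memberOf attribute on each
# person entry, so the OBJECT side of an ACL can be selected by group
# membership with filter=, while the SUBJECT side uses group.exact.
overlay memberof
memberof-group-oc   groupOfNames
memberof-member-ad  member
memberof-memberof-ad memberOf

# Group A (Junior Admins) and group C (Admins) may set passwords of
# entries in group B (Students).  slapd uses the FIRST "access to"
# whose target matches and then stops, so the narrower rule comes first.
access to dn.subtree="ou=People,dc=example,dc=org"
        filter="(memberOf=cn=Students,ou=Group,dc=example,dc=org)"
        attrs=userPassword
    by group.exact="cn=Junior Admins,ou=Group,dc=example,dc=org" write
    by group.exact="cn=Admins,ou=Group,dc=example,dc=org" write
    by self write
    by anonymous auth
    by * none

# Every other password in ou=People (teachers, jradmins, admins): only
# group C may write it.  Junior Admins do NOT match here, so a teacher
# in group A cannot reset another teacher's or an admin's password.
access to dn.subtree="ou=People,dc=example,dc=org" attrs=userPassword
    by group.exact="cn=Admins,ou=Group,dc=example,dc=org" write
    by self write
    by anonymous auth
    by * none

# Ordinary attributes stay readable; keep this after the password rules,
# otherwise it would match first and the password rules would never apply.
access to dn.subtree="ou=People,dc=example,dc=org"
    by users read
    by * none
```

Check the result with slapacl before relying on it, for instance `slapacl -D "uid=teacher1,ou=People,dc=example,dc=org" -b "uid=student1,ou=People,dc=example,dc=org" userPassword/write`, and repeat with a non-student target to confirm it is denied.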


