
Re: Adding delegation of authority to the current LDAP structure?



[Andreas Schuldei]
> I was told it was wise not to let every teacher change passwords,
> so we created the Junior Admins group, which is supposed to
> contain the teachers capable of changing passwords. Is that OK?

Yes.  I used 'teacher' just as an example to make it clear that this
access should be available only to a limited set of users.

> 
> Now the problem is that we need slapd to do this:
> 
> members in group A can read/write to certain attributes of entries in
> group B.
> members in group C can read/write to certain attributes of entries in
> group A and B and C.
> 
> So we filter both the subject and the object of our ACL based on
> group membership.

Would it be ok for the users with extra rights to be able to modify
the passwords of _all_ users, or should the extra rights be limited to
the pupils only?  In short, should the junior admins be allowed to
change the password of teachers, admins and junior admins in addition
to changing the password of pupils, or should they only have access to
changing passwords for pupils?

I suspect it might be easier to allow junior admins to change
passwords of _all_ users.  What do you think?

> ACIs are still experimental and not enabled in the Debian
> packages, because their interface is about to change. We could
> compile our own OpenLDAP packages, see if we won't run into library
> compatibility problems and, if not, deal with the changing
> interface at a later point in time.

I'm not too happy with diverting that far from the current debian
packages.  We should try hard to avoid it.

> Do we want this?

Not if we can avoid it. :)
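For reference, an slapd.conf ACL fragment for the two options discussed in this message (junior admins may set everybody's password, or only the pupils'). This is an added example, not configuration from the thread or from the Debian packages. The DNs (ou=Groups, ou=Pupils, cn=Junior Admins, cn=Admins under dc=example,dc=org) and the use of groupOfNames/member for the groups are assumptions; adjust them to the real tree. Plain `access to` clauses select the target by DN, filter or attributes, not by the target's group membership, so the pupils-only variant assumes pupils sit in their own subtree (a `filter=` on an attribute that only pupil entries carry would work the same way).

```conf
# Added example (not part of the thread). Assumed tree:
#   groups under ou=Groups,dc=example,dc=org (objectClass groupOfNames, attribute member)
#   pupils under ou=Pupils,dc=example,dc=org
# slapd takes the first "access to" clause whose target matches and, within it,
# the first matching "by" clause, so these password rules must precede any
# broader "access to *" rule.

# Pupils' passwords: Junior Admins, full Admins and the owner may set them.
# "=xw" grants auth and write only, so junior admins can change a hash
# without being able to read it. Dropping the dn.subtree= selector here and
# deleting the next clause gives the "all users" variant suggested above.
access to dn.subtree="ou=Pupils,dc=example,dc=org" attrs=userPassword
        by group/groupOfNames/member="cn=Junior Admins,ou=Groups,dc=example,dc=org" =xw
        by group/groupOfNames/member="cn=Admins,ou=Groups,dc=example,dc=org" =xw
        by self =xw
        by anonymous auth
        by * none

# Everybody else's password (teachers, junior admins, admins): owner and
# full Admins only. Junior Admins fall through to "by * none".
access to attrs=userPassword
        by group/groupOfNames/member="cn=Admins,ou=Groups,dc=example,dc=org" =xw
        by self =xw
        by anonymous auth
        by * none

# Remaining attributes: readable by authenticated users, nothing for anonymous.
access to *
        by users read
        by * none
```

After reloading slapd, check both directions with ldappasswd: bind as a junior admin (`-D "<junior admin DN>" -W`) and set a new password (`-S`) first on a pupil entry, which must succeed, then on a teacher entry, which must be refused with insufficient access. The `by anonymous auth` line is what lets users bind at all; without it simple binds fail even though the password rules are otherwise correct.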


