
Re: Adding delegation of authority to the current LDAP structure?



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 05-03-2005 20:05, Andreas Schuldei wrote:
> On Sat, Mar 05, 2005 at 12:38:13PM +0100, Petter Reinholdtsen wrote:
> 
>>Is it
>>possible to adjust the current LDAP configuration to grant password
>>change access to a group of LDAP users?  I would like to grant such
>>access to all users in the teacher group.

> Since I became aware of the ongoing discussion I consulted again
> with some openldap deities and was told that even they did not
> know the answer to this problem. 

Does that mean that there's a third approach (in addition to using
experimental software and changing LDAP structure): "Wait until someone
figures out a clever filter expression"?


> Research is ongoing. There are ACIs which could perhaps solve the
> problem. http://www.openldap.org/faq/data/cache/634.html
> 
> ACIs are still experimental and not enabled in the Debian
> packages, because their interface is about to change. We could
> compile our own openldap packages, see if we won't run into library
> compatibility problems and, if not, deal with the changing
> interface at a later point in time.

Does "experimental" only mean "their interface is about to change" or also
"it is not tested much and may turn out to work unreliably"?


>>I suspect this is
>>impossible without changing the structure of the LDAP tree, and we do
>>not want to do that as it would make the existing installations
>>incompatible.
> 
> 
> Alternatively to the present ldap structure we could express the
> membership in authority groups by placing students in
> ou=Students,ou=People,..., teachers in ou=Teachers,ou=People,
> etc. 

Do I understand it correctly that this approach is actually to make the
role be the location in the LDAP tree? Isn't it likely to have students
becoming part time teachers, teachers that are also administrators, and
even students that are (junior) admins?


 - Jonas

- --
* Jonas Smedegaard - idealist and Internet architect
* Tel.: +45 40843136  Website: http://dr.jones.dk/

 - The end is near: http://www.shibumi.org/eoti.htm
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFCKg1Jn7DbMsAkQLgRAukaAJ989wONBejwvywFPxUiNzxuNRAJsACgp4Z5
wBtGeO5QD9c7sGJRUmeJ6qo=
=GJEu
-----END PGP SIGNATURE-----
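
Added example, not part of the original message or of the project's configuration: a slapd.conf access rule for the alternative layout quoted above, where students live under ou=Students,ou=People. The suffix dc=example,dc=org, the group DN cn=teachers,ou=Group,... and the use of a groupOfNames entry (DN-valued member attribute) are assumptions for illustration.

```conf
# Assumed layout (hypothetical suffix dc=example,dc=org):
#   ou=Students,ou=People,dc=example,dc=org   student accounts
#   ou=Teachers,ou=People,dc=example,dc=org   teacher accounts
#   cn=teachers,ou=Group,dc=example,dc=org    groupOfNames listing teacher DNs
#
# slapd applies the first "access to" clause that matches the target entry,
# so this rule must appear before any broader userPassword rule.

# Student passwords: the student and any member of the teachers group may write.
access to dn.subtree="ou=Students,ou=People,dc=example,dc=org" attrs=userPassword
    by self write
    by group.exact="cn=teachers,ou=Group,dc=example,dc=org" write
    by anonymous auth
    by * none

# Everyone else's password (teachers included): only the owner may write,
# so teachers get no write access to each other's passwords.
access to attrs=userPassword
    by self write
    by anonymous auth
    by * none
```

The first rule selects its targets purely by position in the tree, so an account holding two roles still has to sit in exactly one of the OUs and is protected (or exposed) according to that single location, which is the concern raised in the reply above.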


