other authority groups?
I am working on the access control handling for user passwords (and other attributes).
I am just now trying to come up with a generic algorithm to determine who is allowed to
write to a user's LDAP entry, depending on which authority groups he is in.
Right now we have these authority groups by default: admins, jradmins, teachers and students.
The basic rule is simple:
- if a person is in the admins group, no one can write to his
- if he is in jradmins, his entry is writeable by members of the
group admins and
- if he is in student or teacher he is writeable by both admins
But we have authority_groups as a flexible thing. That means
people can add new authority groups.
Question: what other authority groups are possible/likely? Would
they interfere with the above algorithm? What would be a good way
to make this configurable by the local admin? (A config file in
/etc/? What could that look like?)
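
An added example, not part of the original post or the project's code: one possible shape for such a config file and its evaluation, where a newly added group that has no rule is denied and a user in several groups gets the most restrictive rule. The file format, the `parents` group, and the function names are assumptions; the writer lists marked below fill in rule text that is cut off in the post.

```python
# Hypothetical config format: "target group : groups allowed to write".
# Group names admins/jradmins/teachers/students are from the post.
SAMPLE_CONFIG = """
admins   :                    # empty list = nobody may write
jradmins : admins             # post's list is cut off after "admins and"
teachers : admins, jradmins   # assumed reading of "both admins"
students : admins, jradmins   # assumed reading of "both admins"
parents  : admins             # constructed example of a locally added group
"""

def parse_policy(text):
    """Parse 'target : writer, writer' lines into {target: frozenset(writers)}."""
    policy = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        if ":" not in line:
            raise ValueError(f"line {lineno}: expected 'group : writers'")
        target, writers = line.split(":", 1)
        target = target.strip()
        if not target or target in policy:
            raise ValueError(f"line {lineno}: missing or duplicate group {target!r}")
        policy[target] = frozenset(w.strip() for w in writers.split(",") if w.strip())
    return policy

def may_write(policy, writer_groups, target_groups):
    """Return True if a member of writer_groups may write the target's entry.

    Default deny: a target with no groups, or in any group without a rule,
    is not writable. A target in several groups is writable only by groups
    allowed for every one of them (intersection = most restrictive rule).
    """
    target_groups = set(target_groups)
    if not target_groups:
        return False
    allowed = None
    for group in target_groups:
        if group not in policy:        # newly added group without a rule
            return False
        allowed = policy[group] if allowed is None else allowed & policy[group]
    return bool(allowed & set(writer_groups))

if __name__ == "__main__":
    policy = parse_policy(SAMPLE_CONFIG)
    print(may_write(policy, {"jradmins"}, {"students"}))
    print(may_write(policy, {"jradmins"}, {"students", "jradmins"}))
```

A user changing his own password is a separate rule and is not modelled here.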