
Re: Adding delegation of authority to the current LDAP structure?



On Sat, Mar 05, 2005 at 08:49:30PM +0100, Jonas Smedegaard wrote:
> On 05-03-2005 20:05, Andreas Schuldei wrote:
> > On Sat, Mar 05, 2005 at 12:38:13PM +0100, Petter Reinholdtsen wrote:
> > 
> >>Is it
> >>possible to adjust the current LDAP configuration to grant password
> >>change access to a group of LDAP users?  I would like to grant such
> >>access to all users in the teacher group.
> 
> > Since i became aware of the ongoing discussion i consulted again
> > with some openldap deities and was told that even they did not
> > know the answer to this problem. 
> 
> Does that mean that there's a third approach (in addition to using
> experimental software and changing LDAP structure): "Wait until someone
> figures out a clever filter expression"?

there is a third option that one deity suggested as an option:
slapd-meta. I have not yet understood how we could use it to
solve our problem, though, but it seems to be possible to create
subsets and preselections. 

regarding your question about the clever filter expression: no,
we don't wait for someone to come up with the super regex but
rather with a creative way that no one thought of yet to (ab)use
some features. 

> > Research is ongoing. There are ACIs which could perhaps solve the
> > problem. http://www.openldap.org/faq/data/cache/634.html
> > 
> > ACIs are still experimental and not enabled in the debian
> > packages, because their interface is about to change. we could
> > compile our own openldap packages, see if we won't run into library
> > compatibility problems and if not deal with the changing
> > interface at a later point in time.
> 
> Does "experimental" only mean "their interface is about to change" or also
> "it is not tested much and may turn out to work unreliably"?

ACIs are in wide use and seem to be stable, even in production.

> >>I suspect this is
> >>impossible without changing the structure of the LDAP tree, and we do
> >>not want to do that as it would make the existing installations
> >>incompatible.
> > 
> > 
> > Alternatively to the present ldap structure we could express the
> > membership in authority groups by placing students in
> > ou=Students,ou=People,..., teachers in ou=Teachers,ou=People,
> > etc. 
> 
> Do I understand it correctly that this approach is actually to make the
> role be the location in the LDAP tree? 

yes.

> Isn't it likely to have students becoming part time teachers,
> teachers that are also administrators, and even students that
> are (junior) admins?

yes. This has happened before. That makes this solution suck in
its own special way.
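
As an added illustration (not part of this thread or of any Skolelinux/Debian-Edu configuration), here is what the "role is the location in the LDAP tree" approach discussed above looks like with the standard slapd.conf access directives, without ACIs. The base DN dc=example,dc=org, the ou=Students/ou=Teachers containers and the cn=teachers/cn=admins groups are assumed placeholders:

```conf
# Added example, not from the thread. Scope of "whose password may be
# changed" is carried only by the DN pattern, so each person can have
# exactly one role: the one implied by the OU they live in.
# slapd evaluates access directives in order and the first clause whose
# target matches wins, so the specific subtrees must come before the
# catch-all at the bottom.

# Members of cn=teachers may set passwords of entries under ou=Students.
access to dn.children="ou=Students,ou=People,dc=example,dc=org" attrs=userPassword
        by group.exact="cn=teachers,ou=Group,dc=example,dc=org" write
        by self write
        by anonymous auth
        by * none

# Only cn=admins may set passwords of entries under ou=Teachers.
access to dn.children="ou=Teachers,ou=People,dc=example,dc=org" attrs=userPassword
        by group.exact="cn=admins,ou=Group,dc=example,dc=org" write
        by self write
        by anonymous auth
        by * none

# Everyone else: users may change their own password; nobody else may
# read or write it (anonymous may still bind against it).
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none
```

This makes the limitation Andreas describes concrete: a student who is also a junior admin, or a teacher who is also an administrator, can only sit in one OU, so the second role cannot be expressed without either moving the entry (which existing installations would not tolerate) or a second mechanism such as the ACIs or slapd-meta mentioned earlier in the thread. It also shows why the flat ou=People layout cannot be served this way: with all users under one container, there is no DN pattern that separates "students" from "teachers and admins" for the `access to` target.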
