That would be great for netgroups, that would solve one of the big
drawbacks of netgroups in LDAP, being able to quickly query and see
who has access to what system. Otherwise you need the client
application to figure it out.
2008/6/19 Nathan Kinder <nkinder(a)redhat.com>:
Edward Capriolo wrote:
> If you take a look at openldap it has dyamic 'overlays' .
> The main jist of it is that an LDAP Query can be saved in an object.
> This is similar in my mind to an SQL View.
> So nss_ldap would referece a dynamic_overlay like object and that
> would re-search for the actual content to be returned to the user
> Having the object work in this read-only sense would make it less
> complicated then
and still fit
> the need nicely.
The overlay approach is less complicated, but it doesn't appear to deal with
The complexity of the memberOf plug-in is due to this support for nested
groups. The approach of having to do multiple searches to resolve a user's
nested memberships every time you just want to find out what groups you
belong to would have a negative performance impact for reads over generating
the memberOf attribute values when an actual membership modification is
made. The assumption is that membership checks occur more often than
membership changes, so performing all of the work up front when the modify
takes place is best.
> It would me more generic then memberOf and I can see a lot of uses for
> it. Maybe another such plug in exists that I am not aware of.
The plans for the memberOf plug-in is to make it more generic. The current
code in CVS allows the attributes it acts on to be configurable. Other
changes would need to be made to the plug-in allow it to truly be a general
purpose linked attribute plug-in. In particular, the ability to turn off
the nesting capability, configure multiple linked attributes, and define
which suffix(es) to operate on would be very useful.
> 2008/6/19 Richard Megginson <rmeggins(a)redhat.com>:
>> Grzegorz Marszałek wrote:
>>> I'm newbie to Fedora Directory, but is has two significant features -
>>> and nested roles.
>>> But I could find a way to use roles as groups. That is - I'd like to
>>> define role, and then use this to define posix group, which I can use
>>> nss_ldap on my servers. At first glance it seems that dynamic groups
>>> will do
>>> what I want - I just defined filter to include all users with particular
>>> role in group. But unfortunately dynamic groups aren't resolved by
>>> you need client aplication to do that :(
>>> So the question is: is there any way to do this without writing my own
>>> slapi plugin?
>> No, not currently. But several other users have expressed an interest in
>> feature like this. There is another new feature related to this concept
>> that is currently in Fedora DS and being improved for the next version -
>> Would you be able to create a wiki page to explain your requirements for
>> such a feature? That would be a very good place to start designing this
>>> Grzegorz Marszałek
>>> Fedora-directory-users mailing list
>> Fedora-directory-users mailing list
> Fedora-directory-users mailing list
Fedora-directory-users mailing list