Subject: Grouper Developers Forum
- From: Tom Barton <>
- To: Grouper Dev <>
- Subject: possible ldappc enhancement
- Date: Mon, 19 Feb 2007 14:52:06 -0600
In the agenda for next Wed's conference call I just sent out, I mentioned discussion of a possible enhancement to the way ldappc provisions signet permission objects. Here's a little background in advance.
Ldappc v1.0 supports two representations of a signet permission. One uses the prospective eduPermission object class to represent a permission object as one or more subordinate entries to the grantee's ldap entry. The other represents each permission object as one or more strings of form
where <prefix> is declared in the ldappc config file (eg, "urn:mace:example.edu:permissions"), and the other substrings are properties of the permission object being provisioned.
Neither approach enables ldappc to maintain an implementation-defined attribute value for (selected) permissions. Eg, express a permission as "eduPersonEntitlement: urn:mace:dir:entitlement:common-lib-terms".
I propose to define a mapping capability in ldappc, perhaps using xsl, to determine the string representation of signet privilege objects. The default string representation would be as it is currently. There'd be a list of privilege selection criteria and associated declarations that are effectively eval'd to produce the non-default string representation of corresponding privilege objects.
At least that's my fodder for our discussion this Wed. See you there.
- possible ldappc enhancement, Tom Barton, 02/19/2007
Archive powered by MHonArc 2.6.16.