grouper-dev - Re: [grouper-users] Ldappc and Grouper privileges
Subject: Grouper Developers Forum
- From: Arnaud Deman <>
- To:
- Cc: Tom Barton <>
- Subject: Re: [grouper-users] Ldappc and Grouper privileges
- Date: Wed, 07 Jan 2009 14:15:05 +0100
- Authentication-results: smtp03.msg.oleane.net; dkim=none (no signature) header.i=unknown; dkim-adsp=none
- Organization: GIP RECIA
Hi,
I am coming back to the question of ldappc and Grouper privileges (started on the grouper-users list).
We have started to work on an extension of the ldappc schema for this.
Our approach was to extend the existing class and to keep the logic:
For each privilege there is one attribute for the DN and one attribute for the uid.
This is only a starting point and there are already points about which I'm not sure:
- To use the class eduMember instead of creating a new one,
- The oids to use for the attributes,
- The use of the DN syntax for the dn attributes, because of the comparison,
- The attribute displayName comes from the inetorgperson schema,
- I didn't put the update privilege, because I believe it is only useful in Grouper (like the optin and optout privileges).
Thanks,
Arnaud.
Arnaud Deman wrote:
Tom Barton wrote:
Ok Tom, I'll do it when I start working on it.
I don't think we will use this approach, mainly for two reasons:
- The privileges mechanism of Grouper was one of our motivations in our choice of using Grouper and I would like to use it from all the access points of the groups.
- We will delegate the administration of some groups to the local administrators (who are teachers) and I don't want to complicate the groups management.
Good point.
I've created enhancement request <https://bugs.internet2.edu/jira/browse/MCO-22> to track this.
Hmm. Might you be interested to create one and put it on the list for comments?
In addition, there would need to be an LDAP objectclass created that contains the appropriate attributes in which to list Subjects from those lists. Have you already created one?
Not yet, because I wondered if there is a standard class/attribute to do that. In fact this was my next question :-).
Tom
Arnaud.
#
# *** Start eduMember ###
#
#
# An auxiliary object class, "eduMember," is a convenient container
# for an extensible set of attributes concerning group memberships.
# At this time, the only attributes specified as belonging to the
# object class are "isMemberOf" and "hasMember."
#
attributetype ( 1.3.6.1.4.1.5923.1.5.1.1
    NAME 'isMemberOf'
    DESC 'identifiers for groups to which containing entity belongs'
    EQUALITY caseExactMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
attributetype ( 1.3.6.1.4.1.5923.1.5.1.2
    NAME 'hasMember'
    DESC 'identifiers for entities that are members of the group'
    EQUALITY caseExactMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
attributetype ( 1.3.6.1.4.1.5923.1.5.1.3
    NAME 'viewer'
    DESC 'DN of entities that can view the group'
    EQUALITY distinguishedNameMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
attributetype ( 1.3.6.1.4.1.5923.1.5.1.4
    NAME 'hasViewer'
    DESC 'identifiers for entities that can view the group'
    EQUALITY caseExactMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
attributetype ( 1.3.6.1.4.1.5923.1.5.1.5
    NAME 'reader'
    DESC 'DN of entities that can read the group'
    EQUALITY distinguishedNameMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
attributetype ( 1.3.6.1.4.1.5923.1.5.1.6
    NAME 'hasReader'
    DESC 'identifiers for entities that can read the group'
    EQUALITY caseExactMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
attributetype ( 1.3.6.1.4.1.5923.1.5.1.7
    NAME 'administrator'
    DESC 'DN of entities that can administrate the group'
    EQUALITY distinguishedNameMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
attributetype ( 1.3.6.1.4.1.5923.1.5.1.8
    NAME 'hasAdministrator'
    DESC 'identifiers for entities that can administrate the group'
    EQUALITY caseExactMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
attributetype ( 1.3.6.1.4.1.5923.1.5.1.9
    NAME 'customType'
    DESC 'Custom type of the group'
    EQUALITY caseExactMatch
    SINGLE-VALUE
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
attributetype ( 1.3.6.1.4.1.5923.1.5.1.10
    NAME 'customTypeFieldOrList'
    DESC 'Field or list associated to the custom type of the group'
    EQUALITY caseExactMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
objectclass ( 1.3.6.1.4.1.5923.1.5.2.1
    NAME 'eduMember'
    AUXILIARY
    MAY ( displayName $
        isMemberOf $ hasMember $
        viewer $ hasViewer $
        reader $ hasReader $
        administrator $ hasAdministrator $
        customType $ customTypeFieldOrList
    )
    )
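
A consistency check for a schema laid out like the one posted above, added here as an example (it is not part of the original message, Grouper or ldappc). It covers three of the open points in the message: OID collisions, whether the equality rule fits the declared syntax, and MAY attributes such as displayName that depend on another schema file being loaded. The function names `parse` and `lint` and the abbreviated sample are assumptions of this example.

```python
import re

DN = "1.3.6.1.4.1.1466.115.121.1.12"         # Distinguished Name syntax
DIRSTRING = "1.3.6.1.4.1.1466.115.121.1.15"  # Directory String syntax
ALLOWED = {DN: {"distinguishedNameMatch"},   # equality rules per syntax (RFC 4517)
           DIRSTRING: {"caseExactMatch", "caseIgnoreMatch"}}

# Sample input: three definitions abbreviated from the posted schema.
SAMPLE = """
attributetype ( 1.3.6.1.4.1.5923.1.5.1.3
    NAME 'viewer'
    EQUALITY distinguishedNameMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
attributetype ( 1.3.6.1.4.1.5923.1.5.1.4
    NAME 'hasViewer'
    EQUALITY caseExactMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
objectclass ( 1.3.6.1.4.1.5923.1.5.2.1
    NAME 'eduMember' AUXILIARY
    MAY ( displayName $ viewer $ hasViewer ) )
"""

def parse(text):
    """Yield (kind, oid, name, body) per definition in slapd.conf-style schema text."""
    text = re.sub(r"^#.*$", "", text, flags=re.M)  # drop comment lines
    for body in re.split(r"^(?=attributetype|objectclass)", text, flags=re.M):
        head = re.match(r"(attributetype|objectclass)\s*\(\s*([\d.]+)", body)
        name = re.search(r"NAME\s+'([^']+)'", body)
        if head and name:
            yield head.group(1), head.group(2), name.group(1), body

def lint(text):
    """Return findings: duplicate OIDs, rule/syntax mismatches, external MAY attributes."""
    findings, oids, defined = [], {}, set()
    for kind, oid, name, body in parse(text):
        if oid in oids:
            findings.append(f"duplicate OID {oid}: {oids[oid]} and {name}")
        oids[oid] = name
        syntax = re.search(r"SYNTAX\s+([\d.]+)", body)
        rule = re.search(r"EQUALITY\s+(\w+)", body)
        if kind == "attributetype":
            defined.add(name.lower())  # attribute names are case-insensitive
            if syntax and rule and rule.group(1) not in ALLOWED.get(syntax.group(1), {rule.group(1)}):
                findings.append(f"{name}: {rule.group(1)} does not fit syntax {syntax.group(1)}")
        else:
            may = re.search(r"MAY\s*\(([^)]*)\)", body)
            for attr in map(str.strip, may.group(1).split("$") if may else []):
                if attr.lower() not in defined:
                    findings.append(f"{name}: {attr} must come from another schema file")
    return findings
```

On the sample, `lint(SAMPLE)` reports only the displayName dependency; attributes are resolved in file order, so a definition placed after the object class that uses it is reported as well.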