directory-users mailing list archives

From Emmanuel Lecharny <elecha...@apache.org>
Subject Re: memberOf Algorithm
Date Sat, 17 May 2008 13:38:52 GMT
Fu-Tung Cheng wrote:
> Hi,
>
> I was hoping someone could help me out with an ldap query.
>
> I am trying to implement the member of Algorithm
>
> http://middleware.internet2.edu/dir/groups/docs/internet2-mace-dir-groups-best-practices-200210.htm#_memberOf_Algorithm
>
> but I am not sure how to get all memberships for a particular user.
>
> My ds tree looks like this:
>
> organization
> project1 project2
> read, write (per project)
>
> then with the unique members in each of read, write
>
> so I guess what I need to do is a 2 part query where I get all projects where a user has permissions and then a 2nd query where I get all permissions the user has on a project.
>
> Is this a sane way to model the directory structure and permissions? What would my query look like for all projects where the user is a uniquemember of a permission?
>
> the user would be a person object that is a unique member of the project1 write group and the project2 read group for instance.
>
> If there is a link for a tutorial on how to do this kind of thing that would be great as well or a better place to post this kind of question.
>
> Or even a good dead-tree reference.
>   
Well, I think that RBAC describes the full picture, and you might be 
interested in looking at how it deals with such a problem: 
http://en.wikipedia.org/wiki/Role-Based_Access_Control

Your problem is just a small part of the picture, and you have to know 
that it's not a simple one.

Hope it helps.

-- 
--
cordialement, regards,
Emmanuel Lécharny
www.iktek.com
directory.apache.org
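
An added example, not part of either message and not Apache Directory code: the membership lookup asked about above, emulated in memory so it runs without a server. It shows that one subtree search on `uniqueMember` returns both the project and the permission, because each matching group DN carries both. The DNs, the `o=example` base, the `groupOfUniqueNames` object class and the comma-split DN handling are assumptions made for illustration.

```python
# Constructed sample data (assumed DNs) mirroring the tree in the question:
# organization -> project -> read/write groups holding uniqueMember values.
def _group(*members):
    return {"objectClass": ["groupOfUniqueNames"], "uniqueMember": list(members)}

DIRECTORY = {
    "o=example": {"objectClass": ["organization"]},
    "ou=project1,o=example": {"objectClass": ["organizationalUnit"]},
    "ou=project2,o=example": {"objectClass": ["organizationalUnit"]},
    "cn=read,ou=project1,o=example": _group("uid=bob,ou=people,o=example"),
    "cn=write,ou=project1,o=example": _group("uid=alice,ou=people,o=example",
                                             "uid=bob,ou=people,o=example"),
    "cn=read,ou=project2,o=example": _group("UID=Alice, OU=People, O=Example"),
    "cn=write,ou=project2,o=example": _group("uid=carol,ou=people,o=example"),
}

def escape_filter_value(value):
    """Escape the RFC 4515 special characters so a user-supplied DN cannot
    change the structure of the search filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def member_filter(user_dn):
    """Filter a real LDAP client would send for the same lookup."""
    return ("(&(objectClass=groupOfUniqueNames)(uniqueMember=%s))"
            % escape_filter_value(user_dn))

def norm_dn(dn):
    """Simplified DN comparison: lower-case, trim spaces around each RDN.
    Does not handle escaped commas inside RDN values."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def memberships(user_dn, base="o=example"):
    """Emulate one subtree search from `base` using member_filter(user_dn).
    Returns {project: [permissions]} read off the matching group DNs."""
    wanted, suffix, result = norm_dn(user_dn), "," + norm_dn(base), {}
    for dn, attrs in DIRECTORY.items():
        if not norm_dn(dn).endswith(suffix):
            continue  # entry is not below the search base
        if "groupOfUniqueNames" not in attrs["objectClass"]:
            continue  # not a group entry
        if wanted not in [norm_dn(m) for m in attrs.get("uniqueMember", [])]:
            continue  # user is not a member of this group
        perm_rdn, project_rdn = dn.split(",")[:2]  # cn=<perm>, ou=<project>
        project = project_rdn.split("=", 1)[1]
        result.setdefault(project, []).append(perm_rdn.split("=", 1)[1])
    return {project: sorted(perms) for project, perms in result.items()}
```
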


