Posted to users@directory.apache.org by Fu-Tung Cheng <fu...@yahoo.com> on 2008/05/16 20:19:19 UTC

memberOf Algorithm

Hi,

I was hoping someone could help me out with an ldap query.

I am trying to implement the member of Algorithm

http://middleware.internet2.edu/dir/groups/docs/internet2-mace-dir-groups-best-practices-200210.htm#_memberOf_Algorithm

but I am not sure how to get all memberships for a particular user.

My ds tree looks like this:

organization
project1 project2
read, write (per project)

then with the unique members in each of read, write

so I guess what i need to do is a 2 part query where I get all projects where a user has permissions and then a 2nd query where i get all permission the user has on a project.

Is this a sane way to model the directory structure and permissions?   What would my query look like for all projects where the user is a uniquemember of a permission?  

the user would be a person object that is a unique member of the project1 write group and the project2 read group for instance.

If there is a link for a tutorial on how to do this kind of thing that would be great as well or a better place to post this kind of question.

Or even a good dead-tree reference.

Thanks again,

Fu-Tung

Re: memberOf Algorithm

Posted by Emmanuel Lecharny <el...@apache.org>.
Fu-Tung Cheng wrote:
> Hi,
>
> I was hoping someone could help me out with an ldap query.
>
> I am trying to implement the member of Algorithm
>
> http://middleware.internet2.edu/dir/groups/docs/internet2-mace-dir-groups-best-practices-200210.htm#_memberOf_Algorithm
>
> but I am not sure how to get all memberships for a particular user.
>
> My ds tree looks like this:
>
> organization
> project1 project2
> read, write (per project)
>
> then with the unique members in each of read, write
>
> so I guess what i need to do is a 2 part query where I get all projects where a user has permissions and then a 2nd query where i get all permission the user has on a project.
>
> Is this a sane way to model the directory structure and permissions?   What would my query look like for all projects where the user is a uniquemember of a permission?  
>
> the user would be a person object that is a unique member of the project1 write group and the project2 read group for instance.
>
> If there is a link for a tutorial on how to do this kind of thing that would be great as well or a better place to post this kind of question.
>
> Or even a good dead-tree reference.
>   
Well, I think that RBAC describes the full picture, and you might be 
interested in looking at how it deals with such a problem: 
http://en.wikipedia.org/wiki/Role-Based_Access_Control

Your problem is just a small part of the picture, and you have to know 
that it's not a simple one.

Hope it helps.

--
cordialement, regards,
Emmanuel Lécharny
www.iktek.com
directory.apache.org



RE: memberOf Algorithm

Posted by Wim V <wi...@pizzastop.be>.
Hi Fu-Tung,

I cannot answer your question as I was about to post it myself, when I was
writing my own implementation for these common operations using Spring LDAP
and got stuck on the exact same thing. I'm not sure what your exact goal is,
but you might wanna take a look at the WSO2 WSAS User Manager (sub-)project.
It can be used on its own: http://wso2.org/projects/commons/user-manager

I have to admit I haven't tested this solution yet, but it looks promising.
If you decide to give it a try let me know how that works out pls.
Actually I'm quite curious to see if user-manager is going to relieve me from
the (for me at least) painful job of writing LDAP queries for group
memberships.

Here's a quick peek:
org.wso2.usermanager.Authenticator       Authenticate users.
org.wso2.usermanager.AccessControlAdmin  Add/edit/delete authorization on users/roles/resources
org.wso2.usermanager.Authorizer          Can check for authorizations
org.wso2.usermanager.UserStoreAdmin      Add/edit/delete users.

Of course this still leaves me curious for an answer to your original
question:

What is, in terms of performance, the optimal query for obtaining the group
memberships of a certain user in ApacheDS?

Hope to have provided some useful info though,

Wim Verreycken

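An added example, not code from anyone in this thread, from ApacheDS or from WSO2, answering both Fu-Tung's question (one query for "all projects where the user is a uniqueMember of a permission") and Wim's ("the optimal query for a user's group memberships"). It is Python rather than Spring LDAP so that it runs offline: a constructed in-memory directory under an assumed base `o=example` (the user `uid=fu-tung,ou=people,o=example` and the `uid=alice` entry are made-up sample data) stands in for the server, and `search_groups_containing` is a stand-in that evaluates the same condition a real subtree search with the shown filter would. The filter strings themselves are real RFC 4515 syntax you could pass to ldapsearch or a Java client unchanged. The key point is that the two-part query in the post collapses into a single subtree search on `uniqueMember` plus parsing of the returned group DNs; the example goes beyond the post's tree by also following nested groups (a group that is itself a `uniqueMember` of another group) and by escaping the DN before it is spliced into the filter, so a DN taken from user input cannot rewrite the query.

```python
"""Computing a user's group memberships from groupOfUniqueNames entries.

Added example (not code from the thread, ApacheDS or WSO2). It assumes the
tree Fu-Tung describes, a constructed in-memory directory standing in for
the server, and a stand-in search function in place of a real LDAP client;
the filter strings are real LDAP syntax (RFC 4515).
"""
from collections import deque

# Constructed sample directory (DN -> attributes), laid out as in the post:
# organization / project / read,write groups whose uniqueMember lists users.
ORG = "o=example"
DIRECTORY = {
    "uid=fu-tung,ou=people,o=example": {
        "objectClass": ["inetOrgPerson"],
    },
    "cn=write,ou=project1,o=example": {
        "objectClass": ["groupOfUniqueNames"],
        "uniqueMember": ["uid=fu-tung,ou=people,o=example"],
    },
    "cn=read,ou=project1,o=example": {
        "objectClass": ["groupOfUniqueNames"],
        "uniqueMember": ["uid=alice,ou=people,o=example"],
    },
    "cn=read,ou=project2,o=example": {
        "objectClass": ["groupOfUniqueNames"],
        "uniqueMember": ["uid=fu-tung,ou=people,o=example"],
    },
    "cn=write,ou=project2,o=example": {
        "objectClass": ["groupOfUniqueNames"],
        # Nested group (an extension of the post's tree): project1's write
        # group is itself a member, so its members inherit write on project2.
        "uniqueMember": ["cn=write,ou=project1,o=example"],
    },
}


def escape_filter_value(value):
    """RFC 4515 escaping for an assertion value. A DN taken from user input
    could otherwise contain '(', ')', '*' or '\\' and rewrite the filter
    (LDAP filter injection), e.g. turning an exact match into a wildcard."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)


def membership_filter(member_dn):
    """The one filter that answers 'which groups list this DN as a member?'.
    Run with subtree scope under the organization, it returns every
    permission group of every project in a single round trip."""
    return "(&(objectClass=groupOfUniqueNames)(uniqueMember=%s))" % (
        escape_filter_value(member_dn))


def search_groups_containing(member_dn, base=ORG):
    """Stand-in for the subtree search with membership_filter(member_dn):
    evaluates the same condition against DIRECTORY and returns matching DNs.
    A real client would send the filter string; this is a simulation."""
    return sorted(
        dn for dn, attrs in DIRECTORY.items()
        if dn.endswith(base)
        and "groupOfUniqueNames" in attrs.get("objectClass", [])
        and member_dn in attrs.get("uniqueMember", [])
    )


def member_of(user_dn, search=search_groups_containing):
    """memberOf as a transitive closure: groups containing the user, then
    groups containing those groups, until nothing new appears. The seen set
    is what stops a cycle (A member of B, B member of A) looping forever."""
    seen = set()
    queue = deque([user_dn])
    while queue:
        for group_dn in search(queue.popleft()):
            if group_dn not in seen:
                seen.add(group_dn)
                queue.append(group_dn)
    return sorted(seen)


def permissions_by_project(group_dns):
    """Fold group DNs like cn=write,ou=project1,o=example into
    {project: set(permissions)}. The post's second query becomes DN parsing:
    the permission is the group's cn, the project its parent ou.
    (Simplified RDN split: fine for these DNs, not for escaped commas.)"""
    result = {}
    for dn in group_dns:
        rdns = [part.split("=", 1) for part in dn.split(",")]
        cn = next(v for k, v in rdns if k == "cn")
        ou = next(v for k, v in rdns if k == "ou")
        result.setdefault(ou, set()).add(cn)
    return result


if __name__ == "__main__":
    user = "uid=fu-tung,ou=people,o=example"
    print(membership_filter(user))
    groups = member_of(user)
    print(groups)
    print(permissions_by_project(groups))
```

On the performance question: the loop issues one subtree search per DN it discovers (one for the user, then one per group found), so for a flat two-level tree like the one in the post it is exactly one search, and the attribute that search filters on, `uniqueMember`, is the one to index on the server.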