One small correction here :
using newly created nsUserAccountRole and nsUserAccountRoles ( Will be used
only to create filter role ) , i am creating filter roles only . This is
the confusion here , we should remember filter roles are nothing but
entries with o='something'. I am not touching any user here , but i am
creating roles and these roles are covering the users automatically a
Ludwig Krispenzs said earlier. example-
role=nsUserAccountRole(topo.standalone,'cn=tuser1,ou=People,dc=example,dc=com')
user_props={'cn':'Anuj', 'nsRoleFilter':'cn=*'}
role.create(properties=user_props, basedn=SUFFIX)
In above example just created one filer role which will cover all users
having 'cn=*' in 'ou=People'. Here
'cn=tuser1,ou=People,dc=example,dc=com'
is nothing but a filter role which will cover all users having 'cn=*' in
'ou=People'.
Another example as given bellow:
dn: cn=FILTERROLEENGROLE,o=acivattr1,dc=example,dc=com
cn: FILTERROLEENGROLE
nsRoleFilter: cn=*
objectClass: top
objectClass: LDAPsubentry
objectClass: nsRoleDefinition
objectClass: nsComplexRoleDefinition
objectClass: nsFilteredRoleDefinition
This above entry is nothing but filter role entry , which will cover all
users in 'o=acivattr1' which has sub entries that begins with 'cn'. And
this is the property of filter role .
Yes , i must say that newly created nsUserAccountRole and
nsUserAccountRoles which i renamed to nsFilterAccountRole and
nsFilterAccountRoles will only cover filter role as you cant create Filter
role and other roles like Manage role all together . For my porting stuff
newly created nsFilterAccountRole and nsFilterAccountRoles is more than
enough because i need filter roles only .
Hope it clears all of your doubts.
Regards
Anuj Borah
On Fri, Jan 18, 2019 at 4:24 AM William Brown <wbrown(a)suse.de> wrote:
> On 17 Jan 2019, at 19:40, Ludwig Krispenz <lkrispen(a)redhat.com> wrote:
>
>
> Maybe I do not understand how it works because of some lib389 magic, but
I think this is not how roles work.
>
> You are creating cn=tuser1 and cn=Anju and they will have the role
objectclasses, but the benefit of roles is that you do NOT have to touch
the useres to assign roles to them. There is a class of users and a class
of role definitions and ONLY the change in the role definition will
determine if a user has a role or not.
I think lib389 probably isn’t helping, but Ludwig’s description here is
correct.
Maybe a good approach is to “setup” roles by hand, then once you have a
process in mind, then you can make the lib389 parts? I generally approach
things this way to understand them well.
Would that help?
—
Sincerely,
William Brown
Software Engineer, 389 Directory Server
SUSE Labs
_______________________________________________
389-devel mailing list -- 389-devel(a)lists.fedoraproject.org
To unsubscribe send an email to 389-devel-leave(a)lists.fedoraproject.org
Fedora Code of Conduct:
https://getfedora.org/code-of-conduct.html
List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedoraproject.org/archives/list/389-devel@lists.fedoraproje...