Jason Dusek wrote:
I'm curious about the intended permissions model for reverse group membership:
http://www.openldap.org/doc/admin24/overlays.html#Reverse%20Group%20Membership%20Maintenance
Consider the case where a user should only have write access to their own attributes and a friends group to which they can add their friends. The reverse group membership overlay is used to propagate `memberOf` attributes to all the users that they add to their group of friends. We do it this way because 'denormalizations' of this kind are helpful for query efficiency.
For this application, it seems right for the overlay to propagate changes that a user does not have permission to execute themselves -- we don't have to let a user know who anybody else's friends are, for example; nor can they change that attribute.
If this can be added, it'd be great. If it's already possible, I'd appreciate it if it were part of the documentation.
It's possible and already documented in the man page (man slapo-memberof):
memberof-dn <dn>
    The value <dn> contains the DN that is used as modifiersName for internal modifications performed to update the reverse group membership. It defaults to the rootdn of the underlying database.
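To make the permissions model concrete, here is an added slapd.conf fragment (not taken from the thread or from the OpenLDAP documentation) that combines the ACLs Jason describes with the memberof overlay. It assumes a suffix of dc=example,dc=com, user entries under ou=people, one groupOfNames per user under ou=friends whose owner attribute names that user, and a rootdn of cn=admin,dc=example,dc=com; all of these names are assumptions for the example.

```conf
# Added example (not from the thread): slapd.conf fragment for a
# "friends group" permissions model with slapo-memberof.
# Assumed names: dc=example,dc=com, ou=people, ou=friends, cn=admin.
database        mdb
suffix          "dc=example,dc=com"
rootdn          "cn=admin,dc=example,dc=com"

# ACLs are evaluated in order; the first "access to" clause that matches
# the target wins. The memberOf clause therefore comes first, so that the
# later "by self write" on user entries cannot be used to edit memberOf.
access to attrs=memberOf
        by self read
        by * none

# A user may modify their own entry (minus memberOf, handled above);
# other authenticated users may only read it.
access to dn.one="ou=people,dc=example,dc=com"
        by self write
        by users read
        by * none

# Each friends group carries an "owner" attribute naming its user.
# Only that owner can see or edit the group, so nobody else learns
# who a given user's friends are.
access to dn.one="ou=friends,dc=example,dc=com"
        by dnattr=owner write
        by * none

# The overlay watches "member" on groupOfNames entries and mirrors
# changes into "memberOf" on the referenced user entries.
overlay         memberof
memberof-group-oc       groupOfNames
memberof-member-ad      member
memberof-memberof-ad    memberOf
memberof-refint         TRUE
# Internal memberOf updates run as this DN (the default is the rootdn),
# so they are not subject to the ACLs above: a user who adds a friend
# to their group never needs write access to the friend's memberOf.
memberof-dn             "cn=admin,dc=example,dc=com"
```

The effect is the one asked for in the thread: adding a DN to one's own group succeeds because the owner has write access to `member`, the overlay then writes `memberOf` on the target entry as `memberof-dn`, and a direct attempt by any user to modify `memberOf` is refused by the first ACL. The ordering can be checked offline with `slapacl` against the config file, for example `slapacl -f slapd.conf -D "uid=alice,ou=people,dc=example,dc=com" -b "uid=alice,ou=people,dc=example,dc=com" memberOf/write`, which should report that write access is denied.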