Group inheritance and Indirect group membership

[nitnelave]

More of a nice-to-have, I don't expect many users to have a very complex group membership structure that requires that.

We can make a group inherit from another one, or be a subgroup of another one: if group A has subgroup B, then users in B are indirectly part of group A.

To avoid making too many requests for reading (common case), we can keep a "resloved" membership table that contains both direct and indirect memberships. This can be updated when adding a user to a group, and can be reset when deleting a user or a group.

Another way to do it is to have just the resolved group inheritance, not the full user one; then a user is part of group A if:

• They are explicitly a member of A.
• They are explicitly a member of a group that resolves to inherit from A.
  That's achievable with a single query, with a join.
  This would only require updates/rebuilding when adding/deleting groups/group inheritance.

[nitnelave]

https://ldapwiki.com/wiki/LDAP_MATCHING_RULE_IN_CHAIN

[nitnelave]

Design for the feature, feel free to comment on it: https://docs.google.com/document/d/1xkUFGdjfbTI5rC_sh1QIRET6njsK3Ci2ueGAWO-FJY4/edit?usp=drivesdk

[lordratner]

1000% want this feature. It's really the only thing I think is truly "missing" from LLDAP.

[jacobw]

Link has changed:
https://ldapwiki.com/wiki/Wiki.jsp?page=LDAP_MATCHING_RULE_IN_CHAIN

[lordratner]

Is this on the radar still? Just wondering for planning purposes.

[nitnelave]

Yes, it is. However, expect development to be slow in the next few months (like it has been in the past few months) due to personal circumstances.

[lordratner]

Yes, it is. However, expect development to be slow in the next few months (like it has been in the past few months) due to personal circumstances.

No worries. LLDAP is the best game in town, thank you for what you've done already.