-
-
Notifications
You must be signed in to change notification settings - Fork 169
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Group inheritance and Indirect group membership #13
Comments
Design for the feature, feel free to comment on it: https://docs.google.com/document/d/1xkUFGdjfbTI5rC_sh1QIRET6njsK3Ci2ueGAWO-FJY4/edit?usp=drivesdk |
1000% want this feature. It's really the only thing I think is truly "missing" from LLDAP. |
Link has changed: |
Is this on the radar still? Just wondering for planning purposes. |
Yes, it is. However, expect development to be slow in the next few months (like it has been in the past few months) due to personal circumstances. |
No worries. LLDAP is the best game in town, thank you for what you've done already. |
More of a nice-to-have, I don't expect many users to have a very complex group membership structure that requires that.
We can make a group inherit from another one, or be a subgroup of another one: if group A has subgroup B, then users in B are indirectly part of group A.
To avoid making too many requests for reading (common case), we can keep a "resloved" membership table that contains both direct and indirect memberships. This can be updated when adding a user to a group, and can be reset when deleting a user or a group.
Another way to do it is to have just the resolved group inheritance, not the full user one; then a user is part of group A if:
That's achievable with a single query, with a join.
This would only require updates/rebuilding when adding/deleting groups/group inheritance.
The text was updated successfully, but these errors were encountered: