Ticket 208 - [RFE] Roles with explicit scoping in RHDS
Bug Description:
A limitation of the application using the role mechanism is that the scope of a role
is the subtree where the role is defined.
That means the role definitions are often mixed with the entries they are dealing with.
Usually configuration info are seperated from the data. This RFE aims to separate the
role definitions from the DIT subtree where are stored the entries
Fix Description:
This RFE introduces a new configuration attribute 'nsRoleScopeDN' in the role definition.
This attribute specifies the subtree where the role apply.
See http://directory.fedoraproject.org/wiki/Creation_of_an_explicit_scoping_for_the_roles_%28ticket_208%29
https://fedorahosted.org/389/ticket/208
Reviewed by: Noriko Hosoi (thanks Noriko !)
Platforms tested: Fedora 17
Flag Day: no
Doc impact: yes
A role definition (entry with Objectclass=nsRoleDefinition), may contain an optional single valued attribute
'nsRoleScopeDN'.
In that case, the role does not apply to the subtree where it is defined but to the subtree referred by 'nsRoleScopeDN'.
'nsRoleScopeDN' is a DN syntax attribute. To be taken into account, its value must be a subtree under the suffix
where the role is defined.
If not present or with invalid value, the role will apply to the subtree where it is defined.