> I think that you've (re)-invented 'filtered roles'.
>
> They've been supported in the server since 1999 or so.
>
> Your second point above I believe is covered by nested roles.
>
> Roles (deliberately) don't use the same schema as static groups,
> so the same problem you mentioned that apps don't support them
> applies still. They use the 'nsRole' attribute.

Yeah - but my point was that I want something that _does_ work with existing apps that know nothing about the Netscape/Sun extensions like nsRoles and memberURL - i.e. that could look up a "standard" groupofuniquenames groups and see things in the uniquemember attribute, without having to look at something else (i.e. nsRole). That has always been the problem with using these extensions.

So what I am asking for _is_ different than the filtered roles, I think. :)

- Jeff