David Boreham wrote: > Are there really large numbers of applications deployed that > grok static groups ? I'd like to hear about them because I can't > remember ever seeing one. Mind you I don't get out much ;) Hmm - good question. I've been working with nsds since 1.0, and over that time, it comes up every so often, but I couldn't give you a big list of apps that exist now :) One simple realworld example I run into: - I want to create a group of people. Lets say I want this to be all people in the engineering department, which is determined by having the value "engineering" in the department attribute of their entry. - I want to use that group as a mail group in Sun JES (or Netscape) messaging server. I can create a groupofURLs style group that the Messaging server will use to determine members of the email list, based on an appropriate filter. As a dynamic group, it maintains itself (sort of - I guess it's more a matter of a client that knows how to interpret it). Messaging server also recognizes uniquemember values as members of the list, so if that were dynamically generated, it would work in place of groupOfUrls. - Further, I want to set up a webpage in Apache that only the engineering group can see. Apache doesn't deal with groupOfURL style lists, as far as I know, so this doesn't work. (groupOfURLS being ok for finding a list of members, but lousy for determining if a user is a (dynamic) member of it) Nsroles would probably work for apache, but I don't think JES/Netscape messaging supports nsroles as a means for defining mail groups - its not really appropriate for determining lists of users like this. Ignoring for the moment that JES messaging is pretty much tied to one ldap implementation (i.e. the Sun JES Directory server), I want to use the same group across apps, because I don't want to have to maintain 2 versions representing the same group information and possibly have them out of sync. Also, I want to be able to send email notices related to the engineering web page, targeted at those users that have access to it. I _could_ define the same LDAP URL in apache for access to the web page - i.e. ignore the group and just use the same or similar LDAP URL that I used in the mail list for apache .htaccess files. But... if I later change the group filter in LDAP - say I make the filter (|(department=engineering users)(department=engineering staff)), if I don't remember to go back and change things in apache everywhere it's defined, I loose consistency. Maybe the best solution would be to create a single ldap entry that is groupOfUrls, inetMailgroup (JES mail list), and a dynamic nsrole group, so that one entry defines the same list of users in multiple ways that each app can find. At least having this all together means that if I change my filter, I will see all the filters/methods in one place, so in my above example I won't have to go find all my apache .htaccess files. One last thing to keep in mind - nsroles and groupOfUrls is a netscape/sun/fds schema extension. If I want to keep an app portable, so that I can drop in openldap, FDS, AD, etc without having to go back and change all my apps, nsroles and groupOfURL's don't work - is there a way that is consistent across ldap implementations? With a "dynamic" groupOfUniqueNames, this would be portable, though on other ldap implementations, my list may have to become static if the replacement ldap implementation can't generate it on the fly. I guess what I am really lookig for is a standardized way to define a dynamic group that works consistently across applications (and is "portable" across ldap implementations). groupOfUniqueNames fits this for static groups, but there is nothing that fits this for dynamic groups. Does that make sense? Any ideas on solutions, or am I asking too much? :) Anyway, sorry for beating this horse to death... - Jeff