David Boreham wrote: > This is an interesting one, because applications like apache were the > target for roles/cos. Do you know what Apache does support for > detemining page access via LDAP ? Roles should work for apache. Out of habit, I've used apache/auth_ldap as follows, to limit users to a group (from an htaccess file): AuthLDAPURL ldap://ldap1.airius.com:389/ou=People, o=Airius?uid?sub?(objectClass=*) require group cn=Administrators, o=Airius In this case, if memory serves, this will look up the user by uid to get their dn and auth them, then will check to see if their dn is in the uniquemember attribute of the group to see if they can see whatever is protected. I think (have not tested this), I could use roles instead by doing: AuthLDAPURL ldap://ldap1.airius.com:389/ou=People, o=Airius?uid?sub?(nsRole=<dn of the role>) require valid-user Or something like that. So, instead of saying "auth the user and see if they are in a group, and if so they are allowed", we are saying "auth any users, but only if they match this filter, and if they do, they are allowed". The roles method actually uses half the searches, so is more efficient, admittedly :) But, apache (auth_ldap) is nice enough to allow you to define the filters. Netscape Enterprise/Fastrack web server only did groups one way - it looked at static members in the uniquemember attribute. Part of why I always used Apache instead. (ok, so admittedly that's a _really_ old example, and may not even apply to whatever state that server is in at Sun these days... :) ) The problems I've run into is that I want to create a group that: 1. Represents some some subset of users (obviously) 2. Is dynamically generated (otherwise I'd use groupOfUniqueNames and be done). 3. Can be used for multiple applications. For example: a. As an auth group for apache .htaccess files b. Can be used as an email list for messaging servers. c. aci groups in ldap (for example, I want this group of people to be able to edit certain fields in ldap). d. defines a vpn template (I think checkpoint firewall 1 extends a groupofuniquenames group to include vpn template attributes to determine who can access what services). (e. probably other things but can't think of 'em now :) ) Anyway, the point is that one group may be used by multiple things and represent different functions that group of users can do across different services (Example: members of the HR group can log into a web page that allows you to change users contact info (apache auth), gets email notices related to this web page (mail server list), and has rights in LDAP to actually make these changes (LDAP acis). Further, I only allow HR users access to the server this runs on via a VPN). 4. Is portable across ldap server implementations (otherwise, why use a standard like LDAP?) So I guess I see a group as doing 2 things, primarily: Allowing me to determine all the members of the group (i.e. for things like email lists), and to determine if someone is a member of a particular group (i.e. I can do/access X if I'm part of group Y). The difference is whether my searches return a list and I do something involving all the members of it, or if I just want to return what lists I am a member of. Speaking to portability across LDAP server implementations: 1. There is nothing "special" about groupOfURLs, since the client has to read memberURL and process that to get the list (and hope it doesn't run into resource limits). So, one caveat here is that the "dynamic" group part is implemented on the client, so is really more of a schema thing vs server coding (ignoring for the moment the server's use of it in acis). It also has not really been widely adopted as a group mechanism (only by Sun/Netscape/iPlanet/etc, as far as I know). 2. roles are "special", in that FDS can generate them. However, I _can_ add the schema to most ldap implementations and statically maintain the nsrole attribute (which is close enough to portable to me - i.e. if I go from FDS to OpenLDAP for whatever reason, I loose the ability to have this populated dynamically, but I can still manually populate it and use it without changing all my applications). I suppose a Role could be extended and used for email lists just as easily as groupOfUrls is, now that I think about it, since the mail server would have to do almost the exact same work to find members (and face the same resource limits). But... I can't change servers like Netscape/Sun JES messaging to support this. If I ported this to Openldap, the problem would become cleaning up these statically created groups (even with static roles, I can use referential integrity on FDS to clean 'em up), but that's just a cron script :) 3. groupofUnique names is "standard" so is in there for every ldap server I've seen (even AD), so is definately portable, but is not as useful because it's not dynamic. 4. Admittedly, aci's should probably be out of scope for this idea - since ldap access control is not portable, how you define a group to support it being portable is probably not so important :) I guess what it really comes down to is trying to find a way to implement dynamic groups that is transparent to applications that don't know how to use them. Maybe part of it is that I've been doing this for so long (since Netscape dir server 1.0 and the original U of Mich stuff), I have some old habits I need to unlearn :) Sorry for rambling on for so long over so many messages about all this :-) - Jeff