jclowser at unitedmessaging.com wrote:

> Sorry for rambling on for so long over so many messages about all this
> :-)

No, this is good stuff. It'd be nice to finally nail this. Only been working on it for 8 years ;)

Now, when roles (and to an extent cos) were originally conceived, one thing I did was ask "if I were an application writer and I wanted to use the DS to decide to allow or not allow someone to do something, how would I want to do that?". To be honest, I never thought the answer would be "I'd like to test to see if the entry is a member of a static group". I was thinking more of trying to keep the application logic very simple (and also assuming that there weren't many applications that existed in the wild that I needed to worry about being compatible with).

Instead, the idea I had was to require that the application simply read attribute(s) on the user's entry, and do what it needs to do based on their values. For example, the VPN app would read an attribute called 'allowVPNAccess', and if it had the value 'true', then it would allow the user access. Everything else kind of followed from that original concept.

I guess also the problem I was trying to solve was that, to a first approximation, no applications had decent LDAP support at that time (not even Netscape applications). So a feature that lowered the implementation hurdle for the app developer to add LDAP support seemed like a good idea. Perhaps that was a mistake. Anyway, just to give you some insight into how this stuff came into being.
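The two authorization models contrasted in the message above, as an added example that is not part of the thread and not the directory server's own code: an application that reads one attribute on the user's entry (the 'allowVPNAccess' design described) beside one that tests membership of a static group (what the other poster was asking about). The directory is a constructed in-memory stand-in keyed by DN, shaped like an LDAP search result (attribute name to list of values); the DNs, the group name `vpn-users` and the `uniqueMember` attribute choice are assumptions for illustration. The attribute check fails closed when the attribute is absent or carries conflicting values, and both checks treat attribute names and DN components case-insensitively, as LDAP does.

```python
"""Added example: attribute-based versus static-group authorization against
a constructed in-memory directory. Not code from the mailing-list thread."""
from typing import Dict, List, Optional

Entry = Dict[str, List[str]]

# Constructed sample directory (not real data). Entries map attribute name
# to a list of string values, as a search result would be delivered.
DIRECTORY: Dict[str, Entry] = {
    "uid=alice,ou=people,dc=example,dc=com": {
        "uid": ["alice"],
        "allowVPNAccess": ["TRUE"],
    },
    "uid=bob,ou=people,dc=example,dc=com": {
        "uid": ["bob"],
        "allowVPNAccess": ["false"],
    },
    "uid=carol,ou=people,dc=example,dc=com": {
        "uid": ["carol"],
        # attribute absent on purpose: the application must treat this as "no"
    },
    "uid=dave,ou=people,dc=example,dc=com": {
        "uid": ["dave"],
        "allowVPNAccess": ["TRUE", "FALSE"],  # conflicting values: deny
    },
    # Hypothetical static group listing members by DN.
    "cn=vpn-users,ou=groups,dc=example,dc=com": {
        "cn": ["vpn-users"],
        "objectClass": ["groupOfUniqueNames"],
        "uniqueMember": [
            "uid=alice,ou=people,dc=example,dc=com",
            "UID=Carol, OU=People, DC=example, DC=com",  # same DN, different spelling
        ],
    },
}


def _normalize_dn(dn: str) -> str:
    """Normalise a DN for comparison: lower-case and strip spaces around RDNs."""
    return ",".join(part.strip() for part in dn.lower().split(","))


def _lookup(directory: Dict[str, Entry], dn: str) -> Optional[Entry]:
    """Find an entry by DN regardless of case/spacing differences."""
    want = _normalize_dn(dn)
    for key, entry in directory.items():
        if _normalize_dn(key) == want:
            return entry
    return None


def _attr(entry: Entry, name: str) -> List[str]:
    """Attribute types are case-insensitive in LDAP; match accordingly."""
    for key, values in entry.items():
        if key.lower() == name.lower():
            return values
    return []


def allowed_by_attribute(directory: Dict[str, Entry], user_dn: str,
                         attr: str = "allowVPNAccess") -> bool:
    """The design from the message: read one attribute on the user's own
    entry and allow only if it is unambiguously true. LDAP Boolean syntax
    spells the value TRUE/FALSE, so compare case-insensitively, and fail
    closed if the attribute is missing or has conflicting values."""
    entry = _lookup(directory, user_dn)
    if entry is None:
        return False
    values = {v.strip().upper() for v in _attr(entry, attr)}
    return values == {"TRUE"}


def allowed_by_static_group(directory: Dict[str, Entry], user_dn: str,
                            group_dn: str, member_attr: str = "uniqueMember") -> bool:
    """The alternative the other poster wanted: test whether the user's DN is
    listed on a static group entry. DNs are normalised before comparison so
    a differently spelled member value does not produce a false deny."""
    group = _lookup(directory, group_dn)
    if group is None:
        return False
    want = _normalize_dn(user_dn)
    return any(_normalize_dn(m) == want for m in _attr(group, member_attr))


def decisions(directory: Dict[str, Entry], user_dn: str,
              group_dn: str = "cn=vpn-users,ou=groups,dc=example,dc=com") -> Dict[str, bool]:
    """Both answers side by side, so divergence between the models is visible."""
    return {
        "attribute": allowed_by_attribute(directory, user_dn),
        "group": allowed_by_static_group(directory, user_dn, group_dn),
    }


if __name__ == "__main__":
    for dn in (d for d in DIRECTORY if d.startswith("uid=")):
        print(dn, decisions(DIRECTORY, dn))
```

Running it shows why the two models are not interchangeable: carol is a member of the group but carries no `allowVPNAccess` attribute, so the attribute-reading application denies her while the group-testing one allows her. Whichever model an application uses, the entries it reads must be writable only by the administrators who are meant to grant the access, and the application should deny on anything other than an exact, unambiguous positive value.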