> From what I remember, that vpn server searched for the users dn in > uniquemember to find a template entry, and the above is what it is > expecting to find. How would I set up Roles and CoS entries that > would work without changing the app (is that possible)? Can I set up > Roles/CoS that would populate the uniquemember attribute of the > vpntemplate entry? Is that searchable (if I remember correctly, early > versions of CoS didn't allow you to search on cos populated > attributes, later versions might have, and I'm not sure where in that > line FDS is). Yeah, I don't know about this. I was more interested in the semantics of the checkpoint application behavior, which I think are easily implemented with role-based cos (the end result is that the user entry has the necessary vpn cruft on it directly, with no need to indirect to the template entry at the client end). If an existing application can be made to simply fetch its per-user parameters from attributes on the user's entry , then roles/cos will work fine. I have no idea what proportion of deployed applications can do this, but it seems simpler and easier than indirection via a group that acts as a template entry. I would _hope_ that an application that supports the fancy 'indirect via a group' thing, would also support the very simple 'read some attribute values from the user's entry' model too. Whether or not that's a reasonable thing to hope for, I'm not sure these days. Just to be clear: I don't expect (nor require) that there are any applications that 'support' roles. All the applications need to do is to support regular ldap attributes on the user entries.
