Thanks, that was an interesting analysis.

>Instead some kind of LDAP-Proxy-Super-Adapter comes to my mind: it would
>use and understand all those variations of groups and present them to an
>application as being a classical static group. It would be very
>configurable in every aspect.

I believe this is what was called the 'policy server'. Problem is that AFAIK
nobody has built a generally useful one.

>Otherwise I'm afraid too much of application logic moves into the directory
>server like PL/SQL only for LDAP.
>

True. There are two (valid) reasons for stored procedures: 1) ensure data
integrity, 2) performance. Both of these apply to the LDAP DS scenario too.

So it's a two-sided thing: offload too much to an intermediary LDAP client and
performance will suffer, plus applications that do not use the intermediary now
have the problem of maintaining consistency with it.

The doomsday scenario of a full-blown policy language inside the DS is
certainly scary. All the proposals being discussed here are very simple by
comparison (and sometimes too simple of course).
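To make the "proxy adapter" idea above concrete, here is an added example (written for this page, not code from the thread or from any product): a toy adapter that takes three group styles found in real directories (classical groupOfNames/member lists, possibly nested; groupOfURLs/memberURL dynamic groups; and memberOf back-references on user entries) and hands the application one flat, static-style member list. The in-memory directory is constructed test data, the filter engine only covers a subset of RFC 4515 (equality, presence, &, |, !), and DN handling is deliberately naive (no escaped commas).

```python
"""Toy LDAP group adapter (added example, not from the thread).

Resolves static, nested, dynamic (memberURL) and memberOf-style membership
into one classical static group view.  Constructed data; subset of RFC 4515.
"""

GROUP_CLASSES = {"groupofnames", "groupofuniquenames", "groupofurls"}

# Constructed in-memory directory: DN -> {lower-cased attribute: [values]}
DIRECTORY = {
    "uid=alice,ou=people,dc=example,dc=com": {
        "objectclass": ["person"], "uid": ["alice"], "departmentnumber": ["42"]},
    "uid=bob,ou=people,dc=example,dc=com": {
        "objectclass": ["person"], "uid": ["bob"], "departmentnumber": ["42"],
        "memberof": ["cn=ops,ou=groups,dc=example,dc=com"]},   # reverse membership
    "uid=carol,ou=people,dc=example,dc=com": {
        "objectclass": ["person"], "uid": ["carol"], "departmentnumber": ["7"]},
    "cn=ops,ou=groups,dc=example,dc=com": {
        "objectclass": ["groupOfNames"],
        "member": ["uid=carol,ou=people,dc=example,dc=com"]},
    "cn=dept42,ou=groups,dc=example,dc=com": {
        "objectclass": ["groupOfURLs"],
        "memberurl": ["ldap:///ou=people,dc=example,dc=com??sub?"
                      "(&(objectClass=person)(departmentNumber=42))"]},
    "cn=everyone,ou=groups,dc=example,dc=com": {
        "objectclass": ["groupOfNames"],
        "member": ["cn=ops,ou=groups,dc=example,dc=com",
                   "cn=dept42,ou=groups,dc=example,dc=com",
                   "cn=everyone,ou=groups,dc=example,dc=com"]},  # cycle on purpose
}


def parse_filter(text, pos=0):
    """Parse a subset of RFC 4515 into a tree; returns (node, next position)."""
    if text[pos] != "(":
        raise ValueError("filter must start with '('")
    pos += 1
    if text[pos] in "&|!":
        op, pos, children = text[pos], pos + 1, []
        while text[pos] == "(":
            child, pos = parse_filter(text, pos)
            children.append(child)
        if text[pos] != ")":
            raise ValueError("unbalanced filter")
        return (op, children), pos + 1
    end = text.index(")", pos)
    attr, _, value = text[pos:end].partition("=")
    return ("=", attr.strip().lower(), value), end + 1


def matches(node, attrs):
    """Evaluate a parsed filter against one entry's attributes."""
    kind = node[0]
    if kind == "&":
        return all(matches(c, attrs) for c in node[1])
    if kind == "|":
        return any(matches(c, attrs) for c in node[1])
    if kind == "!":
        return not matches(node[1][0], attrs)
    _, attr, value = node
    values = attrs.get(attr, [])
    return bool(values) if value == "*" else any(v.lower() == value.lower() for v in values)


def dn_in_scope(dn, base, scope):
    """Naive base/one/sub scope check (no escaped-comma handling)."""
    dn, base = dn.lower(), base.lower()
    if dn == base:
        return scope in ("base", "sub")
    if not dn.endswith("," + base):
        return False
    depth = dn[: -len(base) - 1].count(",") + 1   # RDNs below the base
    return scope == "sub" or (scope == "one" and depth == 1)


def evaluate_member_url(url, directory):
    """Resolve a memberURL 'ldap:///base?attrs?scope?filter' to matching DNs."""
    if not url.lower().startswith("ldap:///"):
        raise ValueError("only ldap:/// URLs are supported")
    parts = url[len("ldap:///"):].split("?", 3)
    base = parts[0]
    scope = parts[2].lower() if len(parts) > 2 and parts[2] else "base"
    flt = parse_filter(parts[3])[0] if len(parts) > 3 and parts[3] else ("=", "objectclass", "*")
    return {dn for dn, attrs in directory.items()
            if dn_in_scope(dn, base, scope) and matches(flt, attrs)}


def is_group(attrs):
    return any(oc.lower() in GROUP_CLASSES for oc in attrs.get("objectclass", []))


def resolve_members(group_dn, directory, _seen=None):
    """Flatten a group to user DNs: nested groups, memberURLs, memberOf; cycle-safe."""
    seen = _seen if _seen is not None else set()
    key = group_dn.lower()
    if key in seen:
        return set()
    seen.add(key)
    entry = directory.get(group_dn, {})
    candidates = set(entry.get("member", [])) | set(entry.get("uniquemember", []))
    for url in entry.get("memberurl", []):
        candidates |= evaluate_member_url(url, directory)
    for dn, attrs in directory.items():            # memberOf kept on user entries
        if key in (g.lower() for g in attrs.get("memberof", [])):
            candidates.add(dn)
    members = set()
    for dn in candidates:
        if is_group(directory.get(dn, {})):
            members |= resolve_members(dn, directory, seen)
        else:
            members.add(dn)
    return members


def as_static_group(group_dn, directory):
    """What the adapter hands to the application: a classical groupOfNames."""
    return {"dn": group_dn, "objectclass": ["groupOfNames"],
            "member": sorted(resolve_members(group_dn, directory))}
```

The two costs the message names show up directly in this code: every query re-evaluates the memberURL filter and scans for memberOf back-references (the performance side), and any application that reads `cn=ops` from the server without going through the adapter sees only carol, while the adapter's view also contains bob (the consistency side).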