On the topic of Tree DN as groups - evil or not - : My application does not depend on the DN of the person which is logged in. Instead it just depends on application roles. BUT: I have implemented some of the application roles by using LDAP roles inherited in the tree and some by LDAP groups. The LDAP adapter (JNDIRealm from Tomcat) unifies group membership and attribute values to application roles. So I save administrative work with roles. If an application role is identitical to some struture in the DIT I save administrative work by using LDAP roles. If the application role is orthogonal to the structure of the DIT or I have exceptions I have to use static groups. If in the future I cannot go on with LDAP roles I can change to LDAP groups without changing the application. If I don't use the tree structure in the DIT at all, it'll come through the back door where I need dozends of groups which mimic the trees in the end like company_a_user company_a_departement_b_user company_a_department_b_subdivsion_c_user and that's not really better. Or how do you organize your groups? A subtree is a topological group. It was meant so in the beginning in X.500. If implementations don't support changes of that topology it's not an argument against the concept. I guess the problem lies deeper. If the use of (all sophisticated) LDAP functions is to complicated to application developers, the development plattforms need an LDAP adapter which abstracts users and roles. It's like an object/relational mapping to escape from doing SQL/JDBC by hand for every SQL-dialect out there. Frerk Meyer EDEKA Aktiengesellschaft GB Datenverarbeitung Frerk Meyer CC Web Technologien New-York-Ring 6 22297 Hamburg Tel: 040/6377 - 3272 Fax: 040/6377 - 41268 mailto:frerk.meyer at edeka.de
