LDAP groups and LDAP roles: pro LDAP roles, but call them forward groups and use them

The naming is a misfortune: nsrole = netscape roles. First because they have their proprietary origin in the name. Second because most applications use LDAP groups to determine application roles, and LDAP roles are just another kind of group definition but not roles at all. They became roles by interpreting them in an application for authorization.

In SQL/RDBMS only newbies make the mistake of trying to represent a 1:n relation by storing all primary keys of B in a record of A. SQL records are not multivalued, so this mistake does not happen that much. Everyone learned to do it the other way around. But in LDAP this mistake is the standard for groups. And people adhere to it because it is the 'STANDARD'. Static LDAP roles do it like in every RDBMS, so it's right but non-standard. It should become standard IMHO.

OpenLDAP has no roles because it implements the standard. Netscape/Sun/FDS implement roles but nobody uses them because it is not the standard. But in MS-ADS - as I learned here - there is an attribute in every entry representing group memberships. So they set their own standard, as usual. If the OSS community doesn't start to use the roles feature, soon we will have to adhere to the MS standard and use ADS.

Frerk Meyer

EDEKA Aktiengesellschaft
GB Datenverarbeitung
Frerk Meyer
CC Web Technologien
New-York-Ring 6
22297 Hamburg
Tel: 040/6377 - 3272
Fax: 040/6377 - 41268
mailto:frerk.meyer at edeka.de
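The post contrasts three ways of storing the same 1:n membership relation: the group entry holding a multivalued `member` attribute (groupOfNames), the user entry holding `nsRoleDN` (Netscape/Sun/FDS static roles), and the user entry holding an MS-ADS style `memberOf` back-link. The following added example is not part of the original message; it models a small constructed directory in memory (no LDAP server, no client library) and shows which question each model answers with a single entry read and which one needs a scan of every entry. It also includes a consistency check for the case where a deployment keeps both `member` and `memberOf`, because an application that makes authorization decisions from one side alone is trusting the directory to keep the two in sync. All DNs, attribute values and the stale entry for `carol` are constructed for this example.

```python
"""Group model vs. role model for LDAP membership, on constructed in-memory data."""
from typing import Dict, List, Set, Tuple

Entry = Dict[str, List[str]]

BASE = "dc=example,dc=com"  # constructed base DN
U = {n: f"uid={n},ou=people,{BASE}" for n in ("alice", "bob", "carol")}
G = {n: f"cn={n},ou=groups,{BASE}" for n in ("admins", "webdev")}
R = {n: f"cn={n},ou=roles,{BASE}" for n in ("admin-role", "dev-role")}

# Constructed directory: DN -> attributes.
#   member    on the group entry  (groupOfNames, the "standard" group model)
#   nsRoleDN  on the user entry   (Netscape/Sun/FDS static roles)
#   memberOf  on the user entry   (MS-ADS style back-link, kept alongside member)
DIRECTORY: Dict[str, Entry] = {
    U["alice"]: {"objectClass": ["inetOrgPerson"],
                 "nsRoleDN": [R["admin-role"], R["dev-role"]],
                 "memberOf": [G["admins"], G["webdev"]]},
    U["bob"]:   {"objectClass": ["inetOrgPerson"],
                 "nsRoleDN": [R["dev-role"]],
                 "memberOf": [G["webdev"]]},
    # carol's memberOf names a group whose member list does not contain her:
    # a constructed stale back-link, the defect the consistency check finds.
    U["carol"]: {"objectClass": ["inetOrgPerson"],
                 "nsRoleDN": [],
                 "memberOf": [G["admins"]]},
    G["admins"]: {"objectClass": ["groupOfNames"], "member": [U["alice"]]},
    G["webdev"]: {"objectClass": ["groupOfNames"],
                  "member": [U["alice"], U["bob"]]},
}


def members_of_group(directory: Dict[str, Entry], group_dn: str) -> Set[str]:
    """Group model: 'who is in this group?' is one read of the group entry."""
    return set(directory.get(group_dn, {}).get("member", []))


def groups_of_user(directory: Dict[str, Entry], user_dn: str) -> Set[str]:
    """Group model: 'which groups is this user in?' must scan every group
    entry, because the relation is stored on the group side (the 1:n
    relation stored 'backwards' that the post objects to)."""
    return {dn for dn, e in directory.items()
            if "groupOfNames" in e.get("objectClass", [])
            and user_dn in e.get("member", [])}


def roles_of_user(directory: Dict[str, Entry], user_dn: str) -> Set[str]:
    """Role model: the relation lives on the user entry; one read answers it."""
    return set(directory.get(user_dn, {}).get("nsRoleDN", []))


def users_with_role(directory: Dict[str, Entry], role_dn: str) -> Set[str]:
    """Role model: the inverse question is the one that now needs a scan."""
    return {dn for dn, e in directory.items() if role_dn in e.get("nsRoleDN", [])}


def stale_memberof(directory: Dict[str, Entry]) -> List[Tuple[str, str]]:
    """Where both member and memberOf are kept, list (user, group) pairs in
    which the user's memberOf claims a group that does not list the user.
    An authorizer reading only memberOf would grant on such a stale link."""
    stale = []
    for dn, e in directory.items():
        for g in e.get("memberOf", []):
            if dn not in members_of_group(directory, g):
                stale.append((dn, g))
    return stale


if __name__ == "__main__":
    print("alice groups (scan):", sorted(groups_of_user(DIRECTORY, U["alice"])))
    print("alice roles  (read):", sorted(roles_of_user(DIRECTORY, U["alice"])))
    print("stale memberOf links:", stale_memberof(DIRECTORY))
```

The two scan functions are the mirror image of each other: whichever side of the relation stores the multivalued attribute, the question asked from the other side costs a search over all entries. That is the post's data-modelling point; the `stale_memberof` check is the practical caveat for directories that keep both sides.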