ns* attribute names: Yes, it is a good habit to mark proprietary attributes. The trouble is that changing the name afterwards is cumbersome. Every application which does not make the role attribute name configurable has to be changed and compiled again. Nevertheless it would be the right thing to do. Since it is a virtual attribute anyway, the LDAP server may for some time generate two attributes with the names nsrole and ldapRole or something, documenting nsrole as deprecated.

Roles for authorization in LDAP: Yes, I admit it: I wanted to mention ACIs as an example of using nsrole for authorization, but for the sake of simplicity I deleted what I had written, because in ACIs you may use group membership too and mix both. So the names are misleading anyway: you may use roles for group definition and groups for authorization via ACIs as well.

Java-LDAP Interface: too simple, too narrow. In fact I was really surprised how bad the interface of the Sun Java App Server 7 to the Sun Directory Server 5.x is: Sun's App Server JNDIRealm isn't able to use nsroles, but Tomcat 5.x is able to do it (I haven't looked at AppServer 8). Both are very limited since they cannot use ACIs to define Java security. They even cannot look up the roles after authentication, so changes are ignored. I wrote my own security realm so Java applications can use ACIs to dynamically define authorization. But it is not integrated with the J2EE Security Manager; my Java knowledge isn't enough and maybe it isn't possible at all.

Frerk Meyer
EDEKA Aktiengesellschaft
GB Datenverarbeitung
Frerk Meyer
CC Web Technologien
New-York-Ring 6
22297 Hamburg
Tel: 040/6377 - 3272
Fax: 040/6377 - 41268
mailto:frerk.meyer at edeka.de
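As an added illustration of the point about Tomcat 5.x being able to consume nsrole (this is example configuration written for this page, not taken from the post or from any product documentation), here are two JNDIRealm definitions for a Tomcat server.xml: the first derives roles from static group entries, the second reads the virtual nsrole attribute of the authenticated user entry. Host name, base DNs, bind account and attribute names other than nsrole are assumed placeholders.

```xml
<!-- Variant A: roles from static groups (works against any LDAP server).
     Tomcat searches group entries whose member attribute contains the user DN. -->
<Realm className="org.apache.catalina.realm.JNDIRealm"
       connectionURL="ldap://ldap.example.org:389"
       connectionName="cn=tomcat-bind,ou=services,dc=example,dc=org"
       connectionPassword="PLACEHOLDER-bind-password"
       userBase="ou=people,dc=example,dc=org"
       userSearch="(uid={0})"
       userSubtree="true"
       roleBase="ou=groups,dc=example,dc=org"
       roleName="cn"
       roleSearch="(uniqueMember={0})"
       roleSubtree="true"/>

<!-- Variant B: roles from the Sun Directory Server virtual attribute nsrole.
     userRoleName names the attribute on the user entry whose values become
     J2EE role names; nsrole holds the DNs of the roles the server computed
     for that entry, so no separate group search is needed. Because the realm
     reads nsrole only at login time, later role changes in the directory are
     not seen until the user authenticates again (the limitation the post
     describes). -->
<Realm className="org.apache.catalina.realm.JNDIRealm"
       connectionURL="ldap://ldap.example.org:389"
       connectionName="cn=tomcat-bind,ou=services,dc=example,dc=org"
       connectionPassword="PLACEHOLDER-bind-password"
       userBase="ou=people,dc=example,dc=org"
       userSearch="(uid={0})"
       userSubtree="true"
       userRoleName="nsrole"/>
```

With variant B the role names handed to the web application are the full role DNs (for example cn=webadmin,dc=example,dc=org), so web.xml security-constraint role-name entries must match that DN form; the bind account also needs read access to nsrole under the server's ACIs, since a virtual attribute that the ACI hides yields an empty role set rather than an error.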