> From: "Clowser, Jeff (Contractor)" <jeff_clowser fanniemae com>
> Date: Fri, 14 Sep 2007 14:58:53 -0400

> I have a question about capabilities in the Fedora/RH Directory server:
>
> First, can it do dynamic groups as Novell eDirectory does (or is there any
> effort to add this):
> http://support.novell.com/techcenter/articles/ana20020405.html

Just fyi, the Novell guys have also published this spec as an Internet Draft.
http://tools.ietf.org/html/draft-haripriya-dynamicgroup-02

The spec is full of flaws, however, as discussed here:
http://www.openldap.org/lists/ietf-ldapext/200702/threads.html

If this approach to dynamic groups is of interest to you, you should probably
get involved in the discussion and give some feedback.

> Basically, it's similar to the groupofURL's that is supported by the RH/Sun
> directory server, but when the group is retrieved, dn's for entries that
> match the ldap url dynamic criteria is returned added to the uniquemember
> attribute, and you can do searches/compares on the uniquemember attribute
> that includes dynamic members.

Note that uniqueMember is a useless attribute in LDAP. Likewise the
NameAndOptionalUID syntax (which is the syntax of uniqueMember) is totally
misused in LDAP and should be avoided by modern software.

> I realise there are some significant performance considerations with this,
> but for modest use, it would really be useful. (FWIW, I asked a similar
> question when FDS first was released, but didn't have another product to
> point to as a comparable implementation at the time. Haven't looked at FDS
> for a while, so I'm hoping some things might have changed :) )

As a footnote, OpenLDAP supports some of the less controversial features of
dynamic groups and has for quite some time already...

--
  -- Howard Chu
  Chief Architect, Symas Corp.  http://www.symas.com
  Director, Highland Sun        http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP     http://www.openldap.org/project/
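
An added illustration, not part of either message in this thread: client-side expansion of a groupOfURLs entry's memberURL values, which is the result the server-side approach in the question would fold into the group on retrieval. The directory contents, the group entry and the function names are constructed, and DN and value comparison are simplified to case-insensitive string matching.

```python
import re
from urllib.parse import unquote

# Constructed sample data (not from the thread): DN -> attributes.
DIRECTORY = {
    "uid=alice,ou=people,dc=example,dc=com": {"departmentNumber": ["42"]},
    "uid=bob,ou=people,dc=example,dc=com": {"departmentNumber": ["7"]},
    "uid=carol,ou=contractors,dc=example,dc=com": {"departmentNumber": ["42"]},
}
GROUP = {"objectClass": ["groupOfURLs"], "memberURL": [
    "ldap:///ou=people,dc=example,dc=com??sub?(departmentNumber=42)"]}

def parse_member_url(url):
    """Split a host-less LDAP URL (RFC 4516) into (base, scope, filter)."""
    if not url.lower().startswith("ldap:///"):
        raise ValueError("expected an ldap:/// URL: " + url)
    parts = url[len("ldap:///"):].split("?") + [""] * 3
    base, _attrs, scope, flt = (unquote(p) for p in parts[:4])
    return base, (scope or "base").lower(), flt or "(objectClass=*)"

def matches(flt, attrs):
    """Evaluate (attr=value), (attr=*) and a flat (&...) of those; anything
    else raises, so an unsupported filter never silently grants membership."""
    if re.fullmatch(r"\(&(\([^()]*\))+\)", flt):
        return all(matches(f, attrs) for f in re.findall(r"\([^()]*\)", flt))
    m = re.fullmatch(r"\(([A-Za-z][A-Za-z0-9-]*)=(\*|[^()*\\]+)\)", flt)
    if not m:
        raise ValueError("unsupported filter: " + flt)
    attr, value = m.group(1).lower(), m.group(2).lower()
    values = [v.lower() for k, vs in attrs.items() if k.lower() == attr for v in vs]
    return bool(values) if value == "*" else value in values

def in_scope(dn, base, scope):
    """Naive DN comparison; assumes a non-empty base and no escaped commas."""
    dn, base = dn.lower(), base.lower()
    if scope == "base":
        return dn == base
    if scope == "one":
        return dn.partition(",")[2] == base
    return dn == base or dn.endswith("," + base)

def expand_group(group, directory):
    """Return the DNs a dynamic expansion of memberURL would report."""
    members = set()
    for url in group.get("memberURL", []):
        base, scope, flt = parse_member_url(url)
        members |= {dn for dn, attrs in directory.items()
                    if in_scope(dn, base, scope) and matches(flt, attrs)}
    return sorted(members)
```

Membership here is recomputed from entry attributes on every call, so whoever can write `departmentNumber` on an entry under the search base can effectively change the group.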