Re: [Fedora-directory-users] Ideas for fds

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

jclowser@xxxxxxxxxxxxxxxxxxx wrote:
One of those things I always had a love/hate relationship with in the Netscape/Sun directory server was dynamic lists.
Loved 'em because you could create email lists and aci groups that were self maintaining based on ldap filter criteria.
Hated 'em because no third party app's knew how to use them - most apps see groups as groupofmembers or groupofuniquemembers with a list of dn's in member/uniquemember.
It would be nice to have a dynamic group like Netscape's groupOfUrls (i.e. an ldap url defines members), but have the members returned to clients as uniquemembers of the group. In this way, you could create dynamic groups that are much more useful. 

For example, if I created:

cn: hr users
objectclass: top
objectclass: groupofuniquenames
objectclass; groupofurls
memberurl: ldap:///<basedn>??sub?(department=hr)
...
and did a search to retrieve it, the people that match the memberurl would be returned dynamically as uniquemember values. 

Issues I see with this:
1. Server load - if I have a lot of these groups and do a search that returns all groupofurl entries, it could take a lot of resources to generate that dynamically. 2. Assuming this is inherited from groupofuniquenames, what happens if I add static members to uniquemember? I would say return the merged list. How do we know if a value is static or dynamic, to do things like removing a static member? We don't, but this is similar to the issues using class of service where attributes are dynamically added. (Actually, would it be possible to implement this using class of service? Hmmm...) 

I think that you've (re)-invented 'filtered roles'.

They've been supported in the server since 1999 or so.

Your second point above I believe is covered by nested roles.

Roles (deliberately) don't use the same schema as static groups,
so the same problem you mentioned that apps don't support them
applies still. They use the 'nsRole' attribute.






--
Fedora-directory-users mailing list
Fedora-directory-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-directory-users
[Index of Archives]     [Fedora Directory Users]     [Fedora Directory Devel]     [Fedora Announce]     [Fedora Legacy Announce]     [Kernel]     [Fedora Legacy]     [Share Photos]     [Fedora Desktop]     [PAM]     [Red Hat Watch]     [Red Hat Development]     [Big List of Linux Books]     [Gimp]     [Yosemite News]

  Powered by Linux