David Boreham wrote:
> Are there really large numbers of applications deployed that
> grok static groups ? I'd like to hear about them because I can't
> remember ever seeing one. Mind you I don't get out much ;)
Hmm - good question. I've been working with nsds since 1.0, and over
that time, it comes up every so often, but I couldn't give you a big
list of apps that exist now :)
One simple real-world example I run into:
- I want to create a group of people. Let's say I want this to be all
people in the engineering department, which is determined by having the
value "engineering" in the department attribute of their entry.
- I want to use that group as a mail group in Sun JES (or Netscape)
messaging server. I can create a groupofURLs style group that the
Messaging server will use to determine members of the email list, based
on an appropriate filter. As a dynamic group, it maintains itself (sort
of - I guess it's more a matter of a client that knows how to interpret
it). Messaging server also recognizes uniquemember values as members of
the list, so if that were dynamically generated, it would work in place
of groupOfUrls.
- Further, I want to set up a webpage in Apache that only the
engineering group can see. Apache doesn't deal with groupOfURL style
lists, as far as I know, so this doesn't work. (groupOfURLS being ok for
finding a list of members, but lousy for determining if a user is a
(dynamic) member of it) Nsroles would probably work for apache, but I
don't think JES/Netscape messaging supports nsroles as a means for
defining mail groups - it's not really appropriate for determining lists
of users like this.
Ignoring for the moment that JES messaging is pretty much tied to one
ldap implementation (i.e. the Sun JES Directory server), I want to use
the same group across apps, because I don't want to have to maintain 2
versions representing the same group information and possibly have them
out of sync. Also, I want to be able to send email notices related to
the engineering web page, targeted at those users that have access to
it. I _could_ define the same LDAP URL in apache for access to the web
page - i.e. ignore the group and just use the same or similar LDAP URL
that I used in the mail list for apache .htaccess files. But... if I
later change the group filter in LDAP - say I make the filter
(|(department=engineering users)(department=engineering staff)), if I
don't remember to go back and change things in apache everywhere it's
defined, I lose consistency.
Maybe the best solution would be to create a single ldap entry that is
groupOfUrls, inetMailgroup (JES mail list), and a dynamic nsrole group,
so that one entry defines the same list of users in multiple ways that
each app can find. At least having this all together means that if I
change my filter, I will see all the filters/methods in one place, so in
my above example I won't have to go find all my apache .htaccess files.
One last thing to keep in mind - nsroles and groupOfUrls is a
netscape/sun/fds schema extension. If I want to keep an app portable,
so that I can drop in openldap, FDS, AD, etc without having to go back
and change all my apps, nsroles and groupOfURL's don't work - is there a
way that is consistent across ldap implementations? With a "dynamic"
groupOfUniqueNames, this would be portable, though on other ldap
implementations, my list may have to become static if the replacement
ldap implementation can't generate it on the fly.
I guess what I am really looking for is a standardized way to define a
dynamic group that works consistently across applications (and is
"portable" across ldap implementations). groupOfUniqueNames fits this
for static groups, but there is nothing that fits this for dynamic groups.
Does that make sense? Any ideas on solutions, or am I asking too much? :)
Anyway, sorry for beating this horse to death...
- Jeff
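As an added example that is not part of this thread, the following Python resolves a groupOfURLs memberURL against a small constructed set of entries, showing the two operations Jeff contrasts: enumerating the list the way the messaging server does, and checking whether a single user DN belongs to it the way Apache would need to. The DNs, department values and memberURL strings are constructed; the membership test works by evaluating the URL's filter on the user's own entry (in a live directory, a base-scope search on the user DN with that filter) instead of listing every member.

```python
from urllib.parse import unquote
# Constructed sample entries (not from the thread): DN -> attributes, names lowercased.
DIRECTORY = {
    "uid=alice,ou=people,dc=example,dc=com": {"department": ["engineering users"]},
    "uid=bob,ou=people,dc=example,dc=com": {"department": ["engineering staff"]},
    "uid=erin,ou=people,dc=example,dc=com": {"department": ["engineering"]},
    "uid=dave,ou=contractors,dc=example,dc=com": {"department": ["engineering users"]},
}
# memberURL values for the post's original filter and its later split-department filter.
OLD_URL = "ldap:///ou=people,dc=example,dc=com??sub?(department=engineering)"
NEW_URL = ("ldap:///ou=people,dc=example,dc=com??sub?"
           "(|(department=engineering%20users)(department=engineering%20staff))")

def parse_member_url(url):
    """Split a host-less LDAP URL (RFC 4516) into (base DN, scope, filter)."""
    parts = url.partition("///")[2].split("?") + [""] * 3
    base, _attrs, scope, flt = (unquote(p) for p in parts[:4])
    return base.lower(), (scope or "base").lower(), flt or "(objectClass=*)"

def match(flt, attrs):
    """Evaluate an RFC 4515 filter (equality, presence, &, |, !) against one entry."""
    body = flt.strip()[1:-1]
    if body[0] in "&|!":
        subs, depth, start = [], 0, 1
        for i, ch in enumerate(body[1:], 1):
            depth += (ch == "(") - (ch == ")")
            if depth == 0 and ch == ")":
                subs.append(body[start:i + 1])
                start = i + 1
        results = [match(s, attrs) for s in subs]
        return not results[0] if body[0] == "!" else (all if body[0] == "&" else any)(results)
    name, _, value = body.partition("=")
    values = [v.lower() for v in attrs.get(name.lower(), [])]
    return bool(values) if value == "*" else value.lower() in values

def in_scope(dn, base, scope):
    """Check a DN against the URL's base and scope (base or sub; 'one' omitted here)."""
    dn = dn.lower()
    return dn == base if scope == "base" else (dn == base or dn.endswith("," + base))

def members(member_url, directory=DIRECTORY):
    """Enumerate the list the way a mail server would: scan every candidate entry."""
    base, scope, flt = parse_member_url(member_url)
    return sorted(dn for dn, a in directory.items() if in_scope(dn, base, scope) and match(flt, a))

def is_member(user_dn, member_url, directory=DIRECTORY):
    """Test one user the way a web server would: evaluate the filter on that entry alone."""
    base, scope, flt = parse_member_url(member_url)
    entry = directory.get(user_dn)
    return entry is not None and in_scope(user_dn, base, scope) and match(flt, entry)
```

Running `members()` with OLD_URL and then NEW_URL shows how the filter change in the post silently moves users in and out of the group, which is why keeping the filter defined in one entry matters.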
--
Fedora-directory-users mailing list
Fedora-directory-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-directory-users