jclowser@xxxxxxxxxxxxxxxxxxx wrote:
> Sorry for rambling on for so long over so many messages about all this
> :-)

No, this is good stuff. It'd be nice to finally nail this. Only been working
on it for 8 years ;)
Now, when roles (and to an extent cos) were originally conceived,
one thing I did was ask "if I were an application writer and I wanted
to use the DS to decide to allow or not allow someone to do something,
how would I want to do that?". To be honest, I never thought the
answer would be "I'd like to test to see if the entry is a member of
a static group". I was thinking more of trying to keep the application
logic very simple (and also assuming that there weren't many applications
that existed in the wild that I needed to worry about being compatible
with).
Instead, the idea I had was to require that the application instead simply
read attribute(s) on the user's entry, and do what it needs to do based on
their values. For example the VPN app would read an attribute called
'allowVPNAccess', and if it had the value 'true', then it would allow
the user access.
Everything else kind of followed from that original concept.
I guess also the problem I was trying to solve was that to
a first approximation no applications had decent LDAP support
at that time (not even Netscape applications).
So a feature that made the implementation hurdle for the app
developer to add LDAP support lower seemed like a good idea.
Perhaps that was a mistake. Anyway, just to give you some insight
into how this stuff came into being.
--
Fedora-directory-users mailing list
Fedora-directory-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-directory-users