From what I remember, that VPN server searched for the user's DN in
uniquemember to find a template entry, and the above is what it is
expecting to find. How would I set up Roles and CoS entries that
would work without changing the app (is that possible)? Can I set up
Roles/CoS that would populate the uniquemember attribute of the
vpntemplate entry? Is that searchable (if I remember correctly, early
versions of CoS didn't allow you to search on CoS-populated
attributes, later versions might have, and I'm not sure where in that
line FDS is)?

Yeah, I don't know about this. I was more interested in the semantics of the
checkpoint application behavior, which I think are easily implemented with
role-based CoS (the end result is that the user entry has the necessary VPN
cruft on it directly, with no need to indirect to the template entry at
the client end).
If an existing application can be made to simply fetch its per-user
parameters from attributes on the user's entry, then roles/CoS will work fine.
I have no idea what proportion of deployed applications can do this,
but it seems simpler and easier than indirection via a group that acts as
a template entry. I would _hope_ that an application that supports the
fancy 'indirect via a group' thing, would also support the very simple
'read some attribute values from the user's entry' model too.
Whether or not that's a reasonable thing to hope for, I'm not sure
these days.
Just to be clear: I don't expect (nor require) that there are any
applications that 'support' roles. All the applications need to do
is to support regular LDAP attributes on the user entries.
--
Fedora-directory-users mailing list
Fedora-directory-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-directory-users
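
The role-based CoS arrangement the reply describes, written as LDIF for Fedora Directory Server. This is an added example, not part of the original thread; the DNs, the role name and the `vpnProfile` attribute are assumptions, since the thread does not name the VPN attributes.

```ldif
# Added example; every DN, the role name and the vpnProfile attribute are
# placeholders. vpnProfile stands for whatever attribute the VPN gateway
# reads and must already exist in the server schema.

# 1. Managed role: membership is the nsRoleDN value on the user entry.
dn: cn=VPNUsers,ou=People,dc=example,dc=com
changetype: add
objectClass: top
objectClass: LDAPsubentry
objectClass: nsRoleDefinition
objectClass: nsSimpleRoleDefinition
objectClass: nsManagedRoleDefinition
cn: VPNUsers

# 2. Classic CoS definition: choose a template by the entry's nsRole value.
#    "override" makes the CoS value win over a value stored on the user
#    entry, so a user cannot pick a profile by editing their own entry.
dn: cn=vpnCoS,ou=People,dc=example,dc=com
changetype: add
objectClass: top
objectClass: LDAPsubentry
objectClass: cosSuperDefinition
objectClass: cosClassicDefinition
cn: vpnCoS
cosTemplateDn: cn=vpnCoS,ou=People,dc=example,dc=com
cosSpecifier: nsRole
cosAttribute: vpnProfile override

# 3. Template for the role: its RDN is the role DN, quoted.
dn: cn="cn=VPNUsers,ou=People,dc=example,dc=com",cn=vpnCoS,ou=People,dc=example,dc=com
changetype: add
objectClass: top
objectClass: extensibleObject
objectClass: cosTemplate
cn: cn=VPNUsers,ou=People,dc=example,dc=com
vpnProfile: standard-remote-access

# 4. Put a user in the role; vpnProfile then appears on the user entry.
dn: uid=jdoe,ou=People,dc=example,dc=com
changetype: modify
add: nsRoleDN
nsRoleDN: cn=VPNUsers,ou=People,dc=example,dc=com
```

With this layout, write access to `nsRoleDN` decides who receives the VPN parameters, so the ACIs on that attribute need the same care that membership of the template group would.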