Thanks, that was an interesting analysis.
Instead some kind of LDAP-Proxy-Super-Adapter comes to my mind: it would
use and understand all those variations of groups and present them to an
application as being a classical static group. It would be very
configurable in every aspect.
I believe this is what was called the 'policy server'.
Problem is that AFAIK nobody has built a generally useful one.
Otherwise I'm afraid too much of application logic moves into the directory
server like PL/SQL only for LDAP.
True. There are two (valid) reasons for stored procedures: 1) ensure
data integrity 2) performance. Both these apply to the LDAP DS scenario
too.
So it's a two-sided thing: offload too much to an intermediary LDAP
client and performance will suffer, plus applications that do not use
the intermediary now have the problem of maintaining consistency with it.
The doomsday scenario of a full-blown policy language inside the DS
is certainly scary. All the proposals being discussed here are very simple
by comparison (and sometimes too simple of course).
--
Fedora-directory-users mailing list
Fedora-directory-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-directory-users