
Re: [ldapext] Dynamic group draft



Howard,
thanks for the comments.  I couldn't locate any documents on the OpenLDAP
implementation of dynamic groups.  I would appreciate it if you could
forward any reference to this.

Howard Chu wrote:
> Why did you feel it was necessary to define a new "memberQueryURL"
> attribute that is essentially identical in meaning to memberURL?
One reason is the extensibility of the attribute value.  As I remember,
memberURL can only contain a base, scope and the search filter.  The
searches are limited to the same LDAP server.  The memberQueryURL
attribute can contain an additional x-chain extension.  The LDAP server
will chain the request in a distributed environment if this extension is
present.
> There are some obvious errors in this document, you list the
> uniqueMember attribute with OID 2.5.4.32 inheriting from
> distinguishedName, but 2.5.4.32 is actually the owner attribute.
> uniqueMember is 2.5.4.50 and cannot inherit from distinguishedName
> since it is of NameAndOptionalUUID syntax, not distinguishedName syntax.
Thanks for pointing this out.  I will correct them.
> There's a lack of symmetry here - "excludedMember" is used for both
> member and uniqueMember but it shouldn't be since the two syntaxes are
> not the same. You need an excludedUniqueMember attribute to provide
> the relevant functionality.
excludedMember is a list of DNs that need to be excluded from the
returned result set.  This disparity was caused because the original
implementation returned both the dynamic and static member lists as
"member".  However, do you really see a need for two attributes?

Thanks
--jaimon
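
The following is an added example, not part of the original message and not code from the draft or from OpenLDAP. It parses a group URL into base, scope, filter and extensions, and reports whether evaluating it would leave the local server. It assumes memberQueryURL values follow the RFC 4516 LDAP URL layout with x-chain in the extensions field (the draft's exact syntax is not shown in this thread), and the sample URLs are constructed.

```python
from urllib.parse import unquote

# Assumption: x-chain is the only extension this evaluator understands.
SUPPORTED_EXTENSIONS = {"x-chain"}
SCOPES = {"base", "one", "sub"}

def parse_group_url(value):
    """Parse an RFC 4516 LDAP URL: ldap://host/dn?attrs?scope?filter?extensions."""
    scheme, sep, rest = value.partition("://")
    if not sep or scheme.lower() not in ("ldap", "ldaps"):
        raise ValueError("not an LDAP URL")
    host, _, tail = rest.partition("/")
    fields = tail.split("?")
    if len(fields) > 5:
        raise ValueError("too many '?' fields; a literal '?' must be percent-encoded")
    dn, _attrs, scope, flt, exts = fields + [""] * (5 - len(fields))
    scope = scope.lower() or "base"          # RFC 4516 default scope
    if scope not in SCOPES:
        raise ValueError("unknown scope %r" % scope)
    extensions = {}
    for item in filter(None, exts.split(",")):
        critical = item.startswith("!")      # "!" marks a critical extension
        name, _, val = (item[1:] if critical else item).partition("=")
        name = unquote(name).lower()
        # A critical extension that is not understood means the URL must not be processed.
        if critical and name not in SUPPORTED_EXTENSIONS:
            raise ValueError("unsupported critical extension %r" % name)
        extensions[name] = unquote(val)
    return {
        "host": host, "base": unquote(dn), "scope": scope,
        "filter": unquote(flt) or "(objectClass=*)",
        "extensions": extensions,
        "chained": "x-chain" in extensions,  # search may be sent to another server
    }

# Constructed sample values, not taken from the draft.
SAMPLES = [
    "ldap:///ou=people,dc=example,dc=com??sub?(departmentNumber=42)",
    "ldap:///ou=people,dc=example,dc=com??sub?(departmentNumber=42)?x-chain",
    "ldap:///ou=people,dc=example,dc=com??one?(cn=a%3Fb)?!x-unknown=1",
]

if __name__ == "__main__":
    for url in SAMPLES:
        try:
            r = parse_group_url(url)
            print("chained" if r["chained"] else "local  ", r["scope"], r["base"], r["filter"])
        except ValueError as err:
            print("rejected:", err)
```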

