[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: [ldapext] Nested group (was: groupOfEntries object class proposal)

To: "Liben, Michael (GTI)" <michael_liben@ml.com>
Subject: Re: [ldapext] Nested group (was: groupOfEntries object class proposal)
From: Andrew Findlay <andrew.findlay@skills-1st.co.uk>
Date: Wed, 19 Sep 2007 19:01:27 +0100
Cc: LDAP Extensions list <ldapext@ietf.org>
Content-disposition: inline
In-reply-to: <DD9F4CC53AE89944A5C825781D5E3090044982@MLNYC727MB.amrs.win.ml.com>
References: <1190220132.31971.147.camel@localhost.localdomain> <DD9F4CC53AE89944A5C825781D5E3090044982@MLNYC727MB.amrs.win.ml.com>
User-agent: Mutt/1.5.13 (2006-08-11)

On Wed, Sep 19, 2007 at 01:07:13PM -0400, Liben, Michael (GTI) wrote:

> This anticipates a reliable mechanism that ensures direct members
> are not added to the nestedGroups attribute and that nested groups are
> not inadvertently added to the member attribute.

I don't think there needs to be any server-side control on that. There
are many cases in LDAP where the protocol and schema allow the client
to do 'silly' things. If we try to tie things down too hard there is
no room for flexibility. A designer can choose to use ACLs or
structure definitions to apply some measure of control, or can rely on
'business logic' in the update process to do so.

> How would the server respond if an object is included in both attributes?

OK, suppose we have a group A containing nestedGroup B and members B
and C.  B is itself a group containing members D and E.

If server-side nesting/expansion is *not* requested then there is no
issue: it is up the client to interpret the data (though it would be
good to define the algorithm so that client and server get the same
results!).

If server-side support *is* requested, then:

Group expansion of A results in a list of member attributes:
	B C D E

It so happens that one of those DNs is a group. The others could be
anything. I see no problem here.

Now, if C is added to group B as a member, the expansion will find C
twice. The server should suppress the duplicate.

Andrew
-- 
-----------------------------------------------------------------------
|                 From Andrew Findlay, Skills 1st Ltd                 |
| Consultant in large-scale systems, networks, and directory services |
|     http://www.skills-1st.co.uk/                +44 1628 782565     |
-----------------------------------------------------------------------

_______________________________________________
Ldapext mailing list
Ldapext@ietf.org
https://www1.ietf.org/mailman/listinfo/ldapext

Follow-Ups:
- Re: [ldapext] Nested group (was: groupOfEntries object class proposal)
  - From: simo <idra@samba.org>

References:
- Re: [ldapext] Nested group (was: groupOfEntries object class proposal)
  - From: simo <idra@samba.org>
- RE: [ldapext] Nested group (was: groupOfEntries object class proposal)
  - From: "Liben, Michael \(GTI\)" <michael_liben@ml.com>

Prev by Date: Re: [ldapext] Nested group (was: groupOfEntries object class proposal)
Next by Date: Re: [ldapext] Nested group (was: groupOfEntries object class proposal)
Index(es):
- Chronological
- Thread