Re: [ldapext] Nested group (was: groupOfEntries object class proposal)

[Michael Ströder <michael@stroeder.com>]

simo wrote:
> On Wed, 2007-09-19 at 19:01 +0100, Andrew Findlay wrote:
>> On Wed, Sep 19, 2007 at 01:07:13PM -0400, Liben, Michael (GTI) wrote:
>>
>>> This anticipates a reliable mechanism that ensures direct members
>>> are not added to the nestedGroups attribute and that nested groups are
>>> not inadvertently added to the member attribute.
>> I don't think there needs to be any server-side control on that. There
>> are many cases in LDAP where the protocol and schema allow the client
>> to do 'silly' things. If we try to tie things down too hard there is
>> no room for flexibility. A designer can choose to use ACLs or
>> structure definitions to apply some measure of control, or can rely on
>> 'business logic' in the update process to do so.
> 
> The problem is that you have a generic "DN" container that is given
> specific semanthics. IE nestedGroupObject is supposed to contain only
> entries that have groupOfEntries as its STRUCTURAL class, but you do not
> enforce it. So it may contain anything. Same for member.
> 
> This just means clients have to cope with bad entries.
> 
> I think that the problem is caused by artificial separation of members
> in 2 classes.

NACK. Looking at the constraint enforcing in some server implementations
I'd guess having two separate attributes makes it easier to define and
enforce such constraints.

Ciao, Michael.

_______________________________________________
Ldapext mailing list
Ldapext@ietf.org
https://www1.ietf.org/mailman/listinfo/ldapext