[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: [ldapext] Summary of group discussion

To: Andrew Findlay <andrew.findlay@skills-1st.co.uk>
Subject: Re: [ldapext] Summary of group discussion
From: Howard Chu <hyc@highlandsun.com>
Date: Mon, 24 Sep 2007 19:01:53 -0700
Cc: LDAP Extensions list <ldapext@ietf.org>
In-reply-to: <20070924194342.GA9926@tile.skills-1st.co.uk>
References: <20070924194342.GA9926@tile.skills-1st.co.uk>
User-agent: Mozilla/5.0 (X11; U; Linux i686; rv:1.9a8pre) Gecko/2007091708 SeaMonkey/2.0a1pre

Andrew Findlay wrote:

It seems to me that we now have these threads of development:

1)	A new structural group class that can represent empty groups.
	This could go forward with the existing ambiguous member
	attribute or it could become the basis of a group
	representation with more carefully defined semantics using
	directMember.

2)	A new auxiliary class and one or more attributes to represent
	groups that may contain other groups. For this to make much
	sense it would require the well-defined version of (1).
	
	In (1) and (2) I see the definitions of the attributes being
	the key, and would avoid requiring the use of the object
	classes to obtain the defined semantics.

I think you should avoid dwelling on this last point. It just confuses the issue. It seems certain that we're defining new attributes, and therefore at least a new objectclass is needed to make use of them. Also the notion of placing all the semantics solely in the attribute begs the question "is a group with no members no longer a group?" (Yes, it's a silly question, but it can be easily avoided by not focusing too much on the attribute.)

3)	A new control or extended operation so that a client can ask
	the server to do the heavy lifting involved with nested
	groups.

4)	A new server-maintained attribute called memberOf to give an
	alternative way for clients to ask for membership information.
	AD already has such an attribute, and Pierangelo Masarati
	recently proposed one for OpenLDAP so there may be useful
	existing work to build on.


Pierangelo's code is already released in OpenLDAP 2.4.5.

5)	A document explaining why groupOfUniqueNames,
	uniqueMember and nameAndOptionalUID are bad, possibly leading
	to them being deprecated in the next revision of the core LDAP
	standards.


I'll write this up.

--
  -- Howard Chu
  Chief Architect, Symas Corp.  http://www.symas.com
  Director, Highland Sun        http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP     http://www.openldap.org/project/

_______________________________________________
Ldapext mailing list
Ldapext@ietf.org
https://www1.ietf.org/mailman/listinfo/ldapext

Follow-Ups:
- Re: [ldapext] Summary of group discussion
  - From: Ludovic Poitou <Ludovic.Poitou@Sun.COM>
- Re: [ldapext] Summary of group discussion
  - From: Gavin Henry <ghenry@suretecsystems.com>

References:
- [ldapext] Summary of group discussion
  - From: Andrew Findlay <andrew.findlay@skills-1st.co.uk>

Prev by Date: Re: [ldapext] Nested group
Next by Date: [ldapext] X.509, RFC4523, RFC3641, big Ints
Index(es):
- Chronological
- Thread