Re: [ldapext] Summary of group discussion
Pete Rowley wrote, On 09/27/2007 02:43 AM:
> I think the memberOf (or isMemberOf) attribute should be regarded as
> authoritative as to membership - that is, if the server recognizes a
> particular class as a group then it should include the DNs of
> those entries it considers to be the set of members in the value set -
> this is so that clients can free themselves from deep knowledge of
> grouping mechanics. For group types that can be nested this would also
> include derived membership, but I believe that is a matter between the
> group types specification document and the implementation.
I think there should be a way to read direct membership and membership
through nested group hierarchy. There is already a proposal to have a
control or extension to achieve this. This functionality will be
required for management consoles to efficiently display member DNs
(non-group) and member groups. At the same time, having a separate
attribute to hold member groups will be more convenient to implement
from both client and server perspective.
While I agree that loop detection while evaluating nested groups is a
server implementation detail, how about duplicate value elimination?
Should the standard say anything about this?
--jaimon
_______________________________________________
Ldapext mailing list
Ldapext@ietf.org
https://www1.ietf.org/mailman/listinfo/ldapext
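
The points raised in this message (direct versus nested membership, loop detection, duplicate value elimination), shown as an added example that is not part of the original post or of any LDAP server's code. The directory contents, the `norm` and `expand` names, and the simplified DN normalization are assumptions made for illustration.

```python
# Added example: constructed in-memory directory, not a real LDAP server.
from collections import deque

def norm(dn):
    # Simplified DN normalization (assumption): lowercase and trim spaces
    # around RDN separators. Real servers apply distinguishedNameMatch.
    return ",".join(part.strip() for part in dn.lower().split(","))

# Constructed sample data: group DN -> list of member DNs.
GROUPS = {
    "cn=admins,ou=groups,dc=example,dc=com": [
        "uid=alice,ou=people,dc=example,dc=com",
        "cn=ops,ou=groups,dc=example,dc=com",          # nested group
    ],
    "cn=ops,ou=groups,dc=example,dc=com": [
        "uid=bob,ou=people,dc=example,dc=com",
        "UID=Alice, ou=People, dc=example, dc=com",    # same entry, second path
        "cn=admins,ou=groups,dc=example,dc=com",       # loop back to the parent
    ],
}

def expand(groups, group_dn):
    """Return (direct_members, member_groups, all_members) for group_dn.

    direct_members: non-group DNs listed on the group itself.
    member_groups:  every group reachable through nesting (root excluded).
    all_members:    non-group DNs, direct and derived, without duplicates.
    """
    table = {norm(dn): [norm(m) for m in ms] for dn, ms in groups.items()}
    root = norm(group_dn)
    if root not in table:
        raise KeyError(group_dn)
    direct = sorted({m for m in table[root] if m not in table})
    seen_groups = {root}          # loop detection: each group is expanded once
    all_members = set()           # a set eliminates duplicate values
    queue = deque([root])
    while queue:
        for m in table[queue.popleft()]:
            if m in table:
                if m not in seen_groups:
                    seen_groups.add(m)
                    queue.append(m)
            else:
                all_members.add(m)
    return direct, sorted(seen_groups - {root}), sorted(all_members)
```

Without the `seen_groups` check the admins/ops cycle would never terminate, and without normalization before the set insert the two spellings of alice's DN would be returned as distinct members.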