Pete Rowley wrote, On 09/28/2007 12:17 AM:OK. It seems like this would be useful even for management client thats don't fully understand all grouping mechanics.
Jaimon Jose wrote:
Pete Rowley wrote, On 09/27/2007 02:43 AM:What purpose would this have in a member entry?
I think the memberOf (or isMemberOf) attribute should be regarded asI think there should be a way to read direct membership and membership
authoritative as to membership - that is, if the server recognizes a
particular class as a group then it should should include the DNs of
those entries it considers to be the set of members in the value set -
this is so that clients can free themselves from deep knowledge of
grouping mechanics. For group types that can be nested this would also
include derived membership, but I believe that is a matter between the
group types specification document and the implementation.
through nested group hierarchy.
This is from an administrative perspective. Our experience in implementing dynamic groups and nested groups (yet to be released eDirectory 8.8.2) in eDirectory is that, Administrators always wanted to know how an entry becomes member of a group. They also wanted to know the direct(static) members of a group and members through nested or dynamic relationship. This is because, the hierarchy can be pretty complex in a deeply nested scenario and administrators will not know who gets rights when they make a group as a trustee of an object.
I prefer more attributes to controls (they are generally more universally compatible), but I wonder if there isn't a case here for using a control that allows the client to follow the chain of membership i.e. ask the question of any group entry "how does this group come to call this member a member?", the answer for which is either it doesn't, by direct inclusion, or through this list of DN's of other group entries (and perhaps a combination of the last two).
Clients need not know about this when they just read "member" attribute. The server implementation should be such that, unless the request accompany a control or extension, the result set should contain direct members and members of the groupMember (member DN of type group - nested or dynamic) .
-- Pete
Attachment:
smime.p7s
Description: S/MIME Cryptographic Signature
_______________________________________________ Ldapext mailing list Ldapext@ietf.org https://www1.ietf.org/mailman/listinfo/ldapext