[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: [ldapext] Summary of group discussion

To: jjaimon@novell.com
Subject: Re: [ldapext] Summary of group discussion
From: Pete Rowley <prowley@redhat.com>
Date: Fri, 28 Sep 2007 10:38:11 -0700
Cc: LDAP Extensions list <ldapext@ietf.org>, Andrew Findlay <andrew.findlay@skills-1st.co.uk>
In-reply-to: <46FCCD1E.1040602@novell.com>
References: <20070924194342.GA9926@tile.skills-1st.co.uk> <46FA65A4.6080700@novell.com> <46FACB77.1070307@redhat.com> <46FB70A6.1080900@novell.com> <46FBFADF.1050702@redhat.com> <46FCCD1E.1040602@novell.com>
User-agent: Thunderbird 1.5.0.9 (X11/20061215)

Jaimon Jose wrote:

Pete Rowley wrote, On 09/28/2007 12:17 AM:
Jaimon Jose wrote:
Pete Rowley wrote, On 09/27/2007 02:43 AM:
I think the memberOf (or isMemberOf) attribute should be regarded as authoritative as to membership - that is, if the server recognizes a particular class as a group then it should should include the DNs of those entries it considers to be the set of members in the value set - this is so that clients can free themselves from deep knowledge of grouping mechanics. For group types that can be nested this would also include derived membership, but I believe that is a matter between the group types specification document and the implementation.
I think there should be a way to read direct membership and membership through nested group hierarchy.
What purpose would this have in a member entry?
This is from an administrative perspective.  Our experience in
implementing dynamic groups and nested groups (yet to be released
eDirectory 8.8.2) in eDirectory is that, Administrators always wanted to
know how an entry becomes member of a group.  They also wanted to know
the direct(static) members of a group and members through nested or
dynamic relationship.  This is because, the hierarchy can be pretty
complex in a deeply nested scenario and administrators will not know who
 gets rights when they make a group as a trustee of an object.

OK. It seems like this would be useful even for management client thats don't fully understand all grouping mechanics.


Clients need not know about this when they just read "member" attribute.
 The server implementation should be such that, unless the request
accompany a control or extension, the result set should contain direct
members and members of the groupMember (member DN of type group - nested
or dynamic) .

I prefer more attributes to controls (they are generally more universally compatible), but I wonder if there isn't a case here for using a control that allows the client to follow the chain of membership i.e. ask the question of any group entry "how does this group come to call this member a member?", the answer for which is either it doesn't, by direct inclusion, or through this list of DN's of other group entries (and perhaps a combination of the last two).


--
Pete

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature

_______________________________________________
Ldapext mailing list
Ldapext@ietf.org
https://www1.ietf.org/mailman/listinfo/ldapext

References:
- [ldapext] Summary of group discussion
  - From: Andrew Findlay <andrew.findlay@skills-1st.co.uk>
- Re: [ldapext] Summary of group discussion
  - From: Jaimon Jose <jjaimon@novell.com>
- Re: [ldapext] Summary of group discussion
  - From: Pete Rowley <prowley@redhat.com>
- Re: [ldapext] Summary of group discussion
  - From: Jaimon Jose <jjaimon@novell.com>
- Re: [ldapext] Summary of group discussion
  - From: Pete Rowley <prowley@redhat.com>
- Re: [ldapext] Summary of group discussion
  - From: Jaimon Jose <jjaimon@novell.com>

Prev by Date: Re: [ldapext] Summary of group discussion
Next by Date: Re: [ldapext] Summary of group discussion
Index(es):
- Chronological
- Thread