
Re: Dynamic Groups



Well, I haven't read through Jeff's reference in its entirety so the
answer may be contained therein.  What I got from Google before I posted
this request is that you essentially use attributes to define the
various 'groupings' and then use a search filter contained in an LDAP
URL to find all entries that have that attribute, thereby deriving the
contents of the 'group'.  Since the attribute is local to the individual
entry, and potentially it was valued and is maintained by an automated
process, the addition or removal of that entry's 'group' attribute seems
to provide its dynamic status.

So my question now morphs into many.  Do I understand dynamic groupings
correctly?  If so, is the concept a standard, a proposed standard, or a
proprietary idea implemented by a few vendors?  Won't LDAP eventually
run into a hard limitation, or a performance limitation, using
attribute-based 'dynamic groups' as I described above due to the large
number of attributes that could potentially end up in a single entry?
The direction I'm heading in here is the possibility of using dynamic
groups as a form of role-based access control.

Tod

Quanah Gibson-Mount wrote:

> --On Wednesday, May 28, 2003 10:24 AM -0700 Jeff Costlow <j.costlow@f5.com> wrote:
>
> > I don't know what iPlanet is doing, but this document has some good
> > stuff in it.
> > http://middleware.internet2.edu/dir/groups/draft-internet2-mace-dir-groups-best-practices-01.html
>
> Interestingly enough, I wrote a note to OpenLDAP-software just a few days
> ago myself asking if it is possible to use dynamic groups in OpenLDAP-2.1.
> I've gotten 0 responses saying anything either way.  I'm not convinced you
> can't, but I'm not convinced you can, either.
>
> --Quanah
>
> --
> Quanah Gibson-Mount
> Senior Systems Administrator
> ITSS/TSS/Computing Systems
> Stanford University
> GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
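
The mechanism described in the message above, as an added example that is not part of the original thread or of any LDAP server's code: a group is stored only as an LDAP URL, and its members are whatever entries match the URL's base, scope and filter at query time. The `o=example` directory, the use of `businessCategory` and `employeeType` as role markers, and the function names are assumptions made for illustration; only `base`/`sub` scopes and the `&`, `|`, `!`, equality and presence filter forms are handled.

```python
from urllib.parse import unquote

def parse_ldap_url(url):  # ldap://host/base?attrs?scope?filter -> (base, scope, filter)
    scheme, sep, rest = url.partition("://")
    if not sep or scheme.lower() not in ("ldap", "ldaps"):
        raise ValueError("not an LDAP URL: %r" % url)
    base, _attrs, scope, flt = map(unquote, (rest.partition("/")[2].split("?") + [""] * 3)[:4])
    return base.lower(), scope.lower() or "base", flt or "(objectClass=*)"

def parse_filter(s, i=0):  # filter subset: & | ! equality presence -> (node, next_index)
    if s[i:i + 1] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    if s[i:i + 1] in ("&", "|", "!"):
        op, kids, i = s[i], [], i + 1
        while s[i:i + 1] == "(":
            kid, i = parse_filter(s, i)
            kids.append(kid)
        if s[i:i + 1] != ")" or not kids or (op == "!" and len(kids) > 1):
            raise ValueError("malformed filter near offset %d" % i)
        return (op, kids), i + 1
    end = s.index(")", i)  # raises ValueError when the closing paren is missing
    attr, _, val = s[i:end].partition("=")
    return ("=", attr.lower(), val), end + 1

def matches(node, entry):
    if node[0] in ("&", "|"):
        return (all if node[0] == "&" else any)(matches(k, entry) for k in node[1])
    if node[0] == "!":
        return not matches(node[1][0], entry)
    values = entry.get(node[1], [])
    return bool(values) if node[2] == "*" else node[2].lower() in [v.lower() for v in values]

def members(member_url, directory):  # membership is computed at query time, never stored
    base, scope, flt = parse_ldap_url(member_url)
    node, end = parse_filter(flt)
    if end != len(flt) or scope not in ("base", "sub"):
        raise ValueError("unsupported scope or trailing data in filter")
    def in_scope(dn):  # naive DN comparison: assumes no escaped commas
        return dn == base or (scope == "sub" and dn.endswith("," + base))
    return sorted(dn for dn, e in directory.items() if in_scope(dn.lower()) and matches(node, e))

DIRECTORY = {  # constructed sample entries; attribute names stored lower-cased
    "uid=alice,ou=people,o=example": {"businesscategory": ["helpdesk", "oncall"]},
    "uid=bob,ou=people,o=example": {"businesscategory": ["helpdesk"], "employeetype": ["contractor"]},
    "uid=dave,ou=services,o=example": {"businesscategory": ["helpdesk"]},
}
HELPDESK_URL = ("ldap:///ou=people,o=example??sub?"  # constructed group-defining URL
                "(&(businessCategory=helpdesk)(!(employeeType=contractor)))")
```

With this sample data `members(HELPDESK_URL, DIRECTORY)` yields only alice. If such a group backs an access-control decision, write access to the attributes named in the filter is effectively the right to change group membership, so those attributes need the same protection a static member list would get.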