On Tue, 2004-08-17 at 15:07, Quanah Gibson-Mount wrote:
> This gets off into an interesting side-bar on group memberships in general 
> though, if one ponders things like automatic addition of "memberOf" 
> attributes to DNs when they are added to groups -- What do you do if the 
> DN doesn't exist in the DB as an entry, because it is being done in this 
> method.
> --Quanah

  Quanah raises another question for me -- given projects like
Shibboleth, and the use of other hierarchical connections (such as LDAP
referrals), does anyone on this list currently place DNs from other DITs
in local groups to manage authorization when authentication takes place
  For example, if I have a group named "Library Access" which
applications at the UConn library use for authorization, (is it | will
it be) common practice for me to add a DN from another school's LDAP
server to that group when I want to share access with other schools?  I
suppose this would work best with a fully interconnected Higher-Ed
Kerberos trust fabric, and a Higher-Ed root LDAP server.  Or, will
Shibboleth provide this functionality better?

Matthew J. Smith <matt.smith@uconn.edu>
University of Connecticut ITS
PGP Key: http://web.uconn.edu/dotmatt/matt.asc

Attachment: signature.asc
Description: This is a digitally signed message part