> One of the drawbacks of groups is that they do not apply to the
> sub-tree - makes it difficult in general to replicate them.
> Roles/CoS are scoped along with the data they apply to, so they
> go along with replication quite easily.
>
> Yep.You're talking about the drawbacks concerning the difficulty of the
> code development. But for us the sub-tree application that was an essential
> limitation of Roles - we couldn't use it to make the same thing as memberof,
> that's why i was looking forward eagerly for the memberof plugin...
>
Do you want to do something like this
dc=example,dc=com
+ou=people
+ou=roles
++cn=my role
And have cn=my role be a role that applies to users under ou=people? e.g.
by adding a roleSubtree: ou=people,dc=example,dc=com to the role definition?
Yes. An attribute like that is already a good step forward that would permit
to organise the roles in the way that is independent of the sub-trees to
which they are applied.
For example, automatic generation of a virtual attribute describing the
location (or type) of the person by applying regex to his/her
telephoneNumber (first n digits). But then again you are right about
indexing and filters with these attributes... Another example: in our
production environment we have a "ou" attribute containing the DNs of the
units where the person belongs. It would be nice to convert it automatically
to an attribute "displayOu" with slashes instead of ",ou=":
ou: ou=lpp,ou=lab,ou=dgar,ou=dg,ou=organisation,dc=example,dc=com
displayOu: LPP/LAB/DGAR/DG
Today we are using scripts. This type of attribute conversion can easily be
made inside an application if you write it internally, otherwise one needs
to add this type of "converted" attributes...
Ok. So something like CoS, but with a couple of additional attributes:
cosDestinationAttribute - grab the value from cosAttribute, but write
to
this attribute instead
cosRegex - apply this regex to the value e.g.
cosAttribute: ou
cosDestinationAttribute: displayOu
cosRegex: s|ou=(\S)+,ou=(\S)+,ou=(\S+),ou=(\S+)|\1/\2/\3/\4/|
Yes, something like that.
It would be difficult to create indexes on these (e.g. if you wanted to do
searches like (displayOu=LPP/*)
Exactly. That why i have told that it is not a high-order priority for us
but it would be a nice feature in one of the future versions...
Something like that would be useful for posix homeDirectory too
cosAttribute: uid
cosDestinationAttribute: homeDirectory
cosRegex: s,(.+),/home/\1,
yes, in our production environment we often need attributes that are
generated automatically from other ones...
Thank you for taking your time to understand our needs and to formalize the
requests! :)