RE: [Fedora-directory-users] Ideas for fds - roles / forward groups[Auf Viren geprüft]
-----Original Message-----
From: fedora-directory-users-bounces(a)redhat.com
[mailto:fedora-directory-users-bounces@redhat.com] On Behalf
Of Frerk.Meyer(a)Edeka.de
Sent: Tuesday, June 14, 2005 1:11 AM
To: General discussion list for the Fedora Directory server project.
Subject: Re: [Fedora-directory-users] Ideas for fds - roles /
forward groups[Auf Viren geprüft]
The naming is a misfortune: nsrole = netscape roles First
because they have their proprietary origin in the name.
This is not an unusual thing for a proprietary attribute type. We used ns*
_because_ it namespaces the attribute and differentiates from standard
attributes. Were roles to ever get a draft written I am sure the type name
would be changed to ldaprole or some such.
Second because most applications use LDAP groups to determine
application roles, and LDAP roles are just another kind of
group definition but no roles at all. They became roles by
interpreting them in an application for authorization.
They are a little more than a grouping mechanism, role based attributes
provide for much greater power than a mere group. And actually, for LDAP,
they _do_ perform the function of roles, allowing for authorization in the
directory and property inheritance. Applications could choose to use these
roles to perform their authorization functionality too via directory access
control.
Static LDAP roles do it like in every RDBMS, so it's right
but non standard. I should become standard IMHO.
I agree. Probably the largest impediment to that happening before now were
patent applications filed for the technology.