[Fedora-directory-users] Ideas for fds
David Boreham
david_list at boreham.org
Fri Jun 10 13:58:59 UTC 2005
jclowser at unitedmessaging.com wrote:
> One of those things I always had a love/hate relationship with in the
> Netscape/Sun directory server was dynamic lists.
>
> Loved 'em because you could create email lists and aci groups that
> were self maintaining based on ldap filter criteria.
>
> Hated 'em because no third party app's knew how to use them - most
> apps see groups as groupofmembers or groupofuniquemembers with a list
> of dn's in member/uniquemember.
>
> It would be nice to have a dynamic group like Netscape's groupOfUrls
> (i.e. an ldap url defines members), but have the members returned to
> clients as uniquemembers of the group. In this way, you could create
> dynamic groups that are much more useful.
>
> For example, if I created:
>
> cn: hr users
> objectclass: top
> objectclass: groupofuniquenames
> objectclass; groupofurls
> memberurl: ldap:///<basedn>??sub?(department=hr)
> ...
>
> and did a search to retrieve it, the people that match the memberurl
> would be returned dynamically as uniquemember values.
>
> Issues I see with this:
> 1. Server load - if I have a lot of these groups and do a search that
> returns all groupofurl entries, it could take a lot of resources to
> generate that dynamically.
> 2. Assuming this is inherited from groupofuniquenames, what happens
> if I add static members to uniquemember? I would say return the
> merged list. How do we know if a value is static or dynamic, to do
> things like removing a static member? We don't, but this is similar
> to the issues using class of service where attributes are dynamically
> added. (Actually, would it be possible to implement this using class
> of service? Hmmm...)
I think that you've (re)-invented 'filtered roles'.
They've been supported in the server since 1999 or so.
Your second point above I believe is covered by nested roles.
Roles (deliberately) don't use the same schema as static groups,
so the same problem you mentioned that apps don't support them
applies still. They use the 'nsRole' attribute.
More information about the 389-users
mailing list