Using attribute ba
Well, I haven't read through Jeff's reference in its entirety so the answer may
be contained therein. What I got from Google before I posted this request is
that you essentially use attributes to define the various 'groupings' and then
use a search filter contained in an LDAP URL to find all entries that have that
attribute, thereby deriving the contents of the 'group'. Since the attribute
is local to the individual entry, and potentially it was valued and is
maintained by an automated process, the addition or removal of that entry's
'group' attribute seems to provide its dynamic status.

So my question now morphs into many. Do I understand dynamic groupings
correctly? If so, is the concept a standard, a proposed standard, or a
proprietary idea implemented by a few vendors? Won't LDAP eventually run into
a hard limitation, or a performance limitation, using attribute-based 'dynamic
groups' as I described above due to the large number of attributes that could
potentially end up in a single entry? The direction I'm heading in here is the
possibility of using dynamic groups as a form of role-based access control.

Tod

Quanah Gibson-Mount wrote:
> --On Wednesday, May 28, 2003 10:24 AM -0700 Jeff Costlow <j.costlow@f5.com>
> wrote:
>
> > I don't know what iPlanet is doing, but this document has some good
> > stuff in it.
> > http://middleware.internet2.edu/dir/groups/draft-internet2-mace-dir-groups-best-practices-01.html
>
> Interestingly enough, I wrote a note to OpenLDAP-software just a few days
> ago myself asking if it is possible to use dynamic groups in OpenLDAP-2.1.
> I've gotten 0 responses saying anything either way. I'm not convinced you
> can't, but I'm not convinced you can, either.
>
> --Quanah
>
> --
> Quanah Gibson-Mount
> Senior Systems Administrator
> ITSS/TSS/Computing Systems
> Stanford University
> GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
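
The mechanism described in the message above (a group defined by an LDAP URL whose search filter selects entries by their own attributes) can be sketched as follows. This is an added example, not part of the original thread or of any directory server's code: the `role` attribute, the DNs and the group URL are constructed, and it goes slightly beyond the message by handling compound filters.

```python
from urllib.parse import unquote

# Constructed sample directory (DN -> attributes); every name and value is made up.
ENTRIES = {
    "uid=alice,ou=people,dc=example,dc=com": {"objectClass": ["person"], "role": ["dba", "oncall"]},
    "uid=bob,ou=people,dc=example,dc=com": {"objectClass": ["person"], "role": ["helpdesk"]},
    "cn=printer1,ou=devices,dc=example,dc=com": {"objectClass": ["device"], "role": ["dba"]},
}
# Hypothetical group definition in LDAP URL form: ldap:///base?attrs?scope?filter
DBA_GROUP = "ldap:///ou=people,dc=example,dc=com??sub?(&(objectClass=person)(role=dba))"

def parse_filter(s, i=0):
    """Parse a subset of LDAP filters: (&..), (|..), (!..), (attr=value), (attr=*)."""
    if s[i:i + 1] != "(":
        raise ValueError("filter component must start with '('")
    i += 1
    if s[i:i + 1] in ("&", "|", "!"):
        op, kids, i = s[i], [], i + 1
        while s[i:i + 1] == "(":
            kid, i = parse_filter(s, i)
            kids.append(kid)
        if s[i:i + 1] != ")" or not kids:
            raise ValueError("malformed compound filter")
        return (op, kids), i + 1
    end = s.find(")", i)
    attr, eq, value = s[i:end].partition("=")
    if end < 0 or not eq:
        raise ValueError("malformed simple filter")
    return ("=", attr.lower(), value.lower()), end + 1

def matches(node, attrs):
    if node[0] == "=":  # equality or presence test, compared case-insensitively
        vals = [v.lower() for k, vs in attrs.items() if k.lower() == node[1] for v in vs]
        return bool(vals) if node[2] == "*" else node[2] in vals
    results = [matches(kid, attrs) for kid in node[1]]
    return {"&": all(results), "|": any(results), "!": not results[0]}[node[0]]

def members(member_url, entries):
    """Return the sorted DNs the URL selects; no member list is stored on the group."""
    if not member_url.lower().startswith("ldap:///"):
        raise ValueError("expected ldap:///base?attrs?scope?filter")
    base, _attrs, scope, flt = (unquote(f) for f in (member_url[8:].split("?") + [""] * 3)[:4])
    base, scope = base.lower(), scope.lower() or "base"
    if scope not in ("base", "sub"):
        raise ValueError("only base and sub scopes are handled in this sketch")
    tree, _ = parse_filter(flt or "(objectClass=*)")
    def in_scope(dn):  # naive string comparison; real servers normalise DNs first
        return dn.lower() == base or (scope == "sub" and dn.lower().endswith("," + base))
    return sorted(dn for dn, attrs in entries.items() if in_scope(dn) and matches(tree, attrs))
```

Membership is recomputed from the entries on every call, so whoever can write the `role` attribute on an entry controls who is in the group; if such a group gates access, write access to that attribute needs the same protection as the group itself.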