The point here is: does openldap support *server-side dynamic roles* ?
Not groups but roles! If not, then is there any other method, that may
take advantage of openldap dynamic groups, in order to simplify the
procedure I described in the previous paragraph?
The issue I raised in my initial mail is that even if openldap provides
(or will provide) an operational attribute that is going to be used as
server-side dynamic role, this attribute should not be used by any
external application unless there is a way to define more than one
service specific, server-side dynamic role, (radius-role,
yourapplication-role etc etc), where each xxx-role is related with a
specific set of filters.
Anyway, I suspect that openldap dynamic groups are not what the
community describes as server-side dynamic roles. If that is the case,
most probably it was my mistake to initiate this thread