On Tue, 2004-08-17 at 15:07, Quanah Gibson-Mount wrote:
...
> This gets off into an interesting side-bar on group memberships in general
> though, if one ponders things like automatic addition of "memberOf"
> attributes to DN's when they are added to groups -- What do you do if the
> DN doesn't exist in the DB as an entry, because it is being done in this
> method.
...
> --Quanah
>

Quanah raises another question for me -- given projects like Shibboleth, and the use of other hierarchical connections (such as LDAP referrals), does anyone on this list currently place DNs from other DITs in local groups to manage authorization when authentication takes place elsewhere?

For example, if I have a group named "Library Access" which applications at the UConn library use for authorization, (is it | will it be) common practice for me to add a DN from another school's LDAP server to that group when I want to share access with other schools?

I suppose this would work best with a fully interconnected Higher-Ed Kerberos trust fabric, and a Higher-Ed root LDAP server. Or, will Shibboleth provide this functionality better?

-Matt

--
Matthew J. Smith <matt.smith@uconn.edu>
University of Connecticut ITS
PGP Key: http://web.uconn.edu/dotmatt/matt.asc