[Fedora-directory-users] Ideas for fds

Richard Megginson rmeggins at redhat.com
Fri Jun 10 23:44:33 UTC 2005 

jclowser at unitedmessaging.com wrote:

> Netscape roles are great, but the reason I don't prefer them (and 
> dynamic groups) is that it is very implementation specific - i.e. 
> netscape/sun/fedora directory server (I'm considering them all more or 
> less the same) is the only server that implements it.  If I depend on 
> it, I'm tied to a particular implementation of ldap server, and can't 
> go to openldap, active directory, joes directory, etc (not that I'd 
> want to - esp ad, but for the sake of the whole standards argument, 
> it's important to consider and I'd want that option).
> If I have a dynamic group that returns members in uniquemember, I 
> could always switch, without changing my apps, with the caveat that 
> the groups may have to be managed statically.  I suppose you could say 
> the same about nsroles, but that further assumes an app allows you to 
> define the search filter.  I actually used a static method very 
> similar to nsroles before nsroles existed (i.e. create an entry in 
> ldap, then create an attribute in the users entry that contains the DN 
> of that entry, and use that to determine what roles a user is part of, 
> solely by looking at the users entry.  Nice 'cause you could config 
> referential integrity to clean it up and all if you delete the role, 
> too).  But I ran into the same problem - only the apps I wrote knew 
> how to use it (but at least it worked in any ldap server :) ).  At 
> least it didn't have the resource limit issues that groupofurls has.
>
> Anyway,  the issue of large groups does exist for me, so it is a 
> concern - A customer of 100k-1 million or more is not out of the 
> question.  It would have to be used with care.   But, in the case of 
> smaller deployments, or even smaller or "select" groups, it would be 
> useful to have this for cases where I can't make apps use the Netscape 
> extensions.  In a lot of cases, the _app_ doesn't need to deal with a 
> large list of returned values - i.e. if I do a search for 
> (&(cn=MyGroupName)(objectclass=groupofuniquenames)(uniquemember=<someUserDN>)), 
> returning say,  only the cn attribute or discarding everything but a 
> found/not found result to see solely if I'm a member, I would want it 
> to work.  Some apps use this to determine group membership, and can't 
> be changed...  This is actually the more likely scenario than wanting 
> to use/display the entire list.
>
> Haven't really thought this through, but would it be possible to use a 
> combination of roles and cos to create a group the way I am 
> suggesting?  I would think even if possible, it would be complicated 
> and probably pretty inefficient, but is an option.  If I remember 
> correctly, you can't search on dynamic attributes generated by Cos, 
> though (actually, I think in the most recent version of the Sun DS, 
> you could search on them, but they are treated as unindexed 
> searches)...  This would likely factory into the members dynamically 
> returned as uniquemember idea as well, so one more inefficiency in 
> implementing my idea :-D

In Fedora DS these attributes are "indexed" so you can search on them 
very quickly (e.g. ldapsearch .... (nsrole=ROLEDN)).

But, point taken.  Roles work great, but they don't conform to the 
standard group schema.  We could use our roles/cos technology to 
implement a very efficient static group.  One problem remains though - 
how to solve the problem of retrieving a large static group?

>
> - Jeff
>
>
>
> David Boreham wrote:
>
>> I should also say that the roles feature was born at a time
>> when the product was marketed for very large scale deployments.
>> We had seen for example the mail server users attempt to create
>> groups with millions of entries. That just didn't work at all well.
>>
>> That was then and this is now: the target market is somewhat
>> different. For the typical F500 company with a few thousand employees,
>> virtual view static groups are probably just fine.
>>
>>
>> -- 
>> Fedora-directory-users mailing list
>> Fedora-directory-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>
>
>
> -- 
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3312 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/fedora-directory-users/attachments/20050610/99347aed/attachment.bin>

More information about the Fedora-directory-users mailing list