[Fedora-directory-users] Ideas for fds

David Boreham david_list at boreham.org
Sat Jun 11 03:34:44 UTC 2005


Are there really large numbers of applications deployed that
grok static groups? I'd like to hear about them because I can't
remember ever seeing one. Mind you I don't get out much ;)

I think it would be useful to hear more about the use-cases in
applications for groups. Understanding those might shed more
light on the subject. I used the mail list group example previously,
but there will be many others each with its own peculiar set of
issues I suspect.

Way back I did think about intercepting a search for a
particular uniquemember attribute value on a group, generating
the result from roles-like logic. However, at the time it seemed
good to leave the static group semantics alone and define a new
mechanism (roles/cos). The intention at the time was to
submit the work to the IETF working group and eventually
have industry-wide support for the feature. Since that didn't
happen perhaps the choice to not integrate with static groups
was wrong, I'm still not sure though. One key aim with
roles/cos was that an application should be able to determine
all the things it needed to know in connection with an entry
by inspection of _the_entry_ itself (and not some other object
such as a group entry). The logic was: I'm an app, I want to
make a decision about entitlement or somesuch for this entity,
so let me look at their LDAP entry and decide what to do.
The idea was that the policy regarding entitlement and access
would be contained in and interpreted by the DS (and hence
allow arguably useful benefits such as centralized management of
entitlement/access control across the enterprise). I believe that
AD has this for its groups: you can see the groups an entry
belongs to by looking only at the entry. You can't do that with
FDS static groups.
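
The contrast drawn in the message above, as an added example (not part of the original post and not Fedora DS code): a small in-memory model in which static-group membership needs a search over group entries, while role membership is read from a computed nsRole attribute on the entry itself. The directory contents, DNs and helper names are constructed; nsRole, nsRoleDN and nsRoleFilter are the attribute names used by the server's roles feature, and only simple equality filters are modelled.

```python
import re

BASE = "dc=example,dc=com"
ALICE, BOB = f"uid=alice,ou=people,{BASE}", f"uid=bob,ou=people,{BASE}"

# Constructed sample directory (DN -> attributes); not data from the post.
DIRECTORY = {
    ALICE: {"objectClass": ["inetOrgPerson"], "ou": ["Engineering"],
            "nsRoleDN": [f"cn=admins,{BASE}", f"cn=gone,{BASE}"]},
    BOB: {"objectClass": ["inetOrgPerson"], "ou": ["Sales"]},
    f"cn=staff,ou=groups,{BASE}": {"objectClass": ["groupOfUniqueNames"],
                                   "uniqueMember": [ALICE, BOB]},
    f"cn=admins,{BASE}": {"objectClass": ["nsManagedRoleDefinition"]},
    f"cn=engineers,{BASE}": {"objectClass": ["nsFilteredRoleDefinition"],
                             "nsRoleFilter": ["(ou=Engineering)"]},
}

def _has(entry, attr, value):
    """Case-insensitive match of one attribute value (simplified matching rule)."""
    return value.lower() in (v.lower() for v in entry.get(attr, []))

def static_groups_of(dn):
    """Static groups: membership lives on the group, so the application must run
    a second search, (&(objectClass=groupOfUniqueNames)(uniqueMember=<dn>))."""
    return sorted(g for g, e in DIRECTORY.items()
                  if _has(e, "objectClass", "groupOfUniqueNames")
                  and _has(e, "uniqueMember", dn))

def read_entry(dn):
    """Roles: nsRole is computed when the entry is read, so one read of the
    entry itself is enough for an entitlement decision."""
    entry = {k: list(v) for k, v in DIRECTORY[dn].items()}
    roles = set()
    for role_dn, role in DIRECTORY.items():
        if _has(role, "objectClass", "nsManagedRoleDefinition"):
            # Managed role: the entry names the role; in this model a dangling
            # nsRoleDN (no such role entry) confers nothing.
            if _has(entry, "nsRoleDN", role_dn):
                roles.add(role_dn)
        elif _has(role, "objectClass", "nsFilteredRoleDefinition"):
            # Filtered role: only simple (attr=value) filters are modelled here.
            m = re.fullmatch(r"\((\w+)=([^()*]+)\)", role["nsRoleFilter"][0])
            if m and _has(entry, m.group(1), m.group(2)):
                roles.add(role_dn)
    entry["nsRole"] = sorted(roles)
    return entry

if __name__ == "__main__":
    print(static_groups_of(ALICE))
    print(read_entry(ALICE)["nsRole"])
```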
