[Fedora-directory-users] Ideas for fds - Tree DNs, roles [Auf Viren geprüft]

[Frerk.Meyer at Edeka.de]

On the topic of Tree DN as groups - evil or not - :

My application does not depend on the DN of the
person which is logged in. Instead it just depends on
application roles. BUT: I have implemented some
of the application roles by using LDAP roles inherited in the tree and
some by LDAP groups. The LDAP adapter (JNDIRealm
from Tomcat) unifies group membership and attribute values
to application roles. So I save administrative work with roles.

If an application role is identitical to some struture in the
DIT I save administrative work by using LDAP roles.
If the application role is orthogonal to the structure of the DIT
or I have exceptions I have to use static groups.
If in the future I cannot go on with LDAP roles I can change to
LDAP groups without changing the application.

If I don't use the tree structure in the DIT at all, it'll come
through the back door where I need dozends of groups which
mimic the trees in the end like
company_a_user
company_a_departement_b_user
company_a_department_b_subdivsion_c_user
and that's not really better.
Or how do you organize your groups?

A subtree is a topological group. It was meant so in the beginning
in X.500. If implementations don't support changes of that topology
it's not an argument against the concept.

I guess the problem lies deeper. If the use of (all sophisticated)
LDAP functions is to complicated to application developers,
the development plattforms need an LDAP adapter which abstracts
users and roles. It's like an object/relational mapping to escape
from doing SQL/JDBC by hand for every SQL-dialect out there.

Frerk Meyer

EDEKA Aktiengesellschaft
GB Datenverarbeitung
Frerk Meyer
CC Web Technologien
New-York-Ring 6
22297 Hamburg
Tel: 040/6377 - 3272
Fax: 040/6377 - 41268
mailto:frerk.meyer at edeka.de