From: Christ.Klinge@web.de
To: openldap-bugs@openldap.org
Subject: Re: (ITS#8619) Enhancement request: Nested group support using dynlist recursion
Date: Mon, 20 Mar 2017 10:23:18 +0000
I have encountered some scepticism regarding the benefits of nesting within OpenLDAP itself. Some have argued that applications should resolve nested groups, or that nested groups should be created using automation instead. Here, I'd like to respond to these two objections.
 
1. applications should be responsible for resolving nested groups
First, I disagree from a philosophical point of view. The identity management system, and thus the user directory, is the central point of knowledge regarding group membership. For the sake of maintainability, all of the information as to why any given user is a member of any of its groups should be present at this central location. Whether a user is a direct member of a group or whether he is a member of a sub-group may interest applications, but what matters most is that the user is in fact part of both the sub-group and all of its ancestors.
 
Secondly, some applications simply don't have nested group support. It is a fairly common feature, but it just isn't part of every piece of software out there. Implementing nesting in the directory removes the need for support on the application side entirely. In the (from my current point of view unlikely) event that some application demands to resolve nesting itself, aliasing can be used to deactivate dynlist for the given application.
 
2. automation instead of nesting
Automation comes with two caveats which I would like to address individually:
 
2.a additional software
This may come as a no-brainer for most, but I'd like to point out that automation requires some form of additional software, be it DIY scripts or an application. This increases complexity, both due to the operation of this software and its interaction with the user directory.
 
2.b divergent center of information
Instead of maintaining nesting information within the user directory, the software used most likely stores its data outside of the directory. Worst case, it is hardcoded into some scripts. Thus, the information as to which groups are related is likely stored outside of the actual directory itself. This point may be void if the automation system stores nesting information on the group objects inside of the user directory.
 
Sincerely,
Christopher Klinge
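The message above argues that resolving nested groups is the directory's job. The following is an added illustration, not code from the author and not part of OpenLDAP or its dynlist overlay: it shows what every application would otherwise have to implement itself, namely a transitive walk over direct `member` lists, and it handles the two failure modes a recursive resolver must deal with, group cycles and runaway nesting depth. The group and user DNs are constructed sample data (`dc=example,dc=com`), and the directory is modelled as a plain dict of group DN to direct members rather than as LDAP search results.

```python
"""Nested (transitive) group resolution over a constructed, dict-backed
'directory'.  This is illustrative code only: it is not OpenLDAP's dynlist
implementation and the DNs below are made-up sample data."""
from collections import deque

# Constructed sample directory: group DN -> list of direct 'member' DNs.
# Members may themselves be groups; users are anything not listed as a group.
DIRECTORY = {
    "cn=all-staff,ou=groups,dc=example,dc=com": [
        "cn=engineering,ou=groups,dc=example,dc=com",
        "uid=alice,ou=people,dc=example,dc=com",
    ],
    "cn=engineering,ou=groups,dc=example,dc=com": [
        "cn=backend,ou=groups,dc=example,dc=com",
        "uid=bob,ou=people,dc=example,dc=com",
    ],
    "cn=backend,ou=groups,dc=example,dc=com": [
        "uid=carol,ou=people,dc=example,dc=com",
    ],
}

# Same data, but with a deliberate cycle: backend lists its own ancestor
# all-staff as a member.  A naive recursive resolver would never terminate.
CYCLIC_DIRECTORY = dict(DIRECTORY)
CYCLIC_DIRECTORY["cn=backend,ou=groups,dc=example,dc=com"] = [
    "uid=carol,ou=people,dc=example,dc=com",
    "cn=all-staff,ou=groups,dc=example,dc=com",
]


def is_group(dn, directory):
    """A DN is a group if the directory has a member list for it."""
    return dn in directory


def effective_members(group_dn, directory=DIRECTORY, max_depth=10):
    """Return (users, groups): every user DN that is a member of group_dn
    directly or through any chain of sub-groups, and every group visited
    on the way (group_dn itself included).

    Breadth-first walk with a visited set, so cycles are traversed once and
    then ignored, plus a depth limit so a pathological nesting chain cannot
    be used to make the resolver do unbounded work."""
    users = set()
    seen_groups = {group_dn}
    queue = deque([(group_dn, 0)])
    while queue:
        group, depth = queue.popleft()
        if depth > max_depth:
            raise RuntimeError(f"nesting deeper than {max_depth} at {group}")
        for member in directory.get(group, []):
            if is_group(member, directory):
                if member not in seen_groups:      # cycle / diamond guard
                    seen_groups.add(member)
                    queue.append((member, depth + 1))
            else:
                users.add(member)
    return users, seen_groups


def groups_of(user_dn, directory=DIRECTORY):
    """The inverse question an application usually asks: every group the
    user belongs to, directly or via a sub-group (what a nesting-aware
    memberOf would have to return)."""
    return {g for g in directory if user_dn in effective_members(g, directory)[0]}


def make_chain(n):
    """Constructed helper: a straight chain g0 -> g1 -> ... -> g(n-1) -> user,
    used to show the depth limit firing on overly deep nesting."""
    chain = {}
    for i in range(n):
        nxt = (f"cn=g{i + 1},ou=groups,dc=example,dc=com" if i + 1 < n
               else "uid=deep,ou=people,dc=example,dc=com")
        chain[f"cn=g{i},ou=groups,dc=example,dc=com"] = [nxt]
    return chain


if __name__ == "__main__":
    users, groups = effective_members("cn=all-staff,ou=groups,dc=example,dc=com")
    print("all-staff users:", sorted(users))
    print("groups of carol:", sorted(groups_of("uid=carol,ou=people,dc=example,dc=com")))
    print("cyclic backend:", sorted(effective_members(
        "cn=backend,ou=groups,dc=example,dc=com", CYCLIC_DIRECTORY)[0]))
```

The visited set is what makes the cyclic directory safe: `backend` reaches `all-staff`, which reaches `engineering`, which would reach `backend` again but is skipped. The depth limit is a separate control; it does not detect cycles, it caps how far a legitimate (or maliciously long) chain may be followed before the resolver gives up.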