I was dusting off some of the last rfc2307bis revisions Luke sent me, and then
remembered how much of a mess we still have with groups. Here are some ideas
I'm toying with, would like some feedback before drafting for IETF-LDAPext.
We already know that groupOfUniqueNames is misleading and should be avoided.
The big problem with groupOfNames is that member is required. So my first
thought was a new groupOfMembers objectclass where member is optional (MAY
instead of MUST).
Along the way I was thinking that perhaps a different concept was needed here,
like setOfNames instead. The main thinking being:
sets implicitly have unique membership
sets may be empty
sets may be comprised of other sets
This presents a single solution to the whole static/dynamic/nested groups
The (multivalued of course) "reference" attribute is a URI.
if it's in the form of a plain DN, then it is the DN of a single member.
if it's in the form of an absolute qualified URI (i.e., it begins with a
"ldap:///" spec) then it dereferences the URI to derive the members.
For a nested group, you would use
which would join (union) the values of the referenced entry's reference
attribute to this set.
For a dynamic group you would use something like
Obviously a "nested group" is now just a special case of a dynamic group. The
main point here is that you can immediately tell by inspection whether a
further dereference is needed or not.
Furthermore we can incorporate specific Identity values into *each*
dereference, using URI extensions:
We could probably do the same for AuthZ although it would get awkward to
specify a list of authorized proxiers. That would itself have to be another
reference to accomodate multiple values.
This gives us a clean, consistent syntax and semantic for grouping behavior.
It doesn't make our lives any easier as far as indexing and optimizing the
dynamic characteristics, but it's a start. Thoughts?
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/