Am Donnerstag 02 Oktober 2008 06:26:44 schrieb Howard Chu:
I was dusting off some of the last rfc2307bis revisions Luke sent me,
then remembered how much of a mess we still have with groups. Here are some
ideas I'm toying with, would like some feedback before drafting for
Nice, to see that something is going on in that area. :)
We already know that groupOfUniqueNames is misleading and should be
avoided. The big problem with groupOfNames is that member is required. So
my first thought was a new groupOfMembers objectclass where member is
optional (MAY instead of MUST).
Along the way I was thinking that perhaps a different concept was needed
here, like setOfNames instead. The main thinking being:
sets implicitly have unique membership
sets may be empty
sets may be comprised of other sets
This presents a single solution to the whole static/dynamic/nested groups
The (multivalued of course) "reference" attribute is a URI.
if it's in the form of a plain DN, then it is the DN of a single
member. if it's in the form of an absolute qualified URI (i.e., it begins
with a "ldap:///" spec) then it dereferences the URI to derive the members.
For a nested group, you would use
which would join (union) the values of the referenced entry's reference
attribute to this set.
One problem with this could be, that would be impossible to
find out which
nested groups a certain group is a member of. With the direct DN references
("member"-Attribute) that was still possible. If you would allow nested groups
in the rfc2307bis revision that might become a problem. Think of e.g. the
getgrouplist(), initgroups()s calls.
For a dynamic group you would use something like
Obviously a "nested group" is now just a special case of a dynamic group.
The main point here is that you can immediately tell by inspection whether
a further dereference is needed or not.
Furthermore we can incorporate specific Identity values into *each*
dereference, using URI extensions:
We could probably do the same for AuthZ although it would get awkward to
specify a list of authorized proxiers. That would itself have to be another
reference to accomodate multiple values.
This gives us a clean, consistent syntax and semantic for grouping
behavior. It doesn't make our lives any easier as far as indexing and
optimizing the dynamic characteristics, but it's a start. Thoughts?