[Fedora-directory-users] Ideas for fds - roles / forward groups [Checked for viruses]

Frerk.Meyer at Edeka.de Frerk.Meyer at Edeka.de
Tue Jun 14 08:10:53 UTC 2005


LDAP groups and LDAP roles: pro LDAP roles, but call them forward groups
and use them

The naming is a misfortune: nsrole = Netscape roles
First because they have their proprietary origin in the name.
Second because most applications use LDAP groups to determine
application roles, and LDAP roles are just another kind of group
definition but no roles at all. They became roles by interpreting them
in an application for authorization.

In SQL/RDBMS only newbies make the mistake of trying to represent
a 1:n relation by storing all primary keys of B in a record of A.
SQL records are not multivalued so this mistake does not happen
that much. Everyone learned to do it the other way around.

But in LDAP this mistake is the standard for groups. And people
adhere to it because it is the 'STANDARD'.
Static LDAP roles do it like in every RDBMS, so it's right but
non-standard. It should become standard IMHO.

OpenLDAP has no roles because it implements the standard.
Netscape/Sun/FDS implement roles but nobody uses them because
they are not the standard.
But in MS-ADS - as I learned here - there is an attribute in every entry
representing group memberships. So they set their own standard,
as usual.
If the OSS community doesn't start to use the roles feature, soon
we will have to adhere to the MS standard and use ADS.

Frerk Meyer

EDEKA Aktiengesellschaft
GB Datenverarbeitung
Frerk Meyer
CC Web Technologien
New-York-Ring 6
22297 Hamburg
Tel: 040/6377 - 3272
Fax: 040/6377 - 41268
mailto:frerk.meyer at edeka.de





