RE: [Fedora-directory-users] Ideas for fds - roles / forward groups[Auf Viren geprüft]

Pete Rowley pete at openrowley.com
Tue Jun 14 20:01:51 UTC 2005


 

> -----Original Message-----
> From: fedora-directory-users-bounces at redhat.com 
> [mailto:fedora-directory-users-bounces at redhat.com] On Behalf 
> Of Frerk.Meyer at Edeka.de
> Sent: Tuesday, June 14, 2005 1:11 AM
> To: General discussion list for the Fedora Directory server project.
> Subject: Re: [Fedora-directory-users] Ideas for fds - roles / 
> forward groups[Auf Viren geprüft]
> 
> 
> The naming is a misfortune: nsrole = netscape roles First 
> because they have their proprietary origin in the name.

This is not an unusual thing for a proprietary attribute type.  We used ns*
_because_ it namespaces the attribute and differentiates from standard
attributes.  Were roles to ever get a draft written I am sure the type name
would be changed to ldaprole or some such.

> Second because most applications use LDAP groups to determine 
> application roles, and LDAP roles are just another kind of 
> group definition but no roles at all. They became roles by 
> interpreting them in an application for authorization.

They are a little more than a grouping mechanism, role based attributes
provide for much greater power than a mere group.  And actually, for LDAP,
they _do_ perform the function of roles, allowing for authorization in the
directory and property inheritance.  Applications could choose to use these
roles to perform their authorization functionality too via directory access
control.

> Static LDAP roles do it like in every RDBMS, so it's right 
> but non standard. I should become standard IMHO.

I agree.  Probably the largest impediment to that happening before now were
patent applications filed for the technology.






More information about the Fedora-directory-users mailing list