Return-Path: Delivered-To: apmail-directory-dev-archive@www.apache.org Received: (qmail 32963 invoked from network); 21 Sep 2007 17:11:53 -0000 Received: from hermes.apache.org (HELO mail.apache.org) (140.211.11.2) by minotaur.apache.org with SMTP; 21 Sep 2007 17:11:53 -0000 Received: (qmail 28993 invoked by uid 500); 21 Sep 2007 17:11:44 -0000 Delivered-To: apmail-directory-dev-archive@directory.apache.org Received: (qmail 28962 invoked by uid 500); 21 Sep 2007 17:11:44 -0000 Mailing-List: contact dev-help@directory.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: "Apache Directory Developers List" Delivered-To: mailing list dev@directory.apache.org Received: (qmail 28944 invoked by uid 99); 21 Sep 2007 17:11:44 -0000 Received: from athena.apache.org (HELO athena.apache.org) (140.211.11.136) by apache.org (qpsmtpd/0.29) with ESMTP; Fri, 21 Sep 2007 10:11:44 -0700 X-ASF-Spam-Status: No, hits=-0.0 required=10.0 tests=SPF_PASS X-Spam-Check-By: apache.org Received-SPF: pass (athena.apache.org: domain of mboorshtein@gmail.com designates 64.233.184.224 as permitted sender) Received: from [64.233.184.224] (HELO wr-out-0506.google.com) (64.233.184.224) by apache.org (qpsmtpd/0.29) with ESMTP; Fri, 21 Sep 2007 17:11:44 +0000 Received: by wr-out-0506.google.com with SMTP id 36so390754wra for ; Fri, 21 Sep 2007 10:11:23 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=beta; h=domainkey-signature:received:received:message-id:date:from:to:subject:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; bh=CHrmRBDanFpIjNUv7YVIEtqa2O/YNGz1FAmI9qrhXEg=; b=e9x/ruco5uyA9Xeo70P6TMOR5njvHKcJD7lFka5lRY/bFtq1bbaVQ7OaSa8ZJO9qzVzntsfp0oYAf8vOsQFhd/0Qy+fFuGlqrl+xfdkIFWF6jRTxVjaX0AmA7/rMrCktJg34jfbtETY478X04NVJwcNq1auXDe/kn5KIfm9SIFI= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=beta; h=received:message-id:date:from:to:subject:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=LwJdBoabVH3IVSPyQsjfYFQyav0+1KbVQpJmjQg1BfjX6K7OS9xfMQG2ocBG18bBs0jZ9GUrcB67uygtMhZ4TVz6TU88MGF+AE18P4GGpheijLqk/h0vyTfFduIRccWFc0hd4/YOg89pfoN6ffF+Ll/5AchoHJzthDd2reO35oo= Received: by 10.78.205.7 with SMTP id c7mr750783hug.1190394681889; Fri, 21 Sep 2007 10:11:21 -0700 (PDT) Received: by 10.78.123.11 with HTTP; Fri, 21 Sep 2007 10:11:21 -0700 (PDT) Message-ID: <800df6390709211011q5bdef748xcc628ccee0029829@mail.gmail.com> Date: Fri, 21 Sep 2007 13:11:21 -0400 From: "Marc Boorshtein" To: "Apache Directory Developers List" Subject: Re: [ApacheDS] Specifying application level subtrees? In-Reply-To: MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Content-Disposition: inline References: X-Virus-Checked: Checked by ClamAV on apache.org >It's essentially a means to group entries > together and much more powerful > than what is currently used in practice for dynamic groups: dynamic groups > uses an LDAP URL to > dynamically select the users for inclusion in the group. > Ok, I think I better understand what you are saying now. I've seen a lot of different group structures in directories. From the simplest static group to overly complex combinations of custom group entries and custom az modules for applications. The issue (or non issue depending on how you look at it) is that a group is simply a directory object. What gives a group power is how the application deals with the information. The moral here being that if you have some alternate idea of how to specify a group, i'm sure there are infinite ways of specifying how to group users together but can the application interpret that information? For instance a dynamic group is much easier to manage in many ways then a static group but applications don't generally know how to compare a user against an ldap url. Thats why many virtual directories have dynamic group plugins to make dynamic groups work and act like static groups. So if you were to pair this group specification idea with an interceptor that made it work like a static group you might be on to something. The answer to 'why dont we do it' is that applications need to be able to consume it. There is no az mechanism in a directory that can hide the implementation. Authorization is left to the applications that are accessing the directory. Marc