On Jul 19, 2006, at 7:49 AM, Mike Jackson wrote:
...
I designed the directory architecture and service which is
currently in the middle of being deployed to a very large number of
LDAP servers worldwide, and I only used posixGroup as the user
grouping mechanism.

Recording full DNs as attribute values is a nasty practice to
establish relationships, and base64 encoding DNs into attribute
values is even nastier (there are a few popular commercial
applications which do this). Organizations change their names as
they get bought, etc., and they always seem to want their DIT
renamed... Relationships, when required, should be established by
association (in your client), not by DN pointer (in the directory).

Just a fine point on this matter, in case anyone out there has
the same misimpression about the DNs as one of my colleagues did -
the DN value of groupOfNames member doesn't need to be explicitly
or implicitly relative to the directory. Our DNs are just
cn=hostname, or cn=username. For use within the directory itself,
for access authorization, these names map to SSL certificate subject
or Kerberos principal. For external applications, again Kerberos
principal. I'm sure that wouldn't work for every site, but my point
is that when you need a full directory reference DN, it's for some
other reason, not just because your group is groupOfNames.

Donn Cave, [EMAIL PROTECTED]
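The following is an added example, not code from the thread or from either author's deployment. It models in memory the three membership styles discussed above: a posixGroup whose memberUid values are resolved by association in the client, a groupOfNames whose member values are full DN pointers into the DIT, and a groupOfNames in the style Donn Cave describes, whose member values are bare cn=username RDNs mapped to a Kerberos principal without any directory lookup. It then renames the DIT suffix the way an acquisition would and shows which style survives. The directory entries, the suffixes dc=oldcorp/dc=newcorp and the realm EXAMPLE.COM are all constructed for illustration; the principal mapping handles only the cn=username case, not cn=hostname.

```python
"""Added example: posixGroup association vs. groupOfNames DN pointers under a DIT rename.
All entries, suffixes and the realm below are constructed sample data."""
import copy

# Constructed sample directory: DN -> attributes (lower-case attribute names, list values).
DIRECTORY = {
    "uid=alice,ou=people,dc=oldcorp,dc=example": {
        "objectclass": ["inetOrgPerson", "posixAccount"], "uid": ["alice"]},
    "uid=bob,ou=people,dc=oldcorp,dc=example": {
        "objectclass": ["inetOrgPerson", "posixAccount"], "uid": ["bob"]},
    # posixGroup: membership by uid value, resolved by association in the client.
    "cn=admins,ou=groups,dc=oldcorp,dc=example": {
        "objectclass": ["posixGroup"], "gidnumber": ["1000"], "memberuid": ["alice", "bob"]},
    # groupOfNames: membership by full DN pointer into the directory.
    "cn=admins-dn,ou=groups,dc=oldcorp,dc=example": {
        "objectclass": ["groupOfNames"],
        "member": ["uid=alice,ou=people,dc=oldcorp,dc=example",
                   "uid=bob,ou=people,dc=oldcorp,dc=example"]},
    # groupOfNames with bare cn=username members mapped to an external identity.
    "cn=ssh-access,ou=groups,dc=oldcorp,dc=example": {
        "objectclass": ["groupOfNames"], "member": ["cn=alice", "cn=bob"]},
}


def normalize_dn(dn):
    """Cheap DN normalisation: trim whitespace around RDN separators, lower-case."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def members_by_association(directory, group_dn):
    """posixGroup style: find user entries whose uid matches a memberUid value.
    The group records nothing about where the user entries live."""
    wanted = set(directory[group_dn]["memberuid"])
    return sorted(dn for dn, attrs in directory.items()
                  if "posixAccount" in attrs.get("objectclass", [])
                  and wanted & set(attrs.get("uid", [])))


def members_by_dn_pointer(directory, group_dn):
    """groupOfNames style: dereference each member DN in the directory.
    Returns (resolved entry DNs, member values that point at nothing)."""
    index = {normalize_dn(dn): dn for dn in directory}
    resolved, dangling = [], []
    for value in directory[group_dn]["member"]:
        hit = index.get(normalize_dn(value))
        if hit is None:
            dangling.append(value)
        else:
            resolved.append(hit)
    return sorted(resolved), dangling


def members_as_principals(directory, group_dn, realm):
    """Bare cn=username member values mapped to Kerberos principals (assumed
    mapping: <username>@<realm>); no DIT lookup, so a rename cannot break it."""
    principals = []
    for value in directory[group_dn]["member"]:
        rdn_type, _, rdn_value = value.partition("=")
        if rdn_type.strip().lower() != "cn" or "," in rdn_value:
            raise ValueError("expected a bare cn=<name> member value: %r" % value)
        principals.append("%s@%s" % (rdn_value.strip(), realm))
    return principals


def rename_suffix(directory, old_suffix, new_suffix):
    """Simulate the DIT being renamed after an acquisition. Entry DNs move, but
    attribute values that happen to contain DNs are left untouched, which is
    what a server-side rename does."""
    renamed = {}
    for dn, attrs in directory.items():
        if not dn.endswith(old_suffix):
            raise ValueError("entry outside the renamed suffix: %r" % dn)
        renamed[dn[:-len(old_suffix)] + new_suffix] = copy.deepcopy(attrs)
    return renamed


if __name__ == "__main__":
    old, new = "dc=oldcorp,dc=example", "dc=newcorp,dc=example"
    after = rename_suffix(DIRECTORY, old, new)
    print("posixGroup after rename:", members_by_association(after, "cn=admins,ou=groups," + new))
    print("groupOfNames DN pointers after rename:",
          members_by_dn_pointer(after, "cn=admins-dn,ou=groups," + new))
    print("bare-cn groupOfNames after rename:",
          members_as_principals(after, "cn=ssh-access,ou=groups," + new, "EXAMPLE.COM"))
```

Run stand-alone, the script shows the posixGroup still resolving both users under the new suffix, every member value of the DN-pointer group reported as dangling, and the bare-cn group still yielding the same principals; the dangling list is the check worth wiring into an audit job when a DN-pointer group class is already in use.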