On Tue, 23 Dec 2003, Igor Brezac wrote:

> Good luck building it! ;) This code needs work. When I find some time
> I'll try to work on it...
>
> -Igor

I notice the imapd.conf man page mentions the 'memberOf' attribute. Unless I'm mistaken, that's a bit of a controversial thing, huh? That is, whether to use "static" groups containing all the members, or to have a multi-valued attribute contained within the user DN listing the groups that DN is associated with, what iPlanet/SunONE refers to as "roles". I guess AD also takes that approach.

I don't know where I'm going with this, other than maybe clarification that my interpretation is correct. I'm still exploring this LDAP group business. We do map the standard UNIX group file to LDAP, but in a way I don't consider those to be "LDAP groups".

Interestingly enough, for a while now we've been using an attribute in the user DN to perform some access permissions checks, so unwittingly have been using a SunONE roles-like approach for a while now. (We are using the SunONE server.)

Amos