On Tue, 23 Dec 2003 [EMAIL PROTECTED] wrote:

> On Tue, 23 Dec 2003, Igor Brezac wrote:
>
> > Good luck building it! ;) This code needs work. When I find some time
> > I'll try to work on it...
> >
> > -Igor
>
> I notice the imapd.conf man page mentions the 'memberOf' attribute.
> Unless I'm mistaken, that's a bit of a controversial thing, huh?

Why is that?

> That is, whether to use "static" groups containing all the members,
> or to have a multi-valued attribute contained within the user DN
> listing the groups that DN is associated with, what iPlanet/SunONE

You can take either one of those approaches, preferably the second one. The code needs to get a list of groups in order to fit into the current cyrus group functionality.

> refers to as "roles". I guess AD also takes that approach. I don't
> know where I'm going with this, other than maybe clarification that
> my interpretation is correct.
>
> I'm still exploring this LDAP group business. We do map the standard
> UNIX group file to LDAP, but in a way I don't consider those to be
> "LDAP groups". Interestingly enough, for a while now we've been
> using an attribute in the user DN to perform some access permissions
> checks, so unwittingly have been using SunONE roles-like approach for
> a while now. (We are using the SunONE server.)
>

You lose the group functionality with this approach, although you get better performance.

--
Igor