Fedora directory users - Apr 2006 - use of dynamic groups from client applications

Hello,

I have recently discovered FDS and the use of dynamic groups.

As I had many groups that I generate by scripts on a regular basis, I
thought the use of dynamic groups would remove a certain amount of
complexity and administration from my current setup.

However, things do not work like I expected. I''m testing my dynamic
groups from a site built with Plone (which can find which groups the
user belongs to when authenticating) and group membership is not
found.

Do client applications have to support "dynamic groups" by using the
"memberurl" attribute to issue a search by their own ?
If that''s the case, has the possibility to emulate a static group from
an external point of view (with a cache being refreshed after updates
on the directory) been envisaged ?

Thanks in advance,

--
Mikael Kermorgant

Mikael Kermorgant wrote:
> Hello,
>
> I have recently discovered FDS and the use of dynamic groups.
>
> As I had many groups that I generate by scripts on a regular basis, I
> thought the use of dynamic groups would remove a certain amount of
> complexity and administration from my current setup.
>
> However, things do not work like I expected. I''m testing my
dynamic
> groups from a site built with Plone (which can find which groups the
> user belongs to when authenticating) and group membership is not
> found.
>
> Do client applications have to support "dynamic groups" by using
the
> "memberurl" attribute to issue a search by their own ?
>   
Yes.
> If that''s the case, has the possibility to emulate a static group
from
> an external point of view (with a cache being refreshed after updates
> on the directory) been envisaged ?
>   
It depends.  What are you trying to do?  Populate the members of a 
static group entry dynamically depending on some property of the entry 
of each member?  Or do you automatically add some attribute to each 
member''s entry indicating their group membership?

Fedora DS has two features in addition to support for traditional 
groups: Roles and Class of Service.  With Roles, you can create 
(statically or dynamically) "groups" that you can perform the
following
operations on much faster than with traditional groups:
1) List all members of a given Role
2) Test if user A has Role B
3) List all Roles that user A has

Class of Service allows you to dynamically add virtual attributes to 
users'' entries.
> Thanks in advance,
>
> --
> Mikael Kermorgant
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users@redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>

> > Do client applications have to support "dynamic groups" by
using the
> > "memberurl" attribute to issue a search by their own ?
> >
> Yes.
Ok, that burries the "dynamic group" option for my setup. Indeed,
Plone is looking for the attribute ''member'' or
''uniquemember'' in the
group objects.
> > If that''s the case, has the possibility to emulate a static
group from
> > an external point of view (with a cache being refreshed after updates
> > on the directory) been envisaged ?
> It depends.  What are you trying to do?  Populate the members of a
> static group entry dynamically depending on some property of the entry
> of each member?
Exactly.
But with a filtered Role, won''t I have the same behaviour as in
dynamic groups in the sense that the role only has a
''nsrolefilter''
attribute similar to ''memberurl'' and not a true list of the
members ?

Best Regards,
--
Mikael Kermorgant

Mikael Kermorgant wrote:
>>> Do client applications have to support "dynamic groups"
by using the
>>> "memberurl" attribute to issue a search by their own ?
>>>
>>>       
>> Yes.
>>     
> Ok, that burries the "dynamic group" option for my setup. Indeed,
> Plone is looking for the attribute ''member'' or
''uniquemember'' in the
> group objects.
>
>   
>>> If that''s the case, has the possibility to emulate a
static group from
>>> an external point of view (with a cache being refreshed after
updates
>>> on the directory) been envisaged ?
>>>       
>
>   
>> It depends.  What are you trying to do?  Populate the members of a
>> static group entry dynamically depending on some property of the entry
>> of each member?
>>     
>
> Exactly.
> But with a filtered Role, won''t I have the same behaviour as in
> dynamic groups in the sense that the role only has a
''nsrolefilter''
> attribute similar to ''memberurl'' and not a true list of
the members ?
>   
Right.  AFAIK, there is no way to have a single entry with a single 
attribute whose values are computed from a search
filter.
> Best Regards,
> --
> Mikael Kermorgant
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users@redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>