Grouper Developers Forum

[Tom Barton <>]

Michael R. Gettes wrote:
> Your reflection (view) is reasonable if you only consider
> things like group or permission objects going into a directory
> but if you think about my person entry having attributes also
> showing membership or privilege then I think your position
> fails - there is only one person object representing you
> so how will you manage multiple chefs cooking YOU?!?!?!
> LDAPPC in the past properly handled groups in my entry
> with the handling of IsMemberOf but it failed on the
> eduPersonEntitlement.  If this problem is fixed, then
> I agree - as I noted in my response - the group and
> permission objects should be in their own portion of
> the tree - largely for reasons of access control at the
> directory level.

My advice is to not configure multiple ldappc instances to all handle 
the same membership attribute (ie, using ldappc's "-memberships" 
parameter). Can you think of a scenario in which it is required to do 
so, ie, in which having a single ldappc instance provision all 
-memberships does not meet needs?

Tom
begin:vcard
fn:Tom Barton
n:Barton;Tom
org:University of Chicago;Networking Services & Information Technologies
email;internet:
title:Sr. Director for Integration
tel;work:+1 773 834 1700
version:2.1
end:vcard