Support for Groups in LDAP Identity

Registered by Adam Young

Groups are implemented as groupOfNames objects. Group membership is done by
appending the user's DN to the group's membership attribute. That is pretty much
what you just wrote, and I think it is the only way to do group
membership that makes sense.

Roles are implemented as organizationalRole objects. They are collected under
the project object, which is implemented as a groupOfNames object.

So the project is a groupOfNames object, and it has multiple children, which are the roles that can be used with this project.

A user is assigned a role by being appended to the roleOccupant attribute of
the organizationalRole.

It's the standard use of the roleOccupant attribute, which is multi-valued. It's quite common to have multiple people with the same role, e.g. manager, team leader, professor, etc. are all roles usually held by many people.

So to add groups to the role, we append the DN of the group to the
roleOccupant attribute. This is on the organizationalRole object, not the
groupOfNames.

Now, to determine the roles for a user on a project, we need to iterate through all of the values of the organizationalRole's roleOccupant attribute. If the user's DN is there, they have that role.

If there are any groups in there, we need to iterate through each of the groups to find out if the user is a member of that group. If they are, they have that role.

It is possible that some LDAP implementations will call for recursively checking group membership. That will not be supported in the first implementation.
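The schema and the role-resolution steps above, as an added example that is not code from the blueprint or from Keystone. It models the design described here: the project is a groupOfNames entry, each role is an organizationalRole child of the project, users and groups are listed in the role's roleOccupant attribute, and a group's members are held in the groupOfNames member attribute (the standard membership attribute for that object class). The DNs, the LDIF content and the minimal LDIF parser are constructed for this example, and group membership is resolved one level deep only, matching the first-implementation limitation stated above (the nested group in the sample shows that case not being followed).

```python
"""Resolve roles for a user on a project in the LDAP layout described above.

Added example, not Keystone code. Directory content and the tiny LDIF parser
are constructed for the example.
"""

# Constructed sample directory: users, two groups (ops nested inside admins),
# one project (a groupOfNames) and two organizationalRole children of it.
CONSTRUCTED_LDIF = """\
dn: cn=alice,ou=users,dc=example,dc=com
objectClass: inetOrgPerson

dn: cn=bob,ou=users,dc=example,dc=com
objectClass: inetOrgPerson

dn: cn=carol,ou=users,dc=example,dc=com
objectClass: inetOrgPerson

dn: cn=admins,ou=groups,dc=example,dc=com
objectClass: groupOfNames
member: cn=alice,ou=users,dc=example,dc=com
member: cn=ops,ou=groups,dc=example,dc=com

dn: cn=ops,ou=groups,dc=example,dc=com
objectClass: groupOfNames
member: cn=carol,ou=users,dc=example,dc=com

dn: cn=proj1,ou=projects,dc=example,dc=com
objectClass: groupOfNames
member: cn=alice,ou=users,dc=example,dc=com

dn: cn=admin,cn=proj1,ou=projects,dc=example,dc=com
objectClass: organizationalRole
cn: admin
roleOccupant: cn=admins,ou=groups,dc=example,dc=com

dn: cn=member,cn=proj1,ou=projects,dc=example,dc=com
objectClass: organizationalRole
cn: member
roleOccupant: cn=bob,ou=users,dc=example,dc=com
roleOccupant: cn=alice,ou=users,dc=example,dc=com
"""


def parse_ldif(text):
    """Parse minimal LDIF (no continuation lines, no base64) into {dn: {attr: [values]}}."""
    directory = {}
    for record in text.strip().split("\n\n"):
        dn, entry = None, {}
        for line in record.splitlines():
            attr, _, value = line.partition(": ")
            if attr == "dn":
                dn = value
            else:
                entry.setdefault(attr, []).append(value)
        directory[dn] = entry
    return directory


def same_dn(a, b):
    """Case-insensitive whole-string comparison; a simplification of real LDAP
    DN matching, which also normalises spacing and escaping inside RDNs."""
    return a.strip().lower() == b.strip().lower()


def is_group_member(directory, group_dn, user_dn):
    """One level of groupOfNames membership. Groups nested in 'member' are not
    followed: recursive membership is out of scope for the first implementation."""
    entry = directory.get(group_dn)
    if entry is None or "groupOfNames" not in entry.get("objectClass", []):
        return False
    return any(same_dn(m, user_dn) for m in entry.get("member", []))


def roles_for_user(directory, user_dn, project_dn):
    """Return the sorted role names the user holds on the project."""
    project = directory.get(project_dn)
    if project is None or "groupOfNames" not in project.get("objectClass", []):
        raise ValueError("project not found or not a groupOfNames: %s" % project_dn)
    roles = set()
    suffix = "," + project_dn
    for dn, entry in directory.items():
        # Roles are the organizationalRole entries directly under the project.
        if not dn.endswith(suffix) or "," in dn[: -len(suffix)]:
            continue
        if "organizationalRole" not in entry.get("objectClass", []):
            continue
        for occupant in entry.get("roleOccupant", []):
            # Direct user DN, or a group DN whose member list holds the user.
            if same_dn(occupant, user_dn) or is_group_member(directory, occupant, user_dn):
                roles.add(entry["cn"][0])
                break
    return sorted(roles)


DIRECTORY = parse_ldif(CONSTRUCTED_LDIF)

if __name__ == "__main__":
    project = "cn=proj1,ou=projects,dc=example,dc=com"
    for user in ("alice", "bob", "carol"):
        user_dn = "cn=%s,ou=users,dc=example,dc=com" % user
        print(user, roles_for_user(DIRECTORY, user_dn, project))
```

Running it shows alice holding both roles (one directly, one through the admins group), bob holding only member, and carol holding nothing on proj1 even though she is in ops, because ops is only reachable through the nested admins membership that the first implementation does not follow.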

also a member of the group

Blueprint information

Status: Complete
Approver: None
Priority: Undefined
Drafter: Adam Young
Direction: Needs approval
Assignee: Sahdev Zala
Definition: New
Series goal: None
Implementation: Implemented
Milestone target: None
Started by: Sahdev Zala
Completed by: Sahdev Zala

Whiteboard

Hi Adam, not being an expert on LDAP, I had some colleagues who have more experience with LDAP review the blueprint design. It was very well received! Thanks for putting this together.
