Hi Luke,

Thinking about it, I guess the current implementation solves 99% of all problems. (The remaining 1% is when you need all groups for a user and you don't have an OU for all groups.)

For 'normal' applications it is totally ok to specify a fixed OU. If an application needs groups in different OUs you can nest groups in groups.

If I could make a wish I'd prefer a method to look for groups regardless of OU, rather than a list of DNs. [Just for the remaining 1% ;-) ] This would solve the multiple OU-problem without nesting, too.

BTW, keep on with your fantastic work. I convinced my boss to take a look at Spring and Acegi and he was surprised how easy it is to build consistent applications. In the next months we will port all our old Lotus Domino applications to Spring/Acegi.