[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: Attribute Description Hierarchies and Policy Administration
Kurt
the proposed text does not sound OK to me for the following reason
An attribute subtype is a specialisation of an attribute supertype. For
example a mobile phone number is a subtype of a telephone number if
defined as such in the attribute type description. Likewise CN is a
subtype of name since it is defined as such. Consequently if an object
class specifies that a name must be present, this is fulfilled if
localityName, CN, surname or any other subtype of name is present in the
entry. If the admistrator wants to be more specific about what type of
name is present in an entry, then the object class definition should be
more specific. This seems to me like proper object oriented modelling
Regards
David
"Kurt D. Zeilenga" wrote:
>
> Steven Legg, Jim McMeeking, and I had a brief discussion regarding how
> attribute descriptions hierarchies affect policy administration.
> ldapbis-models was a bit unclear. We came up with the following
> text for section 2.5.3 (replacing portions discussing subschema
> and other policy administration) which should clarifying this.
>
> For the purpose of subschema administration of the entry, a required
> attribute requirement is fulfilled if the entry contains a value
> of an attribute description belonging to an attribute hierarchy if
> the attribute type of that description is the same as the required
> attribute's type. That is, a "MUST name" requirement is fulfilled
> by 'name' or 'name;x-tag-option', but is not fulfilled by 'CN' nor
> by 'CN;x-tag-option'. Likewise, an entry may contain a value of
> an attribute description belonging to an attribute hierarchy if the
> attribute type of that description is either explicitly included
> in the definition of an object class to which the entry belongs or
> allowed by the DIT content rule applicable to that entry permits
> it. That is, 'name' and 'name;x-tag-option' are allowed by "MAY
> name" (or by "MUST name"), but 'CN' and 'CN;x-tag-option' are not
> allowed by "MAY name" (nor by "MUST name").
>
> For the purposes of other policy administration, unless stated
> otherwise in the specification of particular administrative model,
> all of the attribute descriptions in an attribute hierarchy are
> treated as distinct and unrelated descriptions.
>
> Comments?
>
> Kurt
--
*****************************************************************
David W. Chadwick, BSc PhD
Professor of Information Systems Security
IS Institute, University of Salford, Salford M5 4WT
Tel: +44 161 295 5351 Fax +44 01484 532930
Mobile: +44 77 96 44 7184
Email: D.W.Chadwick@salford.ac.uk
Home Page: http://www.salford.ac.uk/its024/chadwick.htm
Research Projects: http://sec.isi.salford.ac.uk
Understanding X.500: http://www.salford.ac.uk/its024/X500.htm
X.500/LDAP Seminars: http://www.salford.ac.uk/its024/seminars.htm
Entrust key validation string: MLJ9-DU5T-HV8J
PGP Key ID is 0xBC238DE5
*****************************************************************
begin:vcard
n:Chadwick;David
tel;cell:+44 77 96 44 7184
tel;fax:+44 1484 532930
tel;home:+44 1484 352238
tel;work:+44 161 295 5351
x-mozilla-html:FALSE
url:http://www.salford.ac.uk/its024/chadwick.htm
org:University of Salford;IS Institute
version:2.1
email;internet:d.w.chadwick@salford.ac.uk
title:Professor of Information Security
adr;quoted-printable:;;The Crescent=0D=0A;Salford;Greater Manchester;M5 4WT;England
note;quoted-printable:Research Projects: http://sec.isi.salford.ac.uk.......................=0D=0A=0D=0AUnderstanding X.500: http://www.salford.ac.uk/its024/X500.htm .......................=0D=0A=0D=0AX.500/LDAP Seminars: http://www.salford.ac.uk/its024/seminars.htm...................=0D=0A=0D=0AEntrust key validation string: CJ94-LKWD-BSXB ...........=0D=0A=0D=0APGP Key ID is 0xBC238DE5
x-mozilla-cpt:;-4856
fn:David Chadwick
end:vcard