[Date Prev][Date Next] [Chronological] [Thread] [Top]

summary of Apr 11 ldap access control model conference call

To: ietf-ldapext-acm@OpenLDAP.org
Subject: summary of Apr 11 ldap access control model conference call
From: Ellen Stokes <stokes@austin.ibm.com>
Date: Tue, 18 Apr 2000 09:26:38 -0500

All,

Here's summary (short):

1. Moving forward: Rob Byrne's note (10 min)

We reaffirmed the current direction of the ldap access control model.
Section 2 will be re-written to more clearly explain the model (reference
some points supplied in Rob's note on this subject).

2. Granularity of 'write' permission (need consensus) (10 min)

The decision was to divide the write permission (ldapModify operation)
into multiple permissions aligned with the sub-operations of ldapModify.
There is a single alphabetic character per permission.
	'w' means modify/add (write)
	'o' means modify/delete (obliterate)
	The presence of both 'w' and 'o' means modify/replace.

3. Add 'authenticated' pseudo-user (need consensus); also strength of authentication? (10 min)

Helmut will provide a proposal for Apr 18 conference call.

4. Should user need both 'add'(object) and 'write' (attributes) to add a DN/objects and its attributes? (need consensus) (10 min)

The decision is to require 'add' (object) on the parent entry to be able to add child entries AND 'write' on the attributes that are 'added' as part of adding that entry. To delete the added entry, only the 'delete' (object) permission is needed on the the entry to be deleted.

Ellen

Prev by Date: Re: KerberosId/UserID/access-id (two)
Next by Date: summary of Apr 18 ldap access control model conference call
Index(es):
- Chronological
- Thread