
Re: LDAP ACLs



On Wed, 29 Apr 1998, Paul Leach wrote:
> This is similar to the approach adopted by WebDAV (and possibly IMAP
> -- we had reports from IMAP WG people when WebDAV was considering
> ACLs, and that's what I thought they said, but I'm not positive I
> understood it completely. I do recall they said that they were unable
> to come up with any universal ACL format.)

The IMAP ACL extension (RFC 2086) is one of the first serious experiments
with ACLs in an application protocol in the IETF (of which I'm aware). 
The current extension has been implemented by multiple client and server
vendors, but includes very few mandatory semantics for ACLs.  The
implementation experience from clients is that this is inadequate: the
ACLs should have much more precisely specified semantics because it's very
hard to build an acceptable GUI otherwise.  There will probably be an
IMAPEXT WG formed to revise this extension and look at other proposed
extensions which interact with it.

As a result, the ACLs included in ACAP (RFC 2244) have more mandatory
semantics.

> My proposal was this:  
> 1. any given server implementation would store and support exactly one
> kind of ACL -- the kind that it could enforce, either itself or with
> the help of its friendly local OS.
> 2. However, there might be several different kinds of ACL formats,
> for different servers. Each format would have an OID associated with
> it.
> 3. There would be a standardized way for clients to ask a server for
> the ACL associated with an object. What that request would return
> would be an ACL format OID, and then the ACL in that format.
> 4. There would be a standardized way for clients to ask a server to
> set the ACL associated with an object. That request would take an ACL
> format OID, and then an ACL in that format. If the format wasn't the
> one supported by that server, the request would fail.

I wouldn't object to this under the condition that there was one set of
ACL semantics (with one label) that was mandatory-to-implement.  Without a
single set of mandatory-to-implement semantics, there's no
interoperability.  I know you're familiar with this problem in related
fields.

While I understand the problems you have with implementing another ACL
model when there is already a system-wide model on your OS-of-choice, the
IETF has no requirement to accommodate those needs since the ACL models on
the various operating systems out there are not IETF standards.  In fact,
some operating system ACL models (e.g., POSIX) are so arcane they serve as
a good example of what not to do.  While considering existing ACL models
is important, the IETF needs to be free to design an ACL model which best
serves the protocol in question.  Eventually, I'd like to see an IETF ACL
model across all IETF protocols if possible, but I don't think we have
enough experience to do that yet. 

		- Chris
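The get/set-with-format-OID proposal quoted above, combined with the reply's condition that one ACL format be mandatory-to-implement, as an added illustration that is not code from the thread or from any of the protocols it mentions. Every OID, format name and rights letter below is a constructed placeholder, and the mapping from the mandatory semantics onto each server's native format is assumed for the demonstration.

```python
# Added illustration: each server enforces exactly one native ACL format,
# identified by an OID, but every server must also accept one
# mandatory-to-implement format so that a client speaking only that
# format interoperates with all of them.  All OIDs, format names and
# rights letters are constructed placeholders, not values from any RFC.
MANDATORY_OID = "1.3.6.1.4.1.99999.1"    # placeholder: required base format
RWX_OID = "1.3.6.1.4.1.99999.2"          # placeholder: OS-style "rwx" format
LETTERS_OID = "1.3.6.1.4.1.99999.3"      # placeholder: rights-letters format

# Mandatory format: {subject: set of "read"/"write"/"admin"}.  Each server
# maps these three semantics onto its own native rights string.
RWX_MAP = {"read": "r", "write": "w", "admin": "x"}
LETTERS_MAP = {"read": "lr", "write": "wi", "admin": "a"}


class FormatError(ValueError):
    """Set request carried an ACL format this server cannot enforce."""


class AclServer:
    def __init__(self, native_oid, native_map):
        self.native_oid = native_oid
        self.native_map = native_map
        self.acl = {}                     # subject -> native rights string

    def get_acl(self):
        # Response is the format OID followed by the ACL in that format.
        return self.native_oid, dict(self.acl)

    def set_acl(self, oid, entries):
        if oid == self.native_oid:
            self.acl = dict(entries)
        elif oid == MANDATORY_OID:
            self.acl = {subj: "".join(self.native_map[r]
                                      for r in ("read", "write", "admin")
                                      if r in rights)
                        for subj, rights in entries.items()}
        else:
            raise FormatError(f"unsupported ACL format {oid}")
        return self.get_acl()


def interop_demo():
    """Return (results from a mandatory-format client, error from a native-only one)."""
    servers = [AclServer(RWX_OID, RWX_MAP), AclServer(LETTERS_OID, LETTERS_MAP)]
    portable = {"alice": {"read", "write"}, "bob": {"read"}}
    # A client speaking only the mandatory format succeeds against both servers.
    results = [srv.set_acl(MANDATORY_OID, portable) for srv in servers]
    # A client that only knows the first server's native format fails on the second.
    try:
        servers[1].set_acl(RWX_OID, {"alice": "rw"})
        error = None
    except FormatError as exc:
        error = str(exc)
    return results, error
```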