Re: LDAP ACLs



-----Original Message-----
From: Leslie Daigle <leslie@Bunyip.Com>
To: Paul Leach <paulle@MICROSOFT.com>
Cc: ietf-ldapext@netscape.com <ietf-ldapext@netscape.com>
Date: Thursday, April 30, 1998 2:32 PM
Subject: Re: LDAP ACLs


>Paul,
>
>On Wed, 29 Apr 1998, Paul Leach wrote:
>> Neither a standardized replication protocol nor standardized ACLs are
>> absolutely needed for white pages applications.
>
>Nonsense!  It may be that, in _your_ applications for white pages information,
>you don't need ACLs, but it certainly is not true for all the participants
>in this discussion.

So I guess that without ACLs, white pages applications are impossible.
So there must not be any. So those LDAP pages whitepages servers out
there must be figments of my imagination.

That's what I meant by "absolutely required" -- useful white pages
applications (not just my own) are possible without them.

In fact, as Steve Kille pointed out, the client-server interaction
barely needs them at all -- ACL management is just that -- a
management function, not typically needed by ordinary clients.

>
>On Wed, 29 Apr 1998, Paul Leach wrote:
>> > i.  If such a Universal ACL registry existed, it would
>> >     be fair to say that LDAP should be made to use it.
>> 
>> No such registry is needed. OIDs can be generated in a decentralized
>> fashion. LDAPEXT can define one OID, and one of the ACL formats. We'll
>> define another one of each.
>
>I think the follow-on exchange between yourself and Chris Newman does illustrate
>my point -- just developing the _requirements_ for a universal solution
>(registry, model, semantics description language, whatever) leads to the
>fact that this problem is not well enough understood for a general solution
> -- and certainly not in this group.

I never said there should be a universal solution. In fact I said the
opposite. I proposed that the protocol for fetching the ACL attribute
should recognize the fact that there will be different solutions, and
provide a mechanism for tagging which solution is in use.


>
>> Have you seen NT5 beta 1? Its LDAP DS has much more than people in
>> it (computers, disk volumes, sites, groups, organizations, to name a
>> few -- about 300 classes in all), even though it doesn't yet fully
>> integrate all files and registry objects.
>
>I'm afraid you've missed my point -- I never claimed LDAP could not or
>should not be used for applications other than whitepages.

You asked for an existence proof that it could be used for other
applications (which part of the message you conveniently snipped out).
I gave one.

Paul