Re: LDAP Access Control



>QUESTION 1: Do you believe LDAPEXT should be trying to define
>requirements, framework, and/or a model for access control in
>LDAP directories?
>

Yes, providing the distinction between LDAP as a general
directory access protocol and "LDAP" as a directory server
technology is clearly defined.

>QUESTION 2: Do you basically support the access control
>requirements draft (draft-ietf-ldapext-acl-reqts-00.txt)?
>

Yes.

>QUESTION 3: Do you basically support the access control model
>draft (draft-ietf-ldapext-acl-model-00.txt)?
>

No.

>QUESTION 4: Do you think we should adopt the X.500(1993)
>basic access control model as the starting point for the LDAP
>access control model?
>

Yes. This model has already been implemented and proven in a
variety of LDAP server products worldwide and it would thus
make sense to base the LDAP standards-track model on it (or
a subset of it, whilst not ruling out any useful extensions
either).

>QUESTION 5: Do you think we should specify only a framework
>for identifying access control models, and not define a
>single standards-track model for LDAP at this time?
>

I would vote for a single standards-track model based around
X.500 basic access control as the default mechanism for use
in general, distributed environments (e.g. where replication
is in use).

However, it would also be useful to have a framework which
allowed other (non-standard) access control mechanisms to be
configured in to meet specific business or environmental
requirements.

Keith Richardson,
ICL, Manchester, UK