[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
RE: Objections to draft-ietf-ldapext-psearch-01.txt
No mis understanding, the answer is a good one. Its just that something
like putting entries in DITs for "protocol features" as their names and
then assigning User access controls to them - to see if they can use the
protocol feature or not , just never occured to me. I suppose because it
polutes the Users DIT.
Do you have access control regimes for these entries as well?
Do you include these entries in LDAP replication processes? what about
the scope of transaction resource locking and timing out. Does the
"features" entries fit under country, org, OU, OP, OR or anywhere?
I suppose that if the LDAP protocol extensions need to be controlled by
proprietary DIT structures and user access control mechanisms - does
that mean that the LDAP extensions are by definition "proprietary"..
regards alan
> -----Original Message-----
> From: dboreham@netscape.com [SMTP:dboreham@netscape.com]
> Sent: Friday, 21 August 1998 14:28
> To: ietf-ldapext@netscape.com
> Subject: Re: Objections to draft-ietf-ldapext-psearch-01.txt
>
> Alan Lloyd wrote:
> audit records in, etc, etc -- how does one apply a "control"
> "capability/privilege" to users in a distributed world with
> things like
> this?? can we have different extension use/scope according to
> the
> entries they involve??? Compatability is an issue.
> Perhaps this was a rhetorical question, here's an answer:
> In our implementation we create entries in a special DIT
> location (under "cn=Features", from memory). There's
> an object for each whacky extension, identified by the
> control's OID. These entries can be subject to access control.
> Access to the "feature entry" connotes the ability to use the
> feature. This seems to simple and obvious, that I suspect
> I've misunderstood Alan's point.
>
>
>