
Management domains and access controls



Ellen,





Regarding sections 5.1.1 and 5.1.2 (supportedACIMechanisms), X.500 has taken a slightly different approach from yours. X.500 only allows a single ACI mechanism to be specified per administrative domain rather than per naming context as in 5.1.2. An administrative domain may span multiple naming contexts, or a naming context may contain multiple administrative domains. This is because in X.500 the distribution model (based on naming contexts) is separated from the management model (based on administrative domains). A single management authority may run a centralised DIT or a distributed DIT, but the management of the whole domain should not need to change because of this, i.e. simply because one naming context becomes many. Similarly, a large company may hold all its information in one naming context in one big server but may wish to split this into different management domains. Therefore there is a mismatch between the LDAP and the X.500 models. Subschema entries in your document are attached to naming contexts, whereas in X.500 they are attached to management domains (administrative points). Obviously in many cases, where one company has its DIT in one server and one entity manages it all (i.e. one naming context is one management domain), they will be the same. But this will not always be the case. Do you or the LDAP group propose to address this fundamental modelling difference or not? As I read it, it is not possible for an LDAP server to hold different management domains, with different access control schemes and different schemas, in different parts of the naming context. Is this how you read it?



As a separate issue, do you still have the same definition of a naming context as X.500 does? An X.500 naming context is maximal. In other words, you cannot divide a subtree of entries held in a single server into several naming contexts. In X.500 these would be different administrative domains within a single naming context.



David




***************************************************

David Chadwick
IT Institute, University of Salford, Salford M5 4WT
Tel +44 161 295 5351  Fax +44 161 745 8169
*NEW* Mobile +44 790 167 0359 *NEW*
Email D.W.Chadwick@iti.salford.ac.uk
Home Page  http://www.salford.ac.uk/its024/chadwick.htm
Understanding X.500  http://www.salford.ac.uk/its024/X500.htm
X.500/LDAP Seminars http://www.salford.ac.uk/its024/seminars.htm
Entrust key validation string MLJ9-DU5T-HV8J

***************************************************
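The mismatch David describes, as an added worked example that is not part of the original message, the LDAP draft, or any X.500 implementation: a toy DIT in which naming contexts (maximal subtrees held on one server) and administrative areas (subtrees below an administrative point) are resolved independently for each entry. The DIT, the server assignment and the mechanism/schema labels are constructed for illustration, and an administrative point is modelled as an entry carrying its ACI mechanism and subschema label directly rather than via the subentries X.500 would use.

```python
"""Toy model of the X.500 administrative model versus a per-naming-context
model in which one ACI mechanism is attached to each naming context.

Added example, not code from the e-mail, from the LDAP draft or from any X.500
product. The DIT, the server assignment and the mechanism/schema labels below
are constructed for illustration; DNs are plain strings used as dictionary keys.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Entry:
    parent: Optional[str]          # DN of the superior entry, None for a root
    server: str                    # DSA that holds this entry
    # Non-None on an administrative point; stands in for the subentries that
    # X.500 would hang under that point to carry ACI and subschema.
    aci_mechanism: Optional[str] = None
    subschema: Optional[str] = None

    @property
    def is_admin_point(self) -> bool:
        return self.aci_mechanism is not None


# Constructed sample DIT. Servers A, B and C each hold one naming context;
# c=GB and ou=IT Institute are administrative points (assumed labels).
DIT: Dict[str, Entry] = {
    "c=GB": Entry(None, "A", "basicACI", "schema-GB"),
    "o=Salford,c=GB": Entry("c=GB", "A"),
    "ou=IT Institute,o=Salford,c=GB": Entry("o=Salford,c=GB", "A", "simplifiedACI", "schema-ITI"),
    "cn=David,ou=IT Institute,o=Salford,c=GB": Entry("ou=IT Institute,o=Salford,c=GB", "A"),
    "o=BigCorp,c=GB": Entry("c=GB", "B"),
    "ou=Sales,o=BigCorp,c=GB": Entry("o=BigCorp,c=GB", "C"),
}


def naming_context_of(dit: Dict[str, Entry], dn: str) -> str:
    """Context prefix of the naming context holding dn.

    A naming context is maximal: walk up while the superior sits on the same
    server, so a subtree held on one server is never split into several contexts.
    """
    while True:
        entry = dit[dn]
        if entry.parent is None or dit[entry.parent].server != entry.server:
            return dn
        dn = entry.parent


def admin_point_of(dit: Dict[str, Entry], dn: str) -> str:
    """Nearest administrative point at or above dn; it governs dn's ACI and schema."""
    while not dit[dn].is_admin_point:
        if dit[dn].parent is None:
            raise ValueError(f"{dn} is not under any administrative point")
        dn = dit[dn].parent
    return dn


def mechanisms_per_naming_context(dit: Dict[str, Entry]) -> Dict[str, Set[str]]:
    """ACI mechanisms actually in force inside each naming context."""
    out: Dict[str, Set[str]] = {}
    for dn in dit:
        mech = dit[admin_point_of(dit, dn)].aci_mechanism
        out.setdefault(naming_context_of(dit, dn), set()).add(mech)
    return out


def contexts_per_admin_area(dit: Dict[str, Entry]) -> Dict[str, Set[str]]:
    """Naming contexts that each administrative area reaches into."""
    out: Dict[str, Set[str]] = {}
    for dn in dit:
        out.setdefault(admin_point_of(dit, dn), set()).add(naming_context_of(dit, dn))
    return out


def model_mismatches(dit: Dict[str, Entry]) -> Dict[str, List[str]]:
    """Where a single ACI mechanism per naming context cannot describe the DIT."""
    return {
        "contexts_with_several_mechanisms": sorted(
            ctx for ctx, m in mechanisms_per_naming_context(dit).items() if len(m) > 1),
        "areas_spanning_several_contexts": sorted(
            ap for ap, c in contexts_per_admin_area(dit).items() if len(c) > 1),
    }


if __name__ == "__main__":
    for dn in DIT:
        print(f"{dn:42} context={naming_context_of(DIT, dn):28} "
              f"admin point={admin_point_of(DIT, dn)}")
    print(model_mismatches(DIT))
```

In this DIT the naming context rooted at c=GB contains two administrative areas with different ACI mechanisms, and the area administered from c=GB reaches into the naming contexts on servers B and C; the per-naming-context attribute can express neither, which is the point raised above.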