
Re: Management domains and access controls



David,

>>The ACIMechanism  attribute
>> describes the ACI mechanism which is used at that point in the tree.
>
>This is where the difference is. In LDAP the point in the tree (from
>my reading) is the context prefix of the naming context, and it
>applies to the whole naming context. In X.500, the point in the tree is
>an administrative point that bears NO relationship to a naming
>context.
>
>...this is not the point I was making. My point is, where
>conceptually in the global DIT are the points at which ACI
>Mechanisms can be placed. Should these be co-located with the
>points of distribution or not. X.500 says not, LDAP says yes. This is
>the fundamental difference as I read it

You're correct; this is different, and you've correctly described the difference
(though I could quibble and say that in X.500, the subentry in the administrative
point explicitly defines its relationship to the naming context, rather than that
there's no relationship...)

I'd note that your term "conceptually" is about right here; the administrative
protocol directs the policy update command at the context prefix, but the backing
store is free to store the policy "wherever and however" it wishes.  So, for example,
an X.500 directory acting as an LDAP server is free to

    (1) receive a policy command which directs it to apply a particular access
        control policy to a particular subtree
    (2) express that policy command in the X.500 policy language (including
        for example explicit denial)
    (3) store the resulting policy language expression anywhere it wants (for
        example, in a subentry in a node *above* the context prefix of the naming
        context).
--bob

Bob Blakley (blakley@dascom.com)
Chief Scientist, Dascom
-----Original Message-----
From: David Chadwick <d.w.chadwick@iti.salford.ac.uk>
To: djbyrne@us.ibm.com <djbyrne@us.ibm.com>; ietf-ldapext@netscape.com
<ietf-ldapext@netscape.com>
Cc: Ellen Stokes <stokes@austin.ibm.com>; Bob Blakley <blakley@dascom.com>
Date: Thursday, April 29, 1999 5:08 AM
Subject: Re: Management domains and access controls
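The three steps Bob lists (receive a policy command addressed at a naming-context prefix, express it as X.500-style ACI items including an explicit deny, and store it in a subentry at an administrative point above the context prefix) as an added toy model. This is example code written for this page, not code from the thread or from any real LDAP or X.500 server; the DNs, attribute names, ACI fields and the precedence/tie-break rule are constructed for illustration and simplify X.500 Basic Access Control.

```python
"""Toy model of LDAP policy commands stored as X.500 subentries.

Added example, not from the original thread.  DNs are root-first tuples of
RDN strings, e.g. ("c=us", "o=example").  All names below are constructed.
"""
from dataclasses import dataclass, field

DN = tuple


@dataclass(frozen=True)
class ACIItem:
    """One simplified X.500-style ACI item; "deny" is an explicit denial."""
    precedence: int
    user: str        # user DN string, or "*" for any user
    attribute: str   # attribute type, or "*" for any attribute
    operation: str   # "read" or "modify"
    permission: str  # "grant" or "deny"


@dataclass
class Subentry:
    """Held at an administrative point; its subtree specification (here just a
    base DN) is what ties the stored policy back to the naming context."""
    base: DN
    acis: list = field(default_factory=list)


class Directory:
    def __init__(self):
        # administrative point DN -> subentries stored there
        self.admin_points = {}

    @staticmethod
    def is_prefix(prefix: DN, dn: DN) -> bool:
        return len(prefix) <= len(dn) and dn[: len(prefix)] == prefix

    def apply_ldap_policy(self, context_prefix: DN, rules, admin_point: DN):
        """Steps (1)-(3): the LDAP command is addressed at the context prefix,
        is translated into ACI items, and is stored in a subentry at an
        administrative point at or above that prefix (backing store's choice)."""
        if not self.is_prefix(admin_point, context_prefix):
            raise ValueError("administrative point must be at or above the prefix")
        sub = Subentry(base=context_prefix, acis=[ACIItem(*r) for r in rules])
        self.admin_points.setdefault(admin_point, []).append(sub)
        return sub

    def applicable_acis(self, entry: DN):
        """Walk every administrative point covering the entry and collect the
        ACI items whose subentry subtree specification also covers it."""
        found = []
        for ap, subentries in self.admin_points.items():
            if self.is_prefix(ap, entry):
                for sub in subentries:
                    if self.is_prefix(sub.base, entry):
                        found.extend(sub.acis)
        return found

    def decide(self, entry: DN, user: str, attribute: str, operation: str) -> bool:
        """Highest precedence wins; at equal precedence deny beats grant; with
        no matching ACI item at all the request is denied (constructed rule)."""
        best = None
        for aci in self.applicable_acis(entry):
            if aci.user not in ("*", user) or aci.operation != operation:
                continue
            if aci.attribute not in ("*", attribute):
                continue
            if best is None or aci.precedence > best.precedence or (
                aci.precedence == best.precedence and aci.permission == "deny"
            ):
                best = aci
        return best is not None and best.permission == "grant"


def demo():
    """Constructed scenario: the LDAP naming context ou=people is managed
    from an administrative point one level above its context prefix."""
    d = Directory()
    people = ("c=us", "o=example", "ou=people")   # LDAP context prefix
    admin_point = ("c=us", "o=example")           # X.500 administrative point
    rules = [
        (10, "*", "*", "read", "grant"),                  # everyone may read
        (20, "*", "userPassword", "read", "deny"),        # explicit denial
        (30, "cn=admin", "userPassword", "read", "grant"),  # admin override
    ]
    sub = d.apply_ldap_policy(people, rules, admin_point)
    bob = people + ("cn=bob",)
    groups = ("c=us", "o=example", "ou=groups", "cn=admins")  # outside context
    stored_at = [ap for ap, subs in d.admin_points.items() if sub in subs][0]
    return {
        "alice_reads_mail": d.decide(bob, "cn=alice", "mail", "read"),
        "alice_reads_password": d.decide(bob, "cn=alice", "userPassword", "read"),
        "admin_reads_password": d.decide(bob, "cn=admin", "userPassword", "read"),
        "groups_entry": d.decide(groups, "cn=alice", "cn", "read"),
        "stored_at": stored_at,
    }


if __name__ == "__main__":
    print(demo())
```

The point the model makes is the one in the message: the policy is addressed at ou=people but lives in a subentry at o=example, and it is the subentry's subtree specification, not the storage location, that decides which entries it governs (ou=groups gets nothing from it, and the explicit deny on userPassword survives the translation).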