
Questions and comments re: draft-ietf-ldapext-acl-model-03.txt



I have a few comments and questions for your consideration, please.

Thanks,
-----------
a) Delegation

Section 2 states "...No mechanisms are defined in this document to control
access control information...or for storage..." Is it possible, without
exceeding the desired scope of the model, to include a means to determine
which of the ACI operations (ACI_GRANT,...) a particular subject has over a
particular scope/filter? I believe that this would help enable a more
generic LDAP management tool, and enhance application portability. (Perhaps
the definitions of LDAP rights in Section 5.2.1.1 and the GetEffectiveRights
controls could be extended, and this added to LDIF?)

b) Section 5.2.1.1

The sentence "...Rights that apply to the object to which the directory object
points..." is not clear to me, especially since Get and Set attribute values
follow.

c) Section 7

Says "...Three LDAP controls are defined..." but only two follow. Is the
count wrong or is something missing?

d) Section 7.2.1

"...this control is included in the ldap_bind..."

1) Is there any reason not to allow this control in any ldap request
message, potentially saving any overhead involved with processing the
credentials until actually needed, if at all? And/or use a new extension
request/response to specify credentials?

2) Similarly, can the server defer evaluating the credentials until needed,
and return a 'credentials pending' type of response?

3) The section refers to "...server determines (pulls) the credentials...when
needed in subsequent ldap operations..." However, it wasn't clear how it
could do that with the controls and extensions defined.

e) Section 8

Starts referring to "Two extended operations" but I only noticed one.
Is the count wrong or is something missing?

[end]

--------
Steve Miller                    Software.com, Inc.
steve.miller@software.com       91 Hartwell Ave.
Phone: 781-274-7000x386         Lexington, MA 02173
Fax:   781 674-1080             http://www.software.com