
delete operation in draft-ietf-ldapext-acl-model-04.txt



In section "6.3.1 LDAP Operations" there is the following paragraph:

          Deleting the last ACI value from an entry is not the same as
          deleting the ACI from the entry. It is possible for an entry
          to contain an ACI with no values. In this case, nothing is
          returned to the client when querying the aci. It is server
          dependent whether access is granted or denied in the absence
          of any ACI information.  Deleting an ACI value which does
          not exist will result in an unchanged ACI and a return code
          specifying that the attribute value does not exist.

What is the purpose of explicitly separating deleting the ACI attribute and deleting the last value of the ACI attribute?  If no attribute is present, there is no information.  If a valueless attribute is present (is this possible?), there is no information.  However, in the valueless attribute case, grant/deny interpretation is server dependent.  This seems strange; am I reading this wrong?  The document states the ACL model is based upon inheritance.  Therefore, an object with no ACI information inherits it from its parent object.