delete operation in draft-ietf-ldapext-acl-model-04.txt
In section "6.3.1 LDAP Operations" there is the following paragraph:
    Deleting the last ACI value from an entry is not the same as
    deleting the ACI from the entry. It is possible for an entry
    to contain an ACI with no values. In this case, nothing is
    returned to the client when querying the aci. It is server
    dependent whether access is granted or denied in the absence
    of any ACI information. Deleting an ACI value which does
    not exist will result in an unchanged ACI and a return code
    specifying that the attribute value does not exist.
What is the purpose of explicitly separating deleting the ACI attribute and deleting the last value of the ACI attribute? If no attribute is present, there is no information. If a valueless attribute is present (is this possible?), there is no information. However, in the valueless attribute case, grant/deny interpretation is server dependent. This seems strange, am I reading this wrong? The document states the ACL model is based upon inheritance. Therefore, an object with no ACI information inherits it from its parent object.