
Empty rights list in draft-ietf-ldapext-acl-model-04.txt



The BNF in section 6.1 defines rights as:

          < rights > ::= [  ]   |   [ < right > + [ '$'
                         + <right> ] * ]

This allows the rights part of the acl entry syntax to be empty and section 6.3 gives an example of an empty rights ACI:

             aci: 1.2.3.4#subtree##group#cn=Dept XYZ, c=US

It goes on to say the interpretation of an empty rights ACI is server dependent. What is the purpose and/or value of allowing this type of ACI? If the interpretation of grant or deny is server dependent, it surely can't promote interoperability between LDAP server vendors.

David
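
Added example, not part of the original message or of the draft: a small audit that flags ACI values whose rights field is empty, since their effect is server dependent. The five-field '#' layout is an assumption inferred from the one example quoted above, and the right names in the constructed samples are placeholders.

```python
# Added example: audit ACI values for an empty rights field.
# Assumption: five '#'-separated fields (oid#scope#rights#dnType#subjectDN),
# inferred from the single example quoted in the message.

def parse_aci(line):
    """Parse 'aci: a#b#c#d#e' into a dict; raise ValueError if malformed."""
    name, sep, value = line.partition(":")
    if not sep or name.strip().lower() != "aci":
        raise ValueError("not an aci attribute line")
    # maxsplit=4 keeps any '#' inside the subject DN intact.
    parts = [p.strip() for p in value.split("#", 4)]
    if len(parts) != 5:
        raise ValueError("expected 5 '#'-separated fields")
    oid, scope, rights, dn_type, subject = parts
    # Right tokens are treated as opaque strings separated by '$'.
    tokens = [r.strip() for r in rights.split("$")] if rights else []
    if any(not t for t in tokens):
        raise ValueError("empty right next to a '$' separator")
    return {"oid": oid, "scope": scope, "rights": tokens,
            "dn_type": dn_type, "subject": subject}


def audit(lines):
    """Return (line, finding) pairs for ACIs whose effect is ambiguous."""
    findings = []
    for line in lines:
        try:
            aci = parse_aci(line)
        except ValueError as exc:
            findings.append((line, "malformed: %s" % exc))
            continue
        if not aci["rights"]:
            findings.append((line, "empty rights: effect is server dependent"))
    return findings


SAMPLE = [
    "aci: 1.2.3.4#subtree##group#cn=Dept XYZ, c=US",               # from the message
    "aci: 1.2.3.4#subtree#rightA$rightB#group#cn=Dept XYZ, c=US",  # constructed
    "aci: 1.2.3.4#subtree#rightA$#group#cn=Dept XYZ, c=US",        # constructed
]

if __name__ == "__main__":
    for line, finding in audit(SAMPLE):
        print(finding, "|", line)
```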