[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
grant / deny precedence in draft-ietf-ldapext-acl-model-04.txt
Is there a precedence for the grant / deny actions? If there are two identical ACI values except for the action, which one takes precedence? An example would be:
aci: 1.2.3.4#subtree#grant;r;attribute1#group#cn=Dept XYZ, c=US
aci: 1.2.3.4#subtree#deny;r;attribute1#group#cn=Dept XYZ, c=US
Is this server implementation dependent? I don't think it should be. However, if it must be for some reason I haven't considered, a server should at least advertise its precedence. This information could be put in the Root DSE object. Without this information, different ldap implemenations may not be able to interoperate and maintain desired access control behaviors.
David
<!DOCTYPE HTML PUBLIC "-//W3C//DTD W3 HTML//EN">
<HTML>
<HEAD>
<META content="text/html; charset=iso-8859-1" http-equiv=Content-Type>
<META content='"MSHTML 4.72.3110.7"' name=GENERATOR>
</HEAD>
<BODY bgColor=#ffffff
style="FONT: 10pt Arial; MARGIN-LEFT: 2px; MARGIN-TOP: 2px">
<DIV>Is there a precedence for the grant / deny actions? If there are two
identical ACI values except for the action, which one takes precedence? An
example would be:</DIV>
<DIV> </DIV>
<DIV>
aci: 1.2.3.4#subtree#grant;r;attribute1#group#cn=Dept XYZ,
c=US<BR>
aci: 1.2.3.4#subtree#deny;r;attribute1#group#cn=Dept XYZ, c=US</DIV>
<DIV> </DIV>
<DIV>Is this server implementation dependent? I don't think it should
be. However, if it must be for some reason I haven't considered, a server
should at least advertise its precedence. This information could be put in
the Root DSE object. Without this information, different ldap
implemenations may not be able to interoperate and maintain desired access
control behaviors. </DIV>
<DIV><BR> </DIV>
<DIV>David</DIV></BODY></HTML>