
Re: rights families in draft-ietf-ldapext-acl-model-04.txt



Jim,

supportedACIMechanisms is listed in the root DSE and specifies the
mechanisms that this server supports.

aCIMechanism is listed in a subschema subentry and specifies which
supportedACIMechanism applies in that given subtree.

A given aCIMechanism can support one or more families.  An example of a
family might be IETF or Novell.

A given family can support one or more rights families.  For example, the
IETF family might support an LDAPv3 rights family and later an
LDAPv3-extended rights family.

The above mechanisms allow for flexibility and extension.

Ellen


At 05:38 PM 10/11/1999 -0600, Jim Sermersheim wrote:
>There are some confusing inconsistencies in the way this document talks about rights families/family oids/aci mechanisms.
>
>It talks about the 'supportedACIMechanisms' and the 'aCIMechanism' attributes in section 5.1 and 5.2. 5.1 uses the term 'LDAPv3' to name the mechanism defined in this document.
>
>The BNF in 6.1 uses the term 'familyOID' to describe the mechanism, and 'IETF family OID' when describing the permissions.
>
>In 6.2.1, it talks about a 'rightsFamilyOID'.  The definition of this OID is loosely tied to the 'aCIMechanism' attribute (the word is mentioned in the section), but it's not explicit. It also talks about there being an 'IETF aCIMechanism', and then defines an 'LDAPv3 rights family'.
>
>Subsequent sections use the term 'IETF rights family' or 'IETFFamilyOID'.
>
>I think all these terms are talking about the same thing but it's not clear.  We should avoid confusion and settle on either aci mechanism or rights family or family oid when talking about specifying one of these mechanisms, and settle on LDAPv3 or IETF when talking about the particular mechanism that this document describes.
>
>Jim
>