
Re: delete operation in draft-ietf-ldapext-acl-model-04.txt



David,
I agree with your statements on delete (I guess I missed this one
in cleanup).  If the last value of an attribute is deleted, then
that attribute is removed - that's the LDAP definition.  I'll fix.
Ellen


At 04:41 PM 10/12/1999 -0600, David Ward wrote:
>In section "6.3.1 LDAP Operations" there is the following paragraph:
>
>          Deleting the last ACI value from an entry is not the same as
>          deleting the ACI from the entry. It is possible for an entry
>          to contain an ACI with no values. In this case, nothing is
>          returned to the client when querying the aci. It is server
>          dependent whether access is granted or denied in the absence
>          of any ACI information.  Deleting an ACI value which does
>          not exist will result in an unchanged ACI and a return code
>          specifying that the attribute value does not exist.
>
>What is the purpose of explicitly separating deleting the ACI attribute
>and deleting the last value of the ACI attribute?  If no attribute is
>present, there is no information.  If a valueless attribute is present (is
>this possible?), there is no information.  However, in the valueless
>attribute case, grant/deny interpretation is server dependent.  This seems
>strange, am I reading this wrong?  The document states the acl model is
>based upon inheritance.  Therefore, an object with no ACI information
>inherits it from its parent object.
>
>
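
The delete semantics agreed in this thread, modeled as an added example that is not part of either message or of the draft: deleting the last value removes the attribute, deleting an absent value returns noSuchAttribute, and an entry left without ACI falls back to its parent. The attribute name `aci`, the DNs, the ACI strings and the parent-walk lookup are constructed assumptions for illustration.

```python
# Toy in-memory directory (added illustration; not an LDAP client or server).
SUCCESS = 0
NO_SUCH_ATTRIBUTE = 16  # LDAP result code noSuchAttribute


class Directory:
    def __init__(self):
        self.entries = {}  # dn -> {attribute name: [values]}

    def add(self, dn, **attrs):
        self.entries[dn] = {name: list(vals) for name, vals in attrs.items()}

    def modify_delete(self, dn, attr, value):
        """Delete one value; the attribute disappears with its last value."""
        values = self.entries[dn].get(attr)
        if values is None or value not in values:
            return NO_SUCH_ATTRIBUTE  # entry is left unchanged
        values.remove(value)
        if not values:
            del self.entries[dn][attr]  # no valueless attribute is kept
        return SUCCESS

    def effective_aci(self, dn):
        """Walk toward the root until an entry that carries ACI values is found."""
        while dn:
            aci = self.entries.get(dn, {}).get("aci")
            if aci:
                return dn, list(aci)
            # Strip the leftmost RDN (sample DNs contain no escaped commas).
            _, _, dn = dn.partition(",")
        return None, []  # no ACI anywhere: grant/deny is up to the server


def demo():
    d = Directory()
    d.add("o=example", aci=["constructed-parent-aci"])
    d.add("ou=people,o=example", aci=["constructed-child-aci"])
    child = "ou=people,o=example"
    first = d.modify_delete(child, "aci", "constructed-child-aci")
    second = d.modify_delete(child, "aci", "constructed-child-aci")
    return first, second, "aci" in d.entries[child], d.effective_aci(child)


if __name__ == "__main__":
    print(demo())
```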