
Re: rights families in draft-ietf-ldapext-acl-model-04.txt



Thanks for the clarification, Ellen.  From reading the document, I understood the difference between the supportedACIMechanisms and aCIMechanism attributes and how they're used, but the difference between a family and a rights family escaped me.  It would help to have your explanation in the terminology section.

From your description, the BNF needs to be changed to replace the word 'familyOID' with 'rightsFamilyOID'.

The document says that the rights family describes the permissions, dnType, subjectDn and scope.  From your description below, the rights family is the only identifier that describes these four things. The family and aCIMechanisms are simply containers and don't imply anything themselves (other than ultimately listing the supported rights families).  Is that a correct re-statement?

If so, the BNF also needs to change the language "These are the permissions defined for the IETF family OID." to "These are the permissions defined for the LDAPv3 rights family OID." since a rights family is what describes the permissions.

Similarly, section 6.3 needs to change "If the OID within the ACI attribute is listed as other than the IETF family oid" to "If the OID within the ACI attribute is listed as other than the LDAPv3 rights family oid".

Then in 6.4.1, "Pretend IETFFamilyOID = 1.2.3.4" changes to "Pretend LDAPv3RightsFamilyOID = 1.2.3.4".

Finally, the document needs to define the OIDs for the LDAPv3 rights family, IETF family and IETF aCIMechanism.

Jim

>>> Ellen Stokes <stokes@austin.ibm.com> 10/13/99 7:15:19 AM >>>
Jim,

supportedACIMechanisms is listed in the root DSE and specifies the mechanisms that this server supports.

aCIMechanism is listed in a subschema subentry and specifies which supportedACIMechanism applies in that given subtree.

A given aCIMechanism can support one or more families.  An example of a family might be IETF or Novell.

A given family can support one or more rights families.  For example, the IETF family might support an LDAPv3 rights family and later a LDAPv3-extended rights family.

The above mechanisms allow for flexibility and extension.

Ellen


At 05:38 PM 10/11/1999 -0600, Jim Sermersheim wrote:
>There are some confusing inconsistencies in the way this document talks about rights families/family oids/aci mechanisms.
>
>It talks about the 'supportedACIMechanisms' and the 'aCIMechanism' attributes in section 5.1 and 5.2. 5.1 uses the term 'LDAPv3' to name the mechanism defined in this document.
>
>The BNF in 6.1 uses the term 'familyOID' to describe the mechanism, and 'IETF family OID' when describing the permissions.
>
>In 6.2.1, it talks about a 'rightsFamilyOID'.  The definition of this OID is loosely tied to the 'aCIMechanism' attribute (the word is mentioned in the section), but it's not explicit. It also talks about there being an 'IETF aCIMechanism', and then defines an 'LDAPv3 rights family'.
>
>Subsequent sections use the term 'IETF rights family' or 'IETFFamilyOID'.
>
>I think all these terms are talking about the same thing but it's not clear.  We should avoid confusion and settle on either aci mechanism or rights family or family oid when talking about specifying one of these mechanisms, and settle on LDAPv3 or IETF when talking about the particular mechanism that this document describes.
>
>Jim
>