
search right in draft-ietf-ldapext-acl-model-04.txt



Section 6.2.1.1 describes attribute rights (read / write / search / compare) and entry rights (add / delete / editDN). In my opinion, the "search" right should be applied at the entry level, not the attribute level. I would argue that you search an object and possibly its subordinate objects, and objects that match the search criteria are returned. This makes it easy to grant or deny searching in portions of the directory.

When applied at the attribute level, are you granting or denying the search operation?  I would argue no.  You are only restricting the attributes that can be used in the search filter.  I guess you could prevent the search operation by denying search for all attributes.  

I think the compare right effectively does the same thing as the attribute level search right. By denying compare on an attribute, would not the equivalence check fail during the search operation? The user does not have the rights to compare it.

David