
Re: grant / deny precedence in draft-ietf-ldapext-acl-model-04.txt



> "Miklos, Sue A." wrote:
> 
> To clarify (which I almost always have to do) -
> 
> If an access control model exists with a range of accesses associated
> (individual, roles, group of names, etc.) and if ACI are present, the
> default condition should ensure that, until all criteria are
> successfully met, a deny exists. If there are any ambiguities when
> determining rights, always default to a deny.
> 
> I am somewhat confused about your first case... If there are no access
> control rules, then the condition is not relevant.  If there are no
> criteria imposed to access the repository, then it should be
> accessible (and modifiable?) by all.  The absence of ACI implies that
> all information contained within meets the "front page of the New York
> Times" criteria... publicly available to all.

The best behavior when an access control scheme is in effect and
supported by a server but no aci attributes exist is subject to debate. 
Different implementations have chosen different paths.  For example, in
the University of Michigan LDAP 3.3 slapd code, the absence of any
access control configuration provides read access to everyone but in
Netscape Directory Server (all versions so far) the same situation
results in no access to anyone.  I prefer the latter behavior because it
is safer.
  
-- 
Mark Smith
iPlanet Directory Architect / Sun-Netscape Alliance
My words are my own, not my employer's.   Got LDAP?
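The two "no ACI present" behaviours contrasted above, plus the fail-closed rule from the quoted message (explicit deny wins, ambiguity means deny), as an added toy evaluator. This is example code written for this page, not the draft's model nor code from slapd or Netscape Directory Server; the ACI shape, subject syntax and policy names are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Iterable, List, Set


@dataclass(frozen=True)
class Aci:
    """Constructed, simplified ACI: who it covers, which right, grant or deny."""
    subject: str   # "anyone", "group:<name>" or "user:<dn>" (hypothetical syntax)
    right: str     # e.g. "read", "write"
    effect: str    # "grant" or "deny"


def applies(aci: Aci, user: str, groups: Iterable[str]) -> bool:
    """Does this ACI's subject clause cover the requesting user?"""
    if aci.subject == "anyone":
        return True
    if aci.subject.startswith("group:"):
        return aci.subject[len("group:"):] in set(groups)
    return aci.subject == f"user:{user}"


def decide(acis: List[Aci], user: str, groups: Set[str], right: str,
           no_aci_policy: str = "none") -> bool:
    """Return True if `right` is allowed for `user`.

    no_aci_policy models the divergence described in the reply:
      "read-all" -> UMich slapd 3.3 style: no ACL config gives everyone read
      "none"     -> Netscape Directory Server style: no ACI gives no access
    Once any ACI exists, evaluation is fail-closed: a matching deny beats any
    grant, and a request with no matching grant at all is denied.
    """
    if not acis:
        return no_aci_policy == "read-all" and right == "read"
    matching = [a for a in acis if a.right == right and applies(a, user, groups)]
    if any(a.effect == "deny" for a in matching):
        return False  # deny precedence: an explicit deny is never overridden
    return any(a.effect == "grant" for a in matching)  # no grant -> deny


if __name__ == "__main__":
    # Constructed sample: everyone may read, except members of "blocked".
    sample = [Aci("anyone", "read", "grant"), Aci("group:blocked", "read", "deny")]
    print(decide([], "cn=a", set(), "read", "read-all"))   # True  (UMich style)
    print(decide([], "cn=a", set(), "read", "none"))       # False (Netscape style)
    print(decide(sample, "cn=a", {"blocked"}, "read"))     # False (deny wins)
    print(decide(sample, "cn=a", set(), "write"))          # False (no grant)
```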