
Re: vendorACI attribute in draft-ietf-ldapext-acl-model-04.txt



No, I don't think we should specify the attribute type for access
control information at all (except for the LDAPv3 scheme).  In other
words, the aCIMechanism should just specify the OID for a scheme and
clients and servers that have knowledge of a particular scheme will just
need to know what attribute type is used for storing the access control
information.  I just don't think we can mandate use of a particular type
like vendorACI.  Some schemes may use more than one attribute type.  And
so on.

-- 
Mark Smith
iPlanet Directory Architect / Sun-Netscape Alliance
My words are my own, not my employer's.   Got LDAP?



Ellen Stokes wrote:
> 
> Mark,
> Currently, aCIMechanism is just a list of OIDs of access control mechanisms
> supported in a given naming context. Are you proposing that we extend this
> format to say a structured LDAPstring to indicate not only the mechanism but
> the attributes associated with that mechanism?
> Ellen
> 
> At 09:09 AM 10/15/1999 -0400, Mark Smith wrote:
> >Ellen Stokes wrote:
> >>
> >> David,
> >> The intent of vendorACI is to provide a way in which to allow non-LDAP
> >> defined ACI to appear in LDIF, so if you dump the directory into LDIF
> >> and then reload into another vendor's server and back again into your
> >> server, you don't lose any data.  Vendors will continue to use their
> >> own access control mechanisms in cases, so it is expected that in some
> >> parts of the tree that may not be ldap accessible that you'll see the
> >> use of aCIMechanism, and hence vendorACI for preservation of that
> >> information at dump/restore time.
> >> The vendorACI attribute will remain in the model.
> >
> >I don't quite follow you on this Ellen.  Shouldn't a specific,
> >alternative aCIMechanism indicate what attribute is used to store the
> >alternative ACI mechanism (even if only for export and import)?
> >
> >--
> >Mark Smith
> >iPlanet Directory Architect / Sun-Netscape Alliance
> >My words are my own, not my employer's.   Got LDAP?
> >