
Re: vendorACI attribute in draft-ietf-ldapext-acl-model-04.txt



Mark,
Great.  I'm happy to remove vendorACI and keep aCIMechanism as defined
in the document.  (I just wanted to explore the alternatives given your
previous suggestion).
Ellen


At 09:42 AM 10/19/1999 -0400, Mark Smith wrote:
>No, I don't think we should specify the attribute type for access
>control information at all (except for the LDAPv3 scheme).  In other
>words, the aCIMechanism should just specify the OID for a scheme and
>clients and servers that have knowledge of a particular scheme will just
>need to know what attribute type is used for storing the access control
>information.  I just don't think we can mandate use of a particular type
>like vendorACI.  Some schemes may use more than one attribute type.  And
>so on.
>
>-- 
>Mark Smith
>iPlanet Directory Architect / Sun-Netscape Alliance
>My words are my own, not my employer's.   Got LDAP?
>
>
>
>Ellen Stokes wrote:
>> 
>> Mark,
>> Currently, aCIMechanism is just a list of OIDs of access control mechanisms
>> supported in a given naming context. Are you proposing that we extend this
>> format to say a structured LDAPstring to indicate not only the mechanism but
>> the attributes associated with that mechanism?
>> Ellen
>> 
>> At 09:09 AM 10/15/1999 -0400, Mark Smith wrote:
>> >Ellen Stokes wrote:
>> >>
>> >> David,
>> >> The intent of vendorACI is to provide a way in which to allow non-LDAP
>> >> defined ACI to appear in LDIF, so if you dump the directory into LDIF
>> >> and then reload into another vendor's server and back again into your
>> >> server, you don't lose any data.  Vendors will continue to use their
>> >> own access control mechanisms in cases, so it is expected that in some
>> >> parts of the tree that may not be ldap accessible that you'll see the
>> >> use of aCIMechanism, and hence vendorACI for preservation of that
>> >> information at dump/restore time.
>> >> The vendorACI attribute will remain in the model.
>> >
>> >I don't quite follow you on this Ellen.  Shouldn't a specific,
>> >alternative aCIMechanism indicate what attribute is used to store the
>> >alternative ACI mechanism (even if only for export and import)?
>> >
>> >--
>> >Mark Smith
>> >iPlanet Directory Architect / Sun-Netscape Alliance
>> >My words are my own, not my employer's.   Got LDAP?
>> >
>