Date: Wed, 20 Oct 1999 14:31:20 -0600
From: Jim Sermersheim <JIMSE@novell.com>
Subject: Re: Comments on aci-model-04
To: djbyrne@us.ibm.com
Cc: stokes@austin.ibm.com, ietf-ldapext@netscape.com, d.w.chadwick@salford.ac.uk
Message-id: <s80dd233.025@prv-mail20.provo.novell.com>

>>> <djbyrne@us.ibm.com> 10/20/99 12:11:08 PM >>>
>> Could the fact that when group dnType is used, the target points to a
>> groupOfNames be documented in the draft?
>
>I think I'd prefer to simply add a statement that says group refers to an object
>which holds a collection of member DNs. I don't want to restrict implementations
>to using the groupOfNames objectclass if we don't have to.  Is that enough?

I still worry that it's too ambiguous.  How do I implement a server that can
intuit the construction of an object which is only said to be a collection of
DNs, especially when trying to interoperate in a heterogeneous environment?  Do
I examine each attribute for values that look like DNs and assume they're all
part of the group?  Do I assume that there's a 'reverse membership' involved, so
I search the entire directory for any entry matching name=<DN of group>? Neither
of these, nor any other method I can think of makes me feel like I'm going to
chance upon the actual intent of the originating implementation that this data
came from.  Unless there's some consistent way of discovering exactly who is a
member of the group, I'd rather it be a well known object class (or derivative).

>> Then I'm still lost on two related points. I'm still unsure of what
>> constitutes a role, and I'm wondering if there's a way to specify that the
>> target is a subtree.
>
>We can certainly consider adding something that represents something of type
>'subtree' ( vs group or access-id ).

Thanks.

>Let me try another stab at role vs group definition. In the strict definition,
>roles and groups are both collections of DNs. So, on the surface, they are the
>same. My understanding is that in the security world, there is a slight
>difference; not in implementation, but in expectation.  When a user is added to a
>group that's all there is to it; he's now a member of 'Monday football
>announcements' ( or whatever ). However, when the user is added to a role, there
>is some expectation that he will receive certain permissions as a member of that
>role. For instance, when a user is added to an 'Administrator' group, (s)he would
>expect to have access to particular files, queues etc. ( It is still up to the
>system administrator to ensure those expectations are met )

I'm still not seeing the difference (sorry). From the perspective of ACLs, they
seem the same to me.  From reading the draft, I had the impression that the
difference between a group and a role is that you are included in a group (by
the inclusion of your DN), and you identify yourself as performing a role by
presenting some role based credentials or something.  I didn't get the feeling
that a role was represented by an object which contained a set of DNs.

Jim
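The membership-resolution problem raised in the message above (how a server should decide who is in a group when the ACI subject only says "group" and the target object is merely "a collection of DNs") is illustrated by the following added Python example. It is not code from the thread, from the aci-model draft, or from any participant's product. The in-memory directory, the ACI dictionary layout, the `acmeCollection` object class and every DN are constructed for illustration; the dnType values `group` and `access-id` are the terms used in the thread, and `groupOfNames` / `groupOfUniqueNames` are the standard LDAP group classes. It contrasts a resolver that trusts only well-known group classes and fails closed otherwise with the "every DN-shaped value is a member" heuristic the message rejects.

```python
"""Resolving a 'group' ACI subject: well-known object classes vs guessing.

Constructed example, not code from the ldapext thread or any draft. The
directory, the ACI layout and the 'acmeCollection' class are invented;
only dnType 'group'/'access-id' (from the thread) and the standard
groupOfNames/groupOfUniqueNames classes are real LDAP terms.
"""
from typing import Dict, List, Optional, Set

Entry = Dict[str, List[str]]

# Constructed directory: DN -> attribute name (lowercase) -> values.
DIRECTORY: Dict[str, Entry] = {
    "cn=admins,ou=groups,o=example": {
        "objectclass": ["top", "groupOfNames"],
        "member": ["cn=alice,ou=people,o=example", "cn=bob,ou=people,o=example"],
    },
    "cn=ops,ou=groups,o=example": {
        "objectclass": ["top", "groupOfUniqueNames"],
        "uniquemember": ["cn=carol,ou=people,o=example"],
    },
    # A vendor object that merely 'holds a collection of DNs': a foreign
    # server cannot know which attribute carries the membership.
    "cn=mystery,ou=groups,o=example": {
        "objectclass": ["top", "acmeCollection"],
        "acmeparticipant": ["cn=dave,ou=people,o=example"],
        "owner": ["cn=mallory,ou=people,o=example"],
    },
}

# Well-known group classes and the attribute that carries membership.
MEMBERSHIP_ATTR = {"groupofnames": "member", "groupofuniquenames": "uniquemember"}


def normalize_dn(dn: str) -> str:
    """Minimal DN normalisation (lowercase, trim around commas). RFC 4514
    matching is richer; this is enough for the constructed data."""
    return ",".join(part.strip() for part in dn.lower().split(","))


def lookup(directory: Dict[str, Entry], dn: str) -> Optional[Entry]:
    wanted = normalize_dn(dn)
    return next((e for d, e in directory.items() if normalize_dn(d) == wanted), None)


def group_members(directory: Dict[str, Entry], group_dn: str) -> Optional[Set[str]]:
    """Members of a group whose object class is well known, else None.
    None means 'membership cannot be determined'; callers must fail closed."""
    entry = lookup(directory, group_dn)
    if entry is None:
        return None
    classes = {c.lower() for c in entry.get("objectclass", [])}
    for cls, attr in MEMBERSHIP_ATTR.items():
        if cls in classes:
            return {normalize_dn(v) for v in entry.get(attr, [])}
    return None


def looks_like_dn(value: str) -> bool:
    """Crude shape test: every comma-separated component is attr=value."""
    return all("=" in part for part in value.split(","))


def guess_members(directory: Dict[str, Entry], group_dn: str) -> Set[str]:
    """The heuristic the thread rejects: treat every DN-shaped value in the
    entry as a member. It cannot tell a member from an owner."""
    entry = lookup(directory, group_dn) or {}
    return {normalize_dn(v) for attr, vals in entry.items()
            if attr != "objectclass" for v in vals if looks_like_dn(v)}


# Constructed ACI layout: subject is (dnType, dn), dnType in {group, access-id}.
ACIS = [
    {"target": "ou=people,o=example", "rights": {"read", "write"},
     "subject": ("group", "cn=admins,ou=groups,o=example")},
    {"target": "ou=people,o=example", "rights": {"read"},
     "subject": ("access-id", "cn=carol,ou=people,o=example")},
    {"target": "ou=people,o=example", "rights": {"write"},
     "subject": ("group", "cn=mystery,ou=groups,o=example")},
]


def subject_matches(directory: Dict[str, Entry], subject, bind_dn: str) -> bool:
    dn_type, dn = subject
    if dn_type == "access-id":
        return normalize_dn(dn) == normalize_dn(bind_dn)
    if dn_type == "group":
        members = group_members(directory, dn)
        return members is not None and normalize_dn(bind_dn) in members  # fail closed
    return False


def granted_rights(directory: Dict[str, Entry], acis, target_dn: str, bind_dn: str) -> Set[str]:
    """Union of rights from every ACI on target_dn whose subject matches bind_dn."""
    rights: Set[str] = set()
    for aci in acis:
        if normalize_dn(aci["target"]) == normalize_dn(target_dn) and \
                subject_matches(directory, aci["subject"], bind_dn):
            rights |= aci["rights"]
    return rights


if __name__ == "__main__":
    for who in ("alice", "carol", "dave"):
        dn = f"cn={who},ou=people,o=example"
        print(who, sorted(granted_rights(DIRECTORY, ACIS, "ou=people,o=example", dn)))
    print("guessed:", sorted(guess_members(DIRECTORY, "cn=mystery,ou=groups,o=example")))
```

Run as a script, it shows `dave` receiving no rights because his group's object class is not one the resolver recognises, while the guessing heuristic would have counted the group's `owner` as a member as well. Returning `None` from `group_members` and treating it as "no match" is the fail-closed behaviour that makes the unrecognised class a safe interoperability gap rather than an unintended grant.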