Re: Comments on aci-model-04

Could the fact that when group dnType is used, the target points to a
groupOfNames be documented in the draft?

Then I'm still lost on two related points. I'm still unsure of what constitutes
a role, and I'm wondering if there's a way to specify that the target is a
subtree.

Jim

>>> Ellen Stokes <stokes@austin.ibm.com> 10/19/99 10:51:02 PM >>>
David,
I think perhaps I didn't write myresponse clearly.  There is only
one type of group and it contains a group of names, e.g. groupOfNames object.
It is the name of the group that is typically placed on an access control
list (implementation) to state the access for the names (DNs) contained
in that group.
Ellen


At 02:25 PM 10/19/1999 +0100, David Chadwick wrote:
>
>>
>> In implementation, group and role tend to both be implemented as a group
>> of names. However, a group is just a collection of names where the group
>> name can be used to shorthand access to some object or attribute.
>
>Ellen,
>
>This is the bit I am objecting to, i.e. the attaching of two different
>semantics to group - one where the name of the group is a
>shorthand for the group e.g. o=ibm,c=us, - the other where the
>name of the group points to a group of names object where the
>enclosed names bear no relationship to the name of the group
>e.g.cn=ldapext, dc=netscape, dc=com.
>
>I therefore am proposing that you have two separate values for
>dntype, to reflect the differences. Lets call them subtree and group.
>
>David
>
>***************************************************
>
>David Chadwick
>IS Institute, University of Salford, Salford M5 4WT
>Tel +44 161 295 5351  Fax +44 161 745 8169
>Mobile +44 790 167 0359
>Email D.W.Chadwick@salford.ac.uk
>Home Page  http://www.salford.ac.uk/its024/chadwick.htm
>Understanding X.500  http://www.salford.ac.uk/its024/X500.htm
>X.500/LDAP Seminars http://www.salford.ac.uk/its024/seminars.htm
>Entrust key validation string MLJ9-DU5T-HV8J
>
>***************************************************
>