
ACL model comments



Though I haven't had time to do a full review, I can offer
a few comments:

Section 6.3

The 'aci' attribute is defined as a user, not operational,
attribute type.  Besides being appropriate in terms of usage,
this would allow this attribute type in any and all
object classes.  If usage is left as user, you'd likely
have to define an auxiliary objectclass to allow mix in
or replace 'top' or something.

The EQUALITY matching rule should be specific to the ACI
Syntax and able to determine that two strings, not
equal by caseExactMatch, are the same per the ACI syntax.

For example:
    aci: 1.2.3.4#subtree#grant;r;cn#group#cn=Dept XYZ
    aci: 1.2.3.5#subtree#grant;r;2.5.4.3#group#cn=Dept XYZ

(cn == 2.5.4.3)

Section 6.3.1  LDAP Operations (Modify/delete)
    Deleting the last ACI value from an entry is not the same as
    deleting the ACI from the entry.

This seems to imply behavior inconsistent with RFC 2251, 4.6.
    It is possible for an entry to contain an ACI with no values.

An attribute type, if instantiated, must have values.  Though
you state not storage means, I believe it important to follow
the basic LDAP information model to ensure the information
is representable by the protocol and interchange formats.

Section 6.4.2
         Replace works similarly to all other attributes.

This implies that other modifications do not work similarly to
all other attributes.  I believe that all modifications should be
consistent with the defined semantics of Modify operation.

6.5 VendorACI

Like 'aci', it should be operational.  Also, it should have a
matching rule defined which understands how to match strings
of vendor ACI syntax.  Defining this seems problematic, but
could be defined, I guess, in generic terms.  However, if
the directory contains vendorACIs from multiple vendors, you
have a problem.  But these problems exist even as presently
defined.  I suggest not defining this and just stating that
vendors can define their own attribute types to contain
Access Control Information.  They'll likely do this anyway.
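As an added illustration of the matching-rule point raised above (not code from the draft or from this message), here is a Python sketch of an ACI-syntax-aware EQUALITY rule that treats an attribute type written by name and by OID as the same value, where plain caseExactMatch would not. The five-field layout, the rights-field structure, the name-to-OID table and the sample values are assumptions constructed for the example.

```python
# Attribute-type names -> OIDs (real X.520 / RFC 4519 values; this small table
# stands in for a lookup against the server's schema).
ATTR_OIDS = {
    "cn": "2.5.4.3", "commonname": "2.5.4.3",
    "sn": "2.5.4.4", "surname": "2.5.4.4",
    "o": "2.5.4.10", "ou": "2.5.4.11",
    "uid": "0.9.2342.19200300.100.1.1",
    "mail": "0.9.2342.19200300.100.1.3",
}


def normalize_attr_type(desc: str) -> str:
    """Map an attribute descriptor to its OID; descriptors are case-insensitive."""
    d = desc.strip().lower()
    if d and all(ch.isdigit() or ch == "." for ch in d):
        return d                      # already a numeric OID
    return ATTR_OIDS.get(d, d)        # unknown names are left as written


def parse_aci(value: str) -> tuple:
    """Split an ACI value into a canonical tuple.

    Assumed layout: <family>#<scope>#<rights>#<subjectType>#<subject>, with
    <rights> = grant|deny;<permissions>;<attrType>[;<attrType>...].
    Only the attribute types are normalized; every other field is compared
    exactly (a real implementation would also use distinguishedNameMatch
    on the subject DN).
    """
    fields = value.split("#", 4)
    if len(fields) != 5:
        raise ValueError("ACI value must have five '#'-separated fields")
    family, scope, rights, subject_type, subject = fields
    parts = rights.split(";")
    if len(parts) < 2 or parts[0] not in ("grant", "deny"):
        raise ValueError("rights field must start with grant|deny;<perms>")
    norm_rights = (parts[0], parts[1],
                   tuple(normalize_attr_type(p) for p in parts[2:]))
    return (family, scope, norm_rights, subject_type, subject)


def case_exact_match(a: str, b: str) -> bool:
    """What caseExactMatch gives: byte-for-byte string comparison."""
    return a == b


def aci_match(a: str, b: str) -> bool:
    """EQUALITY rule aware of the ACI syntax: cn and 2.5.4.3 are the same type."""
    return parse_aci(a) == parse_aci(b)
```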