
Re: ACL model comments



"Kurt D. Zeilenga" wrote:
> 
> Though I haven't had time to do a full review, I can offer
> a few comments:
> 
> Section 6.3
> 
> The 'aci' attribute is defined as a user, not operational,
> attribute type.  Besides being appropriate in terms of usage,
> this would allow this attribute type in any and all
> object classes.  If usage is left as user, you'd likely
> have to define an auxiliary objectclass to allow mix in
> or replace 'top' or something.

I agree that the attribute type used to store access control information
should be operational.  X.500's various access control attribute types
are defined with "USAGE directoryOperation" which seems right to me.

I would also like to see us choose a different name for the attribute
type.  An attribute called 'aci' has been used in the Netscape/iPlanet
Directory Server for several years now to hold proprietary access
control information.  See:

http://home.netscape.com/eng/server/directory/schema/attribu4.htm#1717762

I admit that 'aci' was not a good name for Netscape to use, but I
suggest we use a name like 'ldapACI' for the new standard scheme to
avoid confusion (unless someone else is already using that name too!).

-- 
Mark Smith
Directory Product Development / iPlanet E-Commerce Solutions
My words are my own, not my employer's.            Got LDAP?