Re: please publish (draft-ietf-ldapext-acl-model-05.txt)

["Kurt D. Zeilenga" <Kurt@OpenLDAP.org>]

At 12:51 AM 3/16/00 -0000, David Chadwick wrote:
>Date forwarded: 	Wed, 15 Mar 2000 08:16:23 -0800 (PST)
>Date sent:      	Wed, 15 Mar 2000 10:15:28 -0600
>To:             	d.w.chadwick@salford.ac.uk, ietf-ldapext@netscape.com
>From:           	Ellen Stokes <stokes@austin.ibm.com>
>Subject:        	Re: please publish (draft-ietf-ldapext-acl-model-05.txt)
>Copies to:      	djbyrne@us.ibm.com, blakley@dascom.com
>Forwarded by:   	ietf-ldapext@netscape.com
>
>> Responses embedded below and prefaced by (EJS)
>> Ellen
>>
>> >Comments on ACL model 05
>> >
>> >i) I think it is extra clutter to have familyOID as the first
>> >component of the ldapACI attribute type, and does not buy us
>> >anything. If you want to define another set of permissions, then
>> >simply give them a new attribute type (e.g. ldapACIv2) which is
>> >itself an OID. It serves no good purpose to have one OID for the
>> >ldapACI attribute then another OID for the family. You might as well
>> >have just one OID that means precisely one set of permissions and
>> >access control information.
>> 
>> (EJS) We could do as you suggest, but I'd rather not.  I believe that
>> it is better to have a single attribute known for ldap access control
>> rather than proliferate more attributes for this purpose and let the
>> family OID control  the remaining information.  This provides an
>> application with one way of accessing access control information,
>> although it may still have to parse out the information. If we start
>> propagating different attributes for ldap access control, then it is
>> difficult, if not impossible, for the application to know which ldap
>> access control attribute it needs to invoke.
>
>Sorry, I dont buy this, since the application will have to know all the 
>family OIDs if it is to be able to understand the meaning and content 
>of the aci. There is thus no difference between having to know the 
>OIDs of families or the OIDs of the attribute types. You have not 
>saved anything by nesting families in a single attribute type (other 
>than forcing them to all have the same syntax). Different code will be 
>needed for each family OID, just as different code will be needed if 
>it were different attribute types. Therefore I still believe the family 
>OID is just extra clutter that actually buys you nothing.

I concur with David.  In particular, I do not think the ACI families
we conjure up tomorrow should be limited to today's attribute type
definition.  Tomorrow's ACI families may require unthought of
syntaxes and matching rules.

>> >v) In my comments to version 4, I mentioned that delete permission
>> >for attribute values could be needed, as with Modify Entry you both
>> >add values and delete values and replace values (I took your write
>> >values permission to mean add). With separate permissions you can
>> >allow some people to add, some to delete, and some to do both. You
>> >said you would look into it, but I don't remember your reply to this.
>> >I would suggest changing "write" to "add", and adding "delete".
>> 
>> (EJS) The write (w) permission is for the ldap_modify operation where
>> that single operation allows add, delete, and replace.  We can
>> certainly change this so that write permission is broken into two
>> permissions (add and delete) where replace requires both add and
>> delete.  Proposed permissions for this change are 'w' for write/add
>> and 'o' for write/delete (obliterate) where write/replace operation
>> requires both w and o to be set.  The question in doing this is do
>> people/applications really make this fine of a distinction in write
>> permissions, for example where someone may write/add but not
>> write/delete (and vice-versa)? Comments?  What's the consensus here?
>
>Ellen I think this is the best way forward, to see what people actually 
>want. I was raising the topic for precisely that reason.

Personally, I'd prefer attribute modify operation be control by a
single permission.  However, if the consensus is to have finer grained
control, I suggest breaking into three permissions which relate directly
to modify/add, modify/replace, and modify/delete operations.

>> >vi) Why can an acl entry only confer multiple rights on a single
>> >attribute name. I would have expected <attr> to allow multiple
>> >attribute names within it. (Version 4 allowed this.) Your later
>> >example shows the ldapACI being repeated in order to give SysAdmins
>> >access to attr2 and attr3. Why was the restriction introduced?
>> 
>> (EJS)  Several people complained that the syntax was too complicated
>> and hence the restriction.  We can certainly remove the restriction so
>> attribute: can have one or more attributes.  So you can then specify a
>> grouping of attributes by collection: <collectionname> or by
>> attribute: <attr>*. Comments?  What's the consensus here?
>
>Again this seems to be the best way forward, lets get some opinions. 
>I would argue for allowing multiple attribute types, rather than 
>inventing a new collectionname that is only locally known and has to 
>be broadcase to applications for them to understand it.

I think a list of attributes should be allowed and that collections
concept dropped.