
ldapACI: familyOID

At 12:51 AM 3/16/00 +0000, David Chadwick wrote:
Date forwarded: Wed, 15 Mar 2000 08:16:23 -0800 (PST)
Date sent: Wed, 15 Mar 2000 10:15:28 -0600
To: d.w.chadwick@salford.ac.uk, ietf-ldapext@netscape.com
From: Ellen Stokes <stokes@austin.ibm.com>
Subject: Re: please publish (draft-ietf-ldapext-acl-model-05.txt)
Copies to: djbyrne@us.ibm.com, blakley@dascom.com
Forwarded by: ietf-ldapext@netscape.com

> Responses embedded below and prefaced by (EJS)
> Ellen
>
> >Comments on ACL model 05
> >
> >i) I think it is extra clutter to have familyOID as the first
> >component of the ldapACI attribute type, and does not buy us
> >anything. If you want to define another set of permissions, then
> >simply give them a new attribute type (e.g. ldapACIv2) which is
> >itself an OID. It serves no good purpose to have one OID for the
> >ldapACI attribute then another OID for the family. You might as well
> >have just one OID that means precisely one set of permissions and
> >access control information.
>
> (EJS) We could do as you suggest, but I'd rather not.  I believe that
> it is better to have a single attribute known for ldap access control
> rather than proliferate more attributes for this purpose and let the
> family OID control the remaining information.  This provides an
> application with one way of accessing access control information,
> although it may still have to parse out the information. If we start
> propagating different attributes for ldap access control, then it is
> difficult, if not impossible, for the application to know which ldap
> access control attribute it needs to invoke.

Sorry, I don't buy this, since the application will have to know all the
family OIDs if it is to be able to understand the meaning and content
of the aci. There is thus no difference between having to know the
OIDs of families or the OIDs of the attribute types. You have not
saved anything by nesting families in a single attribute type (other
than forcing them to all have the same syntax). Different code will be
needed for each family OID, just as different code will be needed if
it were different attribute types. Therefore I still believe the family
OID is just extra clutter that actually buys you nothing.

(EJS) A case where family OID could be useful is where the current
ldapACI attribute permission set is just extended, such as for adding
get/set/manage/use (which we removed from this draft). However, I see
both points of view. So, comments on this topic, please. What's the
consensus?