
ldapACI and attribute subtypes

At 01:11 PM 3/16/00 -0600, Ellen Stokes wrote:
>>How does an ACL granting access to an attribute type's superior affect
>>access to the attribute type?  I.e.: does granting access to 'name'
>>allow access to 'cn'?
>
>(EJS) No, schema hierarchy will be independent of access control
>inheritance for now; we should look at this again in the future after
>we get this draft to RFC.
>
>>I see that ACLs on attribute subtypes (cn;lang-US) are disallowed.
>>Is this intentional?  If so, why?  If not, any syntax issues due
>>to the attribute description's ';'(s) (could have more than one).
>
>(EJS) It was not our intention to disallow (I didn't even think we stated
>explicitly we disallowed it).  So, I'll add wording to make sure it's
>understood that it is allowed.  I'll also change some of the separators
>in the BNF so there is no misunderstanding of parsing when ';' is used.
>Good catch.

Given these two statements I would assume that an ACL for
a bare attribute type does NOT apply to subtypes of that
attribute including those distinguished only by a combination
of attribute description options.

I believe that if you allow subtyping at all, you should
allow both subtyping by 'sup' and by attribute description
options.  I personally think that ACIs with subtype support
are extremely powerful, easy to manage, and (depending on
implementation) not expensive in terms of evaluation
processing, and fairly easy to implement (depending upon
server design).

To not support subtyping would place a significant burden
on the directory manager to establish ACIs for all possible
subtypes.  Given the nature of some subtypes (like language
tag subtypes and combined attribute description option
subtypes), this can increase the number of ACIs needed.
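To make the two subtyping rules under discussion concrete, here is an added illustration (not code from the draft or from either poster) of how an ACI's attribute target would match attribute descriptions with and without subtyping by options and by 'sup'. The schema fragment, the helper names and the sample descriptions are constructed for this example.

```python
# Constructed schema fragment: attribute type -> its superior ('sup').
# 'cn' and 'sn' are subtypes of 'name', the case raised in the thread.
SCHEMA_SUP = {"name": None, "cn": "name", "sn": "name", "description": None}


def parse_attr_desc(desc):
    """Split 'cn;lang-en;binary' into (type, options); both are
    lower-cased because attribute descriptions are case-insensitive."""
    parts = [p.strip().lower() for p in desc.split(";")]
    return parts[0], frozenset(p for p in parts[1:] if p)


def aci_covers(aci_attr, requested_attr, by_options=False, by_sup=False):
    """True if an ACI naming aci_attr applies to requested_attr.

    by_options: an ACI on 'cn' also covers 'cn;lang-en', 'cn;lang-en;binary'.
    by_sup:     an ACI on 'name' also covers 'cn' and 'sn' via the schema.
    Both False is the strict reading: only the exact description matches."""
    a_type, a_opts = parse_attr_desc(aci_attr)
    r_type, r_opts = parse_attr_desc(requested_attr)

    # Walk up the 'sup' chain from the requested type to the ACI's type.
    t, type_ok = r_type, False
    while t is not None:
        if t == a_type:
            type_ok = True
            break
        if not by_sup:
            break
        t = SCHEMA_SUP.get(t)
    if not type_ok:
        return False

    # Every option named in the ACI must be present on the request; extra
    # options on the request make it a subtype, accepted only with by_options.
    if not a_opts <= r_opts:
        return False
    return by_options or a_opts == r_opts


def acis_needed(attr_descs, aci_attr, **flags):
    """Descriptions NOT covered by a single ACI on aci_attr; each of these
    would need its own ACI under the given subtyping rules."""
    return [d for d in attr_descs if not aci_covers(aci_attr, d, **flags)]


# Constructed sample: a few types with language-tag and combined options.
SAMPLE = ["cn", "cn;lang-en", "cn;lang-fr", "cn;lang-en;binary",
          "sn", "sn;lang-de", "description"]
```

Running `acis_needed(SAMPLE, "cn")` with the strict rule leaves six descriptions uncovered, with option subtyping three, and with both rules applied to an ACI on 'name' only 'description' remains.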