
Re: ldapACI: collection and attribute list



At 12:44 PM 3/16/00 -0600, Ellen Stokes wrote:
>(EJS)  I'll add back the list of attributes (e.g. attribute: 
><attr>*).  However,
>collection is still a valuable ease of administration concept.  I understand
>that a new collection name that might only be known locally could be a
>concern, but implementation could code around it to say that if it's not
>understood, then it's not supported.  I'd like to retain this construct.  Any
>other opinions?

             The keyword "collection" indicates that the string that
             follows describes a group of attributes.  The method for
             grouping attributes is server specific.

So what if two servers hosting a cover naming context have two
very different means for grouping attributes?  Would not an
ACI replicated between two such servers which used a collection
understood by each, in its own way, cause the ACI to be evaluated
differently on each server?

This seems counter to "... one [an access control model] is needed
to ensure consistent secure access across heterogeneous LDAP
implementations." (p3)

How about you define a collection to be the set of attributes
allowed by an object class?   An object class, after all, is
defined (in part) as a collection of allowed attributes.

[I've been thinking of experimenting with exactly this in
OpenLDAP-devel... I'll try to find the time to implement it.]
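The replication concern raised above, and the proposed fix of defining a collection as the attributes allowed by an object class, can be made concrete with a small model. The following is an added example, not code from the original message and not OpenLDAP code: the ACI syntax (`grant:<rights>;collection:<name>` or `grant:<rights>;attribute:<name>`), the schema table, and the two per-server grouping tables are all constructed here for illustration. It evaluates one replicated ACI under server-specific collection semantics on two replicas, then under object-class semantics, and shows that only the latter yields the same answer on both.

```python
"""Model of the ldapACI "collection" keyword under two resolution policies.

Hypothetical, simplified ACI form: "grant:<rights>;<target>:<name>"
where <target> is "attribute" or "collection".  Nothing here is the
draft's real grammar or an OpenLDAP implementation.
"""
from dataclasses import dataclass

# Constructed schema: object class -> set of attributes it allows (MUST + MAY).
SCHEMA = {
    "person": {"cn", "sn", "userPassword", "telephoneNumber"},
    "inetOrgPerson": {"cn", "sn", "userPassword", "telephoneNumber", "mail", "uid"},
}
ALL_ATTRIBUTES = frozenset().union(*SCHEMA.values())

# Constructed, server-specific groupings: each replica "understands" the
# collection name "person" in its own way (the inconsistency the message warns about).
LOCAL_GROUPS_A = {"person": {"cn", "sn"}}
LOCAL_GROUPS_B = {"person": {"cn", "sn", "userPassword"}}


@dataclass(frozen=True)
class Aci:
    rights: frozenset  # e.g. frozenset({"r"})
    target: str        # "attribute" or "collection"
    name: str          # attribute name ("*" = all) or collection name


def parse_aci(text):
    """Parse the hypothetical 'grant:r,w;collection:person' form."""
    grant, _, target_part = text.partition(";")
    if not grant.startswith("grant:"):
        raise ValueError("unsupported ACI form: %r" % text)
    rights = frozenset(r for r in grant[len("grant:"):].split(",") if r)
    target, _, name = target_part.partition(":")
    if target not in ("attribute", "collection") or not name:
        raise ValueError("bad target in ACI: %r" % text)
    return Aci(rights, target, name)


def local_group_resolver(groups):
    """Server-specific semantics; an unknown collection is 'not supported' (empty)."""
    def resolve(name):
        return frozenset(groups.get(name, ()))
    return resolve


def object_class_resolver(name):
    """Collection == attributes allowed by the object class of that name."""
    return frozenset(SCHEMA.get(name, ()))


def covered_attributes(aci, resolve):
    """Expand the ACI target into the concrete set of attributes it governs."""
    if aci.target == "attribute":
        return ALL_ATTRIBUTES if aci.name == "*" else frozenset([aci.name])
    return resolve(aci.name)


def permits(aci, right, attribute, resolve):
    """True if the ACI grants `right` on `attribute` under the given resolver."""
    return right in aci.rights and attribute in covered_attributes(aci, resolve)


def evaluate_on_replicas(aci_text, right, attribute):
    """Evaluate one replicated ACI on both replicas under both policies."""
    aci = parse_aci(aci_text)
    return {
        "server_a_local": permits(aci, right, attribute, local_group_resolver(LOCAL_GROUPS_A)),
        "server_b_local": permits(aci, right, attribute, local_group_resolver(LOCAL_GROUPS_B)),
        "server_a_objectclass": permits(aci, right, attribute, object_class_resolver),
        "server_b_objectclass": permits(aci, right, attribute, object_class_resolver),
    }


def is_consistent(results):
    """Do both replicas agree under the local-grouping policy?"""
    return results["server_a_local"] == results["server_b_local"]


if __name__ == "__main__":
    for aci_text, attr in [("grant:r;collection:person", "userPassword"),
                           ("grant:r;collection:staff", "cn"),
                           ("grant:r;attribute:mail", "mail")]:
        res = evaluate_on_replicas(aci_text, "r", attr)
        print(aci_text, attr, res, "consistent" if is_consistent(res) else "DIVERGES")
```

Under the local-grouping policy the read of `userPassword` is denied on replica A and granted on replica B for the same ACI; resolving the collection through the object class gives one answer on both, and an unknown collection name simply covers no attributes.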