RE: Comments on the ACL Model draft
My responses prefaced with < djb >
Page 26
TECHNICAL:
subjectDN LDAPString | "public" |
"this" | "*"
What does it mean to getEffectiveRights for "everyone who has access to
the entry" (definition of "*" on Page 25)? Return all the ACIs? All
possible subject DNs can't be known. And if all the ACIs are desired
it would be simpler to just read the ldapACI attribute.
< djb > * is intended to return the effective access for all DNs which are
defined within the ACI. This is different from simply reading the ACI because
it does the expansions and evaluations of grant / deny / group memberships
etc. and returns the granted rights after evaluation.
Page 28:
TECHNICAL:
dnType "access-id"|"group"|
"role"|"ipAddress"|
"kerberosID"|
<printableString> |
"*",
^^^
subjectDN LDAPString | "public" |
"this" | "*"
^^^
What would it mean to return "*" as part of the RESPONSE to
getEffectiveRights? Isn't a separate PartialEffectiveRightsList
element needed for each dnType in the response? If "*" is part of the
query, shouldn't the various elements of the response indicate which
specific dnType they refer to rather than repeating the "*"? When
would "*" be returned? And it is even less clear what "*" means in
the response for subjectDN.
We note that the "*" is not allowed in the
ldapGetEffectiveRightsResponse on Page 31. Was it left in
PartialEffectiveRightsList by accident?
< djb > Yes, it should be removed from the response
Thanks,
Debora Byrne
Manager Secure Way Directory Config / User Interface
INet: djbyrne@us.ibm.com
Phone: (512)838-1930 ( T/L 678 )
Ellen Stokes <stokes@austin.ibm.com> on 03/17/2000 09:00:38 AM