RE: Comments on the ACL Model draft

Thanks. Now I understand what the "*" for subjectDn means. It would
be helpful to include your explanation in the document.

It does seem that "*" might result in HUGE responses in some fairly
common situations. For example, if the ACI contains a dnType "subtree"
for a reasonably large part of the tree, wouldn't the response need to
contain every DN in that subtree?

Rick Huber

: From: djbyrne@us.ibm.com
: To: rvh@qsun.mt.att.com
: cc: blakley@dascom.com, ietf-ldapext@netscape.com,
: Ellen Stokes <stokes@austin.ibm.com>
: Subject: RE: Comments on the ACL Model draft
:
:
:
:
: My responses prefaced with < djb >
:
: Page 26
:
: TECHNICAL:
:
: subjectDN LDAPString | "public" |
: "this" | "*"
:
: What does it mean to getEffectiveRights for "everyone who has access to
: the entry" (definition of "*" on Page 25)? Return all the ACIs? All
: possible subject DNs can't be known. And if all the ACIs are desired
: it would be simpler to just read the ldapACI attribute.
:
: < djb > * is intended to return the effective access for all DNs which are
: defined within the ACI. This is different from simply reading the ACI b/c
: it does the expansions and evaluations of grant / deny / group memberships
: etc and returns the granted rights after evaluation.
:
:
: Page 28:
:
: TECHNICAL:
:
: dnType "access-id"|"group"|
: "role"|"ipAddress"|
: "kerberosID"|
: <printableString> |
: "*",
: ^^^
: subjectDN LDAPString | "public" |
: "this" | "*"
: ^^^
:
: What would it mean to return "*" as part of the RESPONSE to
: getEffectiveRights? Isn't a separate PartialEffectiveRightsList
: element needed for each dnType in the response? If "*" is part of the
: query, shouldn't the various elements of the response indicate which
: specific dnType they refer to rather than repeating the "*"? When
: would "*" be returned? And it is even less clear what "*" means
: in the response for subjectDN.
:
:
: We note that the "*" is not allowed in the
: ldapGetEffectiveRightsResponse on Page 31. Was it left in
: PartialEffectiveRightsList by accident?
:
: < djb > Yes, it should be removed from the response
:
:
: Thanks,
:
: Debora Byrne
: Manager Secure Way Directory Config / User Interface
: INet: djbyrne@us.ibm.com
: Phone: (512)838-1930 ( T/L 678 )