
RE: Comments on the ACL Model draft



Thanks.  Now I understand what the "*" for subjectDn means.  It would
be helpful to include your explanation in the document.

It does seem that "*" might result in HUGE responses in some fairly
common situations.  For example, if the ACI contains a dnType "subtree"
for a reasonably large part of the tree, wouldn't the response need to
contain every DN in that subtree?

Rick Huber

: From: djbyrne@us.ibm.com
: To: rvh@qsun.mt.att.com
: cc: blakley@dascom.com, ietf-ldapext@netscape.com,
:         Ellen Stokes <stokes@austin.ibm.com>
: Subject: RE: Comments on the ACL Model draft
: 
: 
: 
: 
: My responses prefaced with < djb >
: 
: Page 26
: 
: TECHNICAL:
: 
:                     subjectDN     LDAPString | "public" |
:                                     "this" |  "*"
: 
: What does it mean to getEffectiveRights for "everyone who has access to
: the entry" (definition of "*" on Page 25)?  Return all the ACIs?  All
: possible subject DNs can't be known.  And if all the ACIs are desired
: it would be simpler to just read the ldapACI attribute.
: 
: < djb > * is intended to return the effective access for all DNs which are
: defined within the ACI. This is different from simply reading the ACI b/c
: it does the expansions and evaluations of grant / deny / group memberships
: etc and returns the granted rights after evaluation.
: 
: 
: Page 28:
: 
: TECHNICAL:
: 
:                  dnType        "access-id"|"group"|
:                                 "role"|"ipAddress"|
:                                 "kerberosID"|
:                                 <printableString> |
:                                 "*",
:                                 ^^^
:                  subjectDN     LDAPString | "public" |
:                                     "this" | "*"
:                                              ^^^
: 
: What would it mean to return "*" as part of the RESPONSE to
: getEffectiveRights?  Isn't a separate PartialEffectiveRightsList
: element needed for each dnType in the response?  If "*" is part of the
: query, shouldn't the various elements of the response indicate which
: specific dnType they refer to rather than repeating the "*"?  When
: would "*" be returned?  And it is even less clear what "*" means in
: the response for subjectDN.
: 
: 
: We note that the "*" is not allowed in the
: ldapGetEffectiveRightsResponse on Page 31.  Was it left in
: PartialEffectiveRightsList by accident?
: 
: < djb > Yes, it should be removed from the response
: 
: 
: Thanks,
: 
: Debora Byrne
: Manager Secure Way Directory Config / User Interface
: INet: djbyrne@us.ibm.com
: Phone: (512)838-1930 ( T/L 678 )
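To make the distinction in the exchange above concrete (a plain read of ldapACI versus getEffectiveRights with subjectDN "*", and why the "*" response grows with the subjects an ACI refers to), here is a small Python model. It is an added illustration, not code from the draft, from IBM, or from either correspondent. Everything in it is an assumption for illustration: the ACI tuple layout, the rule that a deny overrides a grant, the in-memory group membership table, and the choice to model only the "access-id" and "group" dnTypes from the quoted grammar; the DNs and ACIs are constructed sample data.

```python
"""Toy model of getEffectiveRights with subjectDN "*" (added illustration).

Assumptions, none taken from the ACL model draft: an ACI is a
(dnType, subjectDN, action, rights) tuple on a single entry, a deny for a
right overrides any grant of it, and group membership is resolved from a
constructed in-memory table instead of the directory.
"""
from typing import Dict, FrozenSet, List, Set, Tuple

# dnType values that appear in the quoted grammar; others are not modelled
ACCESS_ID = "access-id"
GROUP = "group"

ACI = Tuple[str, str, str, FrozenSet[str]]

# Constructed sample ACIs on one entry
SAMPLE_ACIS: List[ACI] = [
    (GROUP, "cn=staff,o=example", "grant", frozenset({"read", "search"})),
    (ACCESS_ID, "cn=alice,o=example", "grant", frozenset({"write"})),
    (ACCESS_ID, "cn=bob,o=example", "deny", frozenset({"read"})),
]

# Constructed group membership: group DN -> member DNs (assumed, not real)
GROUP_MEMBERS: Dict[str, Set[str]] = {
    "cn=staff,o=example": {
        "cn=alice,o=example", "cn=bob,o=example", "cn=carol,o=example",
    },
}


def raw_aci_subjects(acis: List[ACI]) -> Set[Tuple[str, str]]:
    """What reading the ldapACI attribute gives: literal, unexpanded subjects."""
    return {(dn_type, subject_dn) for dn_type, subject_dn, _, _ in acis}


def subjects_defined_in(acis: List[ACI]) -> Set[str]:
    """Expand subjectDN "*" to every DN the ACIs refer to.

    Group subjects are expanded to their members so that one per-DN answer
    can be produced; this is where the response size grows with the
    membership of the groups named in the ACI.
    """
    dns: Set[str] = set()
    for dn_type, subject_dn, _, _ in acis:
        if dn_type == ACCESS_ID:
            dns.add(subject_dn)
        elif dn_type == GROUP:
            dns.update(GROUP_MEMBERS.get(subject_dn, set()))
    return dns


def effective_rights(acis: List[ACI], dn: str) -> FrozenSet[str]:
    """Rights a DN ends up with after evaluating every applicable ACI.

    Assumed precedence rule: any deny of a right removes it, whatever grants it.
    """
    granted: Set[str] = set()
    denied: Set[str] = set()
    for dn_type, subject_dn, action, rights in acis:
        applies = (dn_type == ACCESS_ID and subject_dn == dn) or (
            dn_type == GROUP and dn in GROUP_MEMBERS.get(subject_dn, set())
        )
        if not applies:
            continue
        (granted if action == "grant" else denied).update(rights)
    return frozenset(granted - denied)


def get_effective_rights(acis: List[ACI], subject_dn: str) -> Dict[str, FrozenSet[str]]:
    """Model of the request: one result element per concrete DN.

    "*" is expanded to the DNs defined within the ACIs, as described in the
    thread; each element of the answer names a specific DN, never "*".
    """
    targets = sorted(subjects_defined_in(acis)) if subject_dn == "*" else [subject_dn]
    return {dn: effective_rights(acis, dn) for dn in targets}


if __name__ == "__main__":
    print("raw ACI subjects:", sorted(raw_aci_subjects(SAMPLE_ACIS)))
    for dn, rights in get_effective_rights(SAMPLE_ACIS, "*").items():
        print(dn, "->", sorted(rights))
```

Running it shows the point of the exchange: the raw attribute lists three subjects, one of them an unexpanded group, while the "*" query returns one element per member DN with grant, deny and membership already evaluated (bob loses "read" to the explicit deny even though the group grants it). The number of elements in the "*" answer is bounded by the expanded subject set, which is why a subject that names a large group or subtree makes the response correspondingly large.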