
re:draft-ietf-ldapext-acl-model-05



I have a few questions after the first reading:

On page 11:
"..... If the server does not support partial inheritance and both the
entry and subtree scope are used, then entry is the prevailing scope".

What does this mean, especially "partial inheritance"?


On page 14, about browseDN
.."To do the search, browse (b) must be set for the entry (you can search
only entries that you have permission to search so you can't discover
things you don't have permission to)..."

If the user does not have browseDN on the base "o=XYZ", but has the
permission on "ou=dept ABC,ou=hr,o=XYZ", should ldap_search with the base
"o=XYZ"
1) fail - user can't browse on "o=XYZ", nor "ou=hr,o=XYZ", therefore can't
   discover "ou=dept ABC,ou=hr,o=XYZ"
or
2) succeed and return information about "ou=dept ABC,..."?
Which one would be the intended behavior of this permission?

On page 15-16, collection and attribute
I, too, would like to see the multi-attribute syntax restored from the
version 4.

On page 22, there is an example of ldapmodify - delete syntax.

"Given an ACI of:

           ldapACI: 1.2.3.4#subtree#grant;r,w;
                      collection:[all]#group#cn=Dept XYZ
           ldapACI: 1.2.3.4#subtree#grant;r;
                      attribute:attr1#group#cn=Dept XYZ

            dn: cn = some Entry
            changetype: modify
            delete: ldapACI
            ldapACI: 1.2.3.4#subtree#grant;r;
                       attribute:attr1#group#cn=Dept XYZ

          would yield a remaining ACI on the server of

          ldapACI: 1.2.3.4#subtree#grant;r,w;
                     collection:[all]#group#cn=Dept XYZ"

Given the same ACI, what would the result be if the input to modify-delete is:
           ldapACI:1.2.3.4#subtree#grant;r;collection:[all]#group#cn=Dept XYZ

Will the operation fail (no exact match), or will it return

 ldapACI: 1.2.3.4#subtree#grant;w;collection:[all]#group#cn=Dept XYZ (w instead of r,w)
 ldapACI: 1.2.3.4#subtree#grant;r;attribute:attr1#group#cn=Dept XYZ

What would be the result if the input is:

ldapACI:1.2.3.4#subtree#grant;w;attribute:attr1#group#cn=DeptXYZ?


On page 29, the "public" DN is for setting access to all users. Have you
considered supporting another DN to represent "authenticated" users, to
differentiate "authenticated" from "unauthenticated"?
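An added example, not from this message or the draft: a small Python model of the page-22 ldapACI values that runs the modify-delete inputs asked about above under both readings, RFC 2251 exact-value matching and permission subtraction. The value layout, the field names and the plain-string comparison of the subject DN are assumptions reconstructed from the draft's example.

```python
from dataclasses import dataclass, replace
@dataclass(frozen=True)
class Aci:
    oid: str
    scope: str
    action: str
    perms: frozenset
    target: str     # "collection:[all]" or "attribute:attr1"
    subj_type: str  # e.g. "group"
    subject: str    # subject DN, compared as a plain string here (assumption)
def parse_aci(value: str) -> Aci:
    """Split one ldapACI value.  Layout reconstructed from the draft's example
    (assumption): oid#scope#action;perms;target#subj_type#subject."""
    oid, scope, rights, subj_type, subject = value.split("#", 4)
    action, perms, target = rights.split(";", 2)
    return Aci(oid, scope, action, frozenset(p for p in perms.split(",") if p),
               target, subj_type, subject)

def _key(a: Aci):  # everything except the permission list
    return (a.oid, a.scope, a.action, a.target, a.subj_type, a.subject)

def delete_exact(acis, value):
    """RFC 2251 delete semantics: the value must equal an existing value,
    otherwise the whole modify fails (noSuchAttribute)."""
    victim = parse_aci(value)
    if victim not in acis:
        raise LookupError("noSuchAttribute: no ldapACI value matches exactly")
    return [a for a in acis if a != victim]

def delete_subtract(acis, value):
    """The other reading asked about above: match on everything but the
    permissions, subtract the named ones, drop the ACI only when none remain.
    Fails if no matching ACI carries all of the named permissions."""
    victim = parse_aci(value)
    out, hit = [], False
    for a in acis:
        if _key(a) == _key(victim) and victim.perms <= a.perms:
            hit = True
            if a.perms - victim.perms:
                out.append(replace(a, perms=a.perms - victim.perms))
        else:
            out.append(a)
    if not hit:
        raise LookupError("no ldapACI value carries all of those permissions")
    return out
# Constructed from the draft's page-22 example: the two values on the server.
SERVER_ACIS = [
    parse_aci("1.2.3.4#subtree#grant;r,w;collection:[all]#group#cn=Dept XYZ"),
    parse_aci("1.2.3.4#subtree#grant;r;attribute:attr1#group#cn=Dept XYZ"),
]
```

Under exact matching the second and third inputs fail the whole modify, so the broader r,w grant survives untouched and visibly, whereas under subtraction the second input silently narrows it to w; that difference in outcome is why the draft needs to state which matching rule applies to ldapACI.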