At 12:44 PM 3/16/00 -0600, Ellen Stokes wrote:
>(EJS) I'll add back the list of attributes (e.g. attribute:
><attr>*). However,
>collection is still a valuable ease of administration concept. I understand
>that a new collection name that might only be known locally could be a
>concern, but implementation could code around it to say that if it's not
>understood, then it's not supported. I'd like to retain this
>construct. Any
>other opinions?
The keyword "collection" indicates that the string that
follows describes a group of attributes. The method for
grouping attributes is server specific.
So what if two servers hosting a cover naming context have two
very different means for grouping attributes? Would not an
ACI replicated between two such servers which used a collection
understood by each, in its own way, cause the ACI to be evaluated
differently on each server?
This seems counter to "... one [an access control model] is needed
to ensure consistent secure access across heterogeneous LDAP
implementations." (p3)
How about you define a collection to be the set of attributes
allowed by an object class? An object class, after all, is
defined (in part) as a collection of allowed attributes.
[I've been thinking of experimenting with exactly this in
OpenLDAP-devel... I'll try to find the time to implement it.]
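An added illustration (not from this thread, and not OpenLDAP code) of the point made above: with server-specific collection tables the same ACI clause covers different attributes on each server, whereas deriving the collection from an object class's MUST/MAY attributes (walking SUP) gives every server that shares the schema the same answer. The schema fragments and the two per-server tables are constructed.

```python
import re

# Constructed objectClass definitions in RFC 2252 style (abbreviated from the
# standard top/person/organizationalPerson definitions).
SCHEMA_TEXT = """
( 2.5.6.0 NAME 'top' ABSTRACT MUST objectClass )
( 2.5.6.6 NAME 'person' SUP top STRUCTURAL MUST ( sn $ cn ) MAY ( userPassword $ telephoneNumber $ seeAlso $ description ) )
( 2.5.6.7 NAME 'organizationalPerson' SUP person STRUCTURAL MAY ( title $ postalAddress $ l $ st ) )
"""

def _attr_list(field):
    # Either a bare name or "( a $ b $ c )"; pull out the attribute names.
    return set(re.findall(r"[A-Za-z][\w-]*", field)) if field else set()

def parse_schema(text):
    """Parse objectClass definitions into {name: {sup, must, may}}."""
    classes = {}
    for line in text.strip().splitlines():
        name = re.search(r"NAME '([^']+)'", line).group(1)
        sup = re.search(r"\bSUP (\w+)", line)
        must = re.search(r"\bMUST (\([^)]*\)|\S+)", line)
        may = re.search(r"\bMAY (\([^)]*\)|\S+)", line)
        classes[name] = {"sup": sup.group(1) if sup else None,
                         "must": _attr_list(must.group(1) if must else ""),
                         "may": _attr_list(may.group(1) if may else "")}
    return classes

def allowed_attributes(classes, oc):
    """Collection = every attribute the object class and its superiors allow."""
    attrs = set()
    while oc is not None:
        attrs |= classes[oc]["must"] | classes[oc]["may"]
        oc = classes[oc]["sup"]
    return attrs

def schema_collections(text=SCHEMA_TEXT):
    """Collection table derived purely from schema, so it is the same on any server sharing it."""
    classes = parse_schema(text)
    return {oc: allowed_attributes(classes, oc) for oc in classes}

def aci_covers(collections, collection, attribute):
    """Evaluate an ACI 'collection: <name>' clause against one attribute.
    An unknown collection grants nothing (the "not understood, not supported" rule)."""
    return attribute in collections.get(collection, set())

# Server-specific tables: the same ACI clause "collection: contact" means
# something different on each server (constructed).
SERVER_A = {"contact": {"telephoneNumber", "seeAlso"}}
SERVER_B = {"contact": {"telephoneNumber", "postalAddress", "l"}}

if __name__ == "__main__":
    for name, table in (("server A", SERVER_A), ("server B", SERVER_B)):
        print(name, "contact covers postalAddress:", aci_covers(table, "contact", "postalAddress"))
    sc = schema_collections()
    print("schema: organizationalPerson covers postalAddress:", aci_covers(sc, "organizationalPerson", "postalAddress"))
    print("schema: person covers postalAddress:", aci_covers(sc, "person", "postalAddress"))
```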