
Re: ldapACI: collection and attribute list



At 06:17 PM 3/16/00 -0800, Kurt D. Zeilenga wrote:
At 12:44 PM 3/16/00 -0600, Ellen Stokes wrote:
>(EJS) I'll add back the list of attributes (e.g. attribute:
><attr>*). However,
>collection is still a valuable ease of administration concept. I understand
>that a new collection name that might only be known locally could be a
>concern, but implementation could code around it to say that if it's not
>understood, then it's not supported. I'd like to retain this construct. Any
>other opinions?


             The keyword "collection" indicates that the string that
             follows describes a group of attributes.  The method for
             grouping attributes is server specific.

So what if two servers hosting a cover naming context have two
very different means for grouping attributes?  Would not an
ACI replicated between two such servers which used a collection
understood by each, in its own way, cause the ACI to be evaluated
differently on each server?

This seems counter to "... one [an access control model] is needed
to ensure consistent secure access across heterogeneous LDAP
implementations." (p3)

How about you define a collection to be the set of attributes
allowed by an object class?   An object class, after all, is
defined (in part) as a collection of allowed attributes.

[I've been thinking of experimenting with exactly this in
OpenLDAP-devel... I'll try to find the time to implement it.]

(EJS) Kurt, one possible solution to this (and I certainly haven't thought this all the way through, but building on your thoughts) might be to define a 'collection' class whose attribute is, for example, called 'list' which contains a list of the attributes in that collection. One could then subclass to define new collections, but this class would never be instantiated in the directory - I would view it as a 'meta' class or schema definition. Is this what you had in mind?

Ellen
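One way to make Kurt's proposal concrete, as an added example that is not code from the draft, from OpenLDAP or from either correspondent: resolve a collection name to the attributes allowed by an object class (MUST plus MAY, inherited through SUP), so that two servers sharing a schema expand the same ACI to the same attribute set. The `attribute:`/`collection:` spellings and the partial schema table are assumptions made for the example.

```python
# Added example (not from the draft, OpenLDAP or the thread): resolve an
# ldapACI "collection" the way Kurt proposes, as the attributes allowed by an
# object class (MUST + MAY, including those inherited through SUP).
# SCHEMA is a constructed, partial copy of standard classes for illustration.

SCHEMA = {
    # name: (superior class or None, MUST attributes, MAY attributes)
    "top": (None, {"objectClass"}, set()),
    "person": ("top", {"sn", "cn"},
               {"userPassword", "telephoneNumber", "seeAlso", "description"}),
    "organizationalPerson": ("person", set(), {"title", "ou", "postalAddress", "l"}),
    "inetOrgPerson": ("organizationalPerson", set(), {"mail", "uid", "givenName"}),
}

def allowed_attributes(object_class, schema=SCHEMA):
    """Full set of attributes an object class permits, walking the SUP chain
    so inherited MUST/MAY attributes are included."""
    allowed, seen, oc = set(), set(), object_class
    while oc is not None:
        if oc in seen:
            raise ValueError(f"cyclic superior chain at {oc}")
        seen.add(oc)
        sup, must, may = schema[oc]
        allowed |= must | may
        oc = sup
    return allowed

def expand_attribute_spec(spec, schema=SCHEMA):
    """Expand one ACI attribute specifier; the spellings 'attribute:<name>'
    and 'collection:<objectClass>' are assumed. An unknown collection raises
    rather than quietly matching nothing, since silently ignoring it would
    make the same ACI grant different access on different servers."""
    keyword, _, value = spec.partition(":")
    keyword, value = keyword.strip().lower(), value.strip()
    if keyword == "attribute":
        return {value}
    if keyword == "collection":
        if value not in schema:
            raise KeyError(f"collection {value!r} is not an object class here")
        return allowed_attributes(value, schema)
    raise ValueError(f"unknown attribute specifier {keyword!r}")

def aci_attributes(specs, schema=SCHEMA):
    """Union of every specifier in one ACI: identical on any server that
    shares the schema, which is the consistency Kurt is asking for."""
    covered = set()
    for spec in specs:
        covered |= expand_attribute_spec(spec, schema)
    return covered
```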