
Re: LDAP subentry alignment with X.500 subentry



"Kurt D. Zeilenga" wrote:
> 
> I believe 'LDAPsubentry' should be replaced with 'subentry' and
> defined such that it is closely modelled after X.500.
> 
> 1) subentries should have a subtree specifier such that they are more
> useful for specification of ACI subentries.

The X.500 subtree specifier is rich and therefore fairly complex to
implement.  That doesn't mean we shouldn't adopt it, but it does mean we
should consider the impact.


> 2) subentries should be visible based upon presence of a subentries control,
> not a filter component.  For example:
>   (|(&(objectclass=LDAPsubentry)(!(cn=*))(objectclass=*))
> 
> Should the subentry be visible or not?   There are reasonable arguments
> for both yes and no.

But controls are of course more costly for clients and servers to
implement.  What problem are you trying to solve?  As currently defined,
clients that have knowledge of LDAPsubentries can retrieve them and
those that do not won't.  That meets my needs.



> I primarily make these suggestions because I believe these changes would
> make subentries within LDAP more usable, in particular, when used in
> support of the access control model.

Interesting.  Before we throw out the simple LDAPsubentry that Ed has
defined, I think someone should list the additional requirements that
are needed for the access control effort to successfully use subentries.

--
Mark Smith
iPlanet