Re: LDAP subentry alignment with X.500 subentry



Mark,

I would say that the complexity of the X.500 style specifier would be a barrier
to its adoption for the LDAP access control model.
So I would say some simplified subtree specifier would be preferable (base,
onelevel, subtree ?).

Even ignoring the subtree specifier there are cons associated with putting acis
into subentries compared to just storing them as attributes--for example, you need
to control access to the subentries which, because subentries do not behave like
ordinary entries, requires at least one additional aci attribute (something like
entryACI or subEntryACI).

Rob.

Mark C Smith wrote:

>
> > I primarily make these suggestions because I believe these changes would
> > make subentries within LDAP more usable, in particular, when used in
> > support of the access control model.
>
> Interesting.  Before we throw out the simple LDAPsubentry that Ed has
> defined, I think someone should list the additional requirements that
> are needed for the access control effort to successfully use subentries.
>
> --
> Mark Smith
> iPlanet