
RE: LDAP subentry alignment with X.500 subentry



Rob,

> -----Original Message-----
> From: owner-ietf-ldup@mail.imc.org
> [mailto:owner-ietf-ldup@mail.imc.org]On Behalf Of Rob Byrne - Sun
> Microsystems
> Sent: Saturday, 8 July 2000 3:55
> To: Mark C Smith
> Cc: Kurt D. Zeilenga; ietf-ldapext@netscape.com; ietf-ldup@imc.org; Ed
> Reed
> Subject: Re: LDAP subentry alignment with X.500 subentry
> 
> 
> 
> Mark,
> 
> I would say that the complexity of the X.500 style specifier would be a
> barrier to its adoption for the LDAP access control model.
> So I would say some simplified subtree specifier would be preferable
> (base, onelevel, subtree?).

Would it be acceptable to use the X.500 SubtreeSpecification but
constrain it for use in LDAP? I would rather deal with a subset of
existing functionality than a separate mechanism to do the same thing.
It would also provide an obvious upgrade path in future versions of LDAP
by relaxing the constraints, if it proves desirable.

The simple subtree specifier above would be equivalent to providing
only the "minimum" or "maximum" component of a ChopSpecification, e.g.

base equates to "{ maximum 0 }"
onelevel equates to "{ minimum 1, maximum 1 }" or maybe "{ maximum 1 }"
subtree equates to "{ }"

All other fields being absent.

Regards,
Steven

> 
> Even ignoring the subtree specifier there are cons associated with putting
> acis into subentries compared to just storing them as attributes--for
> example you need to control access to the subentries which, because
> subentries do not behave like ordinary entries, requires at least one
> additional aci attribute (something like entryACI or subEntryACI).
> 
> Rob.
> 
> Mark C Smith wrote:
> 
> >
> > > I primarily make these suggestions because I believe these changes
> > > would make subentries within LDAP more usable, in particular, when
> > > used in support of the access control model.
> >
> > Interesting.  Before we throw out the simple LDAPsubentry that Ed has
> > defined, I think someone should list the additional requirements that
> > are needed for the access control effort to successfully use subentries.
> >
> > --
> > Mark Smith
> > iPlanet
> 
>
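
The minimum/maximum mappings discussed in this message, worked through as an added example (not part of the original thread and not code from any LDAP or X.500 implementation). It evaluates only the `minimum` and `maximum` components of a ChopSpecification against constructed sample DNs; the function names are hypothetical and RDN matching is simplified to a case-insensitive string comparison.

```python
# Added example: depth check for a ChopSpecification restricted to
# minimum/maximum. Names and sample DNs are constructed for illustration.

def split_rdns(dn):
    """Split a DN string into RDNs, honouring backslash-escaped commas."""
    rdns, cur, i = [], "", 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            cur += dn[i:i + 2]          # keep the escape pair intact
            i += 2
            continue
        if dn[i] == ",":
            rdns.append(cur.strip())
            cur = ""
        else:
            cur += dn[i]
        i += 1
    if cur.strip():
        rdns.append(cur.strip())
    return [r.lower() for r in rdns]    # simplified matching (assumption)


def in_chop(base_dn, entry_dn, minimum=0, maximum=None):
    """True if entry_dn is at a depth in [minimum, maximum] below base_dn.

    minimum defaults to 0; an absent maximum means no lower boundary.
    """
    base, entry = split_rdns(base_dn), split_rdns(entry_dn)
    depth = len(entry) - len(base)
    if depth < 0 or entry[depth:] != base:
        return False                    # not at or below the base
    if depth < minimum:
        return False
    return maximum is None or depth <= maximum


def select(base_dn, entries, **chop):
    """Entries covered by the given minimum/maximum at base_dn."""
    return [e for e in entries if in_chop(base_dn, e, **chop)]


BASE = "ou=People,dc=example,dc=com"    # constructed sample data
ENTRIES = [
    "dc=example,dc=com",
    "ou=People,dc=example,dc=com",
    "uid=alice,ou=People,dc=example,dc=com",
    "cn=laptop,uid=alice,ou=People,dc=example,dc=com",
    "uid=bob,ou=Groups,dc=example,dc=com",
]
```

With this data, `select(BASE, ENTRIES, maximum=1)` returns the base entry as well as its immediate child, while `select(BASE, ENTRIES, minimum=1, maximum=1)` returns only the child, which matters when the specification scopes an access control subentry.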