
RE: LDAP subentry alignment with X.500 subentry



The reason for ACI in subentries is that one can support the nested
directory admin model and make domain based ACI decisions over distributed
(X.500) DSAs. Whereas entry level ACI - may let a user do operations on the
directory using the directory resources only to find they are denied to do
these at the entry level (and on millions of other entries.. ie entry level
ACI is easy to implement - but a really bad way of working in terms of system
level resource protection, large scale protected distributed systems - and
operationally hard to configure and manage..

ie. configuring entry level ACI for millions of entries - across many
servers - at the entry level takes time ... This process is also open to
having errors introduced where back door holes might be the result of
misconfiguration.  

If one adopts admin points and rules based configuration and deals with
large scale distributed directory entries - then the nested admin model is
best - simply because it does scale and is easier to operate with rules -
This approach also aligns with conventional management models used by
business ie top down. If an entry level aci is used - one must consider the
cost to configure and test, the use of directory resource before making the
actual ACI decision, the hierarchy of entries, their denials and permissions
and any alias dereferencing...


as an example - say one has a distributed directory with 250 million entries
in it and one wanted to apply a new rule for a new set of users and business
services - for each entry... if an entry takes even half a minute to
configure.. the job will be a life time career...

regards alan




Stephen,

snip

However, I would also like to see a discussion of why we should put acis
into subentries rather than just store them as ldapACI attributes in
entries.  What are the pros and cons ?

Cheers,
Rob.

snip
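The scaling argument in Alan's reply rests on a subentry's scope being a rule rather than a per-entry attribute. The following is an added example, not code from this thread or from any DSA: it models the subset of the X.500/RFC 3672 subtreeSpecification (base, minimum/maximum depth, chopBefore and chopAfter exclusions) under an administrative point, and counts how many constructed sample entries one subentry rule governs. DN handling is deliberately naive (no escaped commas) and all DNs are made up.

```python
from __future__ import annotations
from dataclasses import dataclass, field

def dn_rdns(dn: str) -> list[str]:
    """Split a DN into RDNs ordered root-first (naive: no escaped commas)."""
    return [r.strip().lower() for r in dn.split(",") if r.strip()][::-1]

@dataclass
class SubtreeSpec:
    """Subset of RFC 3672 subtreeSpecification, relative to the admin point."""
    base: str = ""                 # local name below the admin point ("" = admin point)
    minimum: int = 0               # smallest depth below base that is in scope
    maximum: int | None = None     # largest depth below base (None = unlimited)
    chop_before: list[str] = field(default_factory=list)  # exclude name and below
    chop_after: list[str] = field(default_factory=list)   # exclude only below name

def relative_depth(entry: list[str], ancestor: list[str]) -> int | None:
    """Depth of entry below ancestor, or None when entry is not under it."""
    if len(entry) < len(ancestor) or entry[:len(ancestor)] != ancestor:
        return None
    return len(entry) - len(ancestor)

def in_scope(entry_dn: str, admin_point: str, spec: SubtreeSpec) -> bool:
    """True when the subentry's prescriptive ACI governs entry_dn."""
    entry = dn_rdns(entry_dn)
    base = dn_rdns(admin_point) + dn_rdns(spec.base)
    depth = relative_depth(entry, base)
    if depth is None or depth < spec.minimum:
        return False
    if spec.maximum is not None and depth > spec.maximum:
        return False
    for name in spec.chop_before:        # excluded entry and everything under it
        if relative_depth(entry, base + dn_rdns(name)) is not None:
            return False
    for name in spec.chop_after:         # only the subordinates of the excluded entry
        d = relative_depth(entry, base + dn_rdns(name))
        if d is not None and d > 0:
            return False
    return True

def covered_by_one_rule(entries: list[str], admin_point: str, spec: SubtreeSpec) -> list[str]:
    """Entries one subentry rule governs; entry-level ACI would need one attribute each."""
    return [e for e in entries if in_scope(e, admin_point, spec)]

# Constructed sample data: one admin point, one subentry rule, a handful of entries.
ADMIN_POINT = "ou=people,dc=example,dc=com"
SPEC = SubtreeSpec(chop_before=["ou=contractors"], chop_after=["ou=guests"])
SAMPLE_ENTRIES = [
    "cn=alice,ou=people,dc=example,dc=com",
    "cn=bob,ou=staff,ou=people,dc=example,dc=com",
    "ou=contractors,ou=people,dc=example,dc=com",
    "cn=eve,ou=contractors,ou=people,dc=example,dc=com",
    "ou=guests,ou=people,dc=example,dc=com",
    "cn=carol,ou=guests,ou=people,dc=example,dc=com",
    "cn=root,dc=example,dc=com",
]
```

Running `covered_by_one_rule(SAMPLE_ENTRIES, ADMIN_POINT, SPEC)` returns alice, bob and the guests container: the contractors subtree is chopped before its root, the guests subtree is chopped after its root, and the entry outside the admin point is never considered.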