
RE: LDAP subentry alignment with X.500 subentry



Albert,

> -----Original Message-----
> From: owner-ietf-ldup@mail.imc.org
> [mailto:owner-ietf-ldup@mail.imc.org]On Behalf Of Albert Langer
> Sent: Friday, 14 July 2000 18:23
> To: Robert.Byrne@France.Sun.COM; Alan.Lloyd@ca.com; Ron.Ramsay@ca.com;
> ietf-ldapext@netscape.com
> Cc: ietf-ldup@imc.org
> Subject: RE: LDAP subentry alignment with X.500 subentry

[snip]
 
> [Robert]
> Albert, doesn't an entry know the other attributes that it contains as well
> and so could evaluate an arbitrary filter?
> [Albert]
> Sorry, I should have said "the (structural) object class of an entry is
> fixed and therefore the set of applicable subentries does not need to be
> recalculated on every search". With general filters such a calculation would
> be needed on every search, for every subentry that has a parent within the
> base of the search applied to every entry within the scope of the search.
> This is multiplying the cost of a search by the number of potentially
> applicable subentries (not just the number of actually applicable
> subentries).

The specificationFilter of a SubtreeSpecification applies to the
objectClass attribute rather than the structuralObjectClass. Since the
objectClass can contain optional auxiliary object classes that come
and go, a conformant X.500 implementation already has to deal with the
situation where the set of applicable subentries changes.

Some of our customers need to be able to set access controls based on
the non-objectClass attributes of the entry. The way we have achieved
this with X.500 basic access control is to define an auxiliary object
class, with no mandatory or optional attributes, that we use to tag
entries satisfying an implied filter on the entry contents.
SubtreeSpecifications then reference the auxiliary class in their
specificationFilters. The auxiliary class tagging has to be maintained
manually. Being able to filter on arbitrary entry contents in the
specificationFilter would be better.

[snip]

>
> Please send or CC any comments to LDUP as I won't see them in LDAP-EXT.
>
> Seeya, Albert

Regards,
Steven
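
Added example, not part of the original message or of any product discussed in it: a Python sketch of how a specificationFilter (an X.501 Refinement of item/and/or/not over objectClass values) is evaluated, and of the auxiliary-class tagging workaround described above, including the window in which a stale tag keeps an access control subentry applied to an entry whose contents no longer match. The class name `restrictedPersonTag`, the implied rule on `departmentNumber` and the sample entry are assumptions constructed for illustration.

```python
# Refinement forms: ("item", oc), ("and", [...]), ("or", [...]), ("not", r)

def refinement_matches(refinement, object_classes):
    """Evaluate a specificationFilter against an entry's objectClass values."""
    kind, arg = refinement
    ocs = {oc.lower() for oc in object_classes}
    if kind == "item":
        return arg.lower() in ocs
    if kind == "and":
        return all(refinement_matches(r, object_classes) for r in arg)
    if kind == "or":
        return any(refinement_matches(r, object_classes) for r in arg)
    if kind == "not":
        return not refinement_matches(arg, object_classes)
    raise ValueError(f"unknown refinement form: {kind!r}")

TAG_CLASS = "restrictedPersonTag"  # hypothetical auxiliary class, no attributes

def implied_filter(entry):
    """Hypothetical content rule the tag stands for: department is finance."""
    return "finance" in [v.lower() for v in entry.get("departmentNumber", [])]

def retag(entry):
    """Bring the tag in line with the entry contents; True if it changed."""
    classes = entry.setdefault("objectClass", [])
    tagged = any(oc.lower() == TAG_CLASS.lower() for oc in classes)
    wanted = implied_filter(entry)
    if wanted and not tagged:
        classes.append(TAG_CLASS)
    elif tagged and not wanted:
        classes[:] = [oc for oc in classes if oc.lower() != TAG_CLASS.lower()]
    return wanted != tagged

# Constructed specificationFilter of an access control subentry
ACL_FILTER = ("and", [("item", "person"), ("item", TAG_CLASS)])

def demo():
    entry = {"objectClass": ["top", "person"], "departmentNumber": ["Finance"]}
    stale = refinement_matches(ACL_FILTER, entry["objectClass"])  # tag missing
    retag(entry)
    fresh = refinement_matches(ACL_FILTER, entry["objectClass"])
    entry["departmentNumber"] = ["Sales"]  # contents change, tag not yet fixed
    drift = refinement_matches(ACL_FILTER, entry["objectClass"])
    retag(entry)
    final = refinement_matches(ACL_FILTER, entry["objectClass"])
    return stale, fresh, drift, final

if __name__ == "__main__":
    print(demo())
```

The `stale` and `drift` results are the cases to audit for when the tag is maintained by hand: the subentry's applicability follows the tag, not the entry contents.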