
Re: Considering Attribute Subtypes during ACL evaluation



Kurt,

I agree that the optional/mandatory specification for ACLs to be sensitive
to subtyping should follow what an implementation does with attribute
subtyping support, i.e. if attribute subtypes are supported, then the ACL
implementation should be sensitive to them as well.

Regards,
Tim Hahn

Internet: hahnt@us.ibm.com
Internal: Timothy Hahn/Endicott/IBM@IBMUS or IBMUSM00(HAHNT)
phone: 607.752.6388     tie-line: 8/852.6388
fax: 607.752.3681


"Kurt D. Zeilenga" <Kurt@OpenLDAP.org> on 09/30/2000 02:59:03 PM

To:   prasanta@netscape.com (Prasanta Behera)
cc:   Timothy Hahn/Endicott/IBM@IBMUS, ietf-ldapext@netscape.com
Subject:  Re: Considering Attribute Subtypes during ACL evaluation



At 07:39 AM 9/30/00 -0700, Prasanta Behera wrote:
>Currently the netscape/iPlanet DS ACL supports attribute inheritance of
>subtypes e.g. if you allow access to
>"cn", it automatically means { cn, cn;* }
>
>However, it is much harder to map "name" to "cn, sn".

Depends upon your server implementation...  I argue that
mapping "name" to "cn" is no harder than mapping "2.5.4.3"
to "cn".  Both require schema aware ACL evaluation and
once you have that, supporting subtyping is likely no big
deal. Implementing schema aware ACL evaluation may be hard,
but it's already required to handle alternative naming
of attribute types.

However, given that subtyping is optional in LDAPv3, one
could argue it's best to leave subtyping within ACLs as
being optional.

Kurt
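
Kurt's point that a schema-aware evaluator makes "name -> cn, sn" no harder than "2.5.4.3 -> cn", together with Prasanta's "cn means { cn, cn;* }", as an added example that is not code from this thread or from any of the servers mentioned. The mini-schema, the ACL rules and the first-match, default-deny evaluator are assumptions made for illustration; the OIDs are the standard X.500 ones.

```python
# Added example, not code from the thread or any LDAP server. The mini-schema
# and ACL rules are constructed; the OIDs are the standard X.500 ones.
SCHEMA = {  # OID -> short names and superior type (SUP), as in an LDAP schema
    "2.5.4.41": {"names": ["name"], "sup": None},
    "2.5.4.3": {"names": ["cn", "commonName"], "sup": "2.5.4.41"},
    "2.5.4.4": {"names": ["sn", "surname"], "sup": "2.5.4.41"},
}
# Resolve any of OID / short name / alias to the canonical OID.
LOOKUP = {oid: oid for oid in SCHEMA}
for _oid, _t in SCHEMA.items():
    for _n in _t["names"]:
        LOOKUP[_n.lower()] = _oid


def normalize(attr_desc):
    """'CN;lang-en' -> ('2.5.4.3', frozenset({'lang-en'})); unknown type is an error."""
    base, *options = attr_desc.lower().split(";")
    oid = LOOKUP.get(base)
    if oid is None:
        raise ValueError(f"unknown attribute type: {attr_desc}")
    return oid, frozenset(o for o in options if o)


def supertypes(oid):
    """Yield oid and each ancestor reached through SUP."""
    while oid is not None:
        yield oid
        oid = SCHEMA[oid]["sup"]


def rule_covers(rule_attr, requested_attr):
    """Schema-aware match: a rule on 'cn' governs cn, 2.5.4.3, commonName and
    cn;* ; a rule on 'name' governs cn and sn; a rule on 'cn;lang-en' governs
    only descriptions that carry that option."""
    r_oid, r_opts = normalize(rule_attr)
    q_oid, q_opts = normalize(requested_attr)
    return r_oid in supertypes(q_oid) and r_opts <= q_opts


def naive_covers(rule_attr, requested_attr):
    """Plain string comparison, for contrast: blind to aliases, OIDs and options."""
    return rule_attr.lower() == requested_attr.lower()


def decide(acl, requested_attr, covers=rule_covers):
    """First-match evaluation over [(effect, attr), ...] with default deny."""
    for effect, rule_attr in acl:
        if covers(rule_attr, requested_attr):
            return effect
    return "deny"
```

Swapping `covers=naive_covers` into `decide` shows what a string-comparing evaluator misses: a deny on "cn" no longer reaches "cn;lang-en", "commonName" or "2.5.4.3".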