
RE: Considering Attribute Subtypes during ACL evaluation



Hi Jim,
 
X.500, in my opinion, says nothing about Access Control and subtyping. Access Control can be given on an
attribute basis and has nothing to do with the subtyping of attributes.
Subtypes are defined in the schema and are only used in the search: if you
give a supertype in a filter item, all subtypes will be searched also.
 
Helmut
-----Original Message-----
From: Jim Sermersheim [mailto:JIMSE@novell.com]
Sent: Tuesday, 3 October 2000 00:40
To: prasanta@netscape.com; Kurt@OpenLDAP.org
Cc: ietf-ldapext@netscape.com; hahnt@us.ibm.com
Subject: Re: Considering Attribute Subtypes during ACL evaluation

I agree for the exact same reason (optional support of attr subtyping). It would also be interesting to hear from the X.500 community on how this is handled by different vendors. I found the whole thing unspecified.
 
Jim


>>> "Kurt D. Zeilenga" <Kurt@OpenLDAP.org> 9/30/00 12:59:03 PM >>>
At 07:39 AM 9/30/00 -0700, Prasanta Behera wrote:
>Currently the netscape/iPlanet DS ACL supports an attribute inheritance of subtypes, e.g. if you allow access to
>"cn", it automatically means { cn, cn;* }
>
>However, it is much harder to map "name" to "cn, sn".

Depends upon your server implementation...  I argue that
mapping "name" to "cn" is no harder than mapping "2.5.4.3"
to "cn".  Both require schema aware ACL evaluation and
once you have that, supporting subtyping is likely no big
deal. Implementing schema aware ACL evaluation may be hard,
but it's already required to handle alternative naming
of attribute types.

However, given that subtyping is optional in LDAPv3, one
could argue it's best to leave subtyping within ACLs as
being optional.

Kurt
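The schema-aware evaluation Kurt describes (resolving "2.5.4.3" and "commonName" to cn, and optionally "name" to its subtypes cn and sn), together with the cn -> cn;* option handling Prasanta mentions, as an added illustration that is not code from any of the posters or from any directory server. The mini-schema, the `resolve`/`is_subtype`/`acl_covers` names and the `inherit_subtypes` switch are all constructed for this example.

```python
"""Schema-aware ACL attribute matching with optional subtype inheritance."""
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class AttributeType:
    oid: str
    names: tuple          # all short names / aliases for this type
    sup: Optional[str] = None  # OID of the supertype (SUP in the schema)

# Constructed mini-schema modelled on the X.500 core attribute types:
# name is the supertype of cn and sn; telephoneNumber has no supertype.
SCHEMA = {
    "2.5.4.41": AttributeType("2.5.4.41", ("name",)),
    "2.5.4.3":  AttributeType("2.5.4.3", ("cn", "commonName"), sup="2.5.4.41"),
    "2.5.4.4":  AttributeType("2.5.4.4", ("sn", "surname"), sup="2.5.4.41"),
    "2.5.4.20": AttributeType("2.5.4.20", ("telephoneNumber",)),
}

def resolve(desc: str):
    """Map an attribute description 'type;opt1;opt2' to (OID, options).
    The type may be an OID or any of its names, compared case-insensitively."""
    base, *options = desc.split(";")
    key = base.strip().lower()
    for at in SCHEMA.values():
        if key == at.oid or key in (n.lower() for n in at.names):
            return at.oid, frozenset(o.strip().lower() for o in options)
    raise ValueError(f"unknown attribute type: {desc!r}")

def is_subtype(oid: str, ancestor: str) -> bool:
    """True if oid is ancestor or inherits from it along the SUP chain."""
    while oid is not None:
        if oid == ancestor:
            return True
        oid = SCHEMA[oid].sup
    return False

def acl_covers(granted: str, requested: str, inherit_subtypes: bool = True) -> bool:
    """Does an ACL grant on `granted` cover access to `requested`?
    A grant without options covers every tagged variant (cn -> cn;*);
    a grant with options covers only descriptions carrying those options.
    Subtypes (name -> cn, sn) are covered only when inherit_subtypes is
    set, since subtyping is optional in LDAPv3."""
    g_oid, g_opts = resolve(granted)
    r_oid, r_opts = resolve(requested)
    type_ok = is_subtype(r_oid, g_oid) if inherit_subtypes else r_oid == g_oid
    return type_ok and g_opts <= r_opts
```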