RE: Considering Attribute Subtypes during ACL evaluation

["Steven Legg" <steven.legg@adacel.com.au>]

Jim,

I can't find anything in X.500 that clarifies whether attribute subtyping
applies when evaluating access controls. Our implementation ignores
subtyping when making access control decisions. It seems the safer
choice.

Regards,
Steven

-----Original Message-----
From: Jim Sermersheim [mailto:JIMSE@novell.com]
Sent: Tuesday, 3 October 2000 9:40
To: prasanta@netscape.com; Kurt@OpenLDAP.org
Cc: ietf-ldapext@netscape.com; hahnt@us.ibm.com
Subject: Re: Considering Attribute Subtypes during ACL evaluation


I agree for the exact same reason optional support of attr subtyping). It
would also be interesting to hear from the X.500 community on how this is
handled by different vendors. I found the whole thing unspecified.

Jim


>>> "Kurt D. Zeilenga" <Kurt@OpenLDAP.org> 9/30/00 12:59:03 PM >>>
At 07:39 AM 9/30/00 -0700, Prasanta Behera wrote:
>Currently  the netscape/iPlanet DS ACL supports a attribute inheritance of
subtypes e.g. if you allow access to
>"cn", it automatically means { cn, cn;* }
>
>However, it is much harder to map "name" to "cn, sn".

Depends upon your server implementation...  I argue that
mapping "name" to "cn" is no harder than mapping "2.5.4.3"
to "cn".  Both require schema aware ACL evaluation and
once you have that, supporting subtyping is likely no big
deal. Implementing schema aware ACL evaluation may be hard,
but it's already required to handle alternative naming
of attribute types.

However, given that subtyping is optional in LDAPv3, one
could argue it's best to leave subtyping within ACLs as
being optional.

Kurt