
RE: Considering Attribute Subtypes during ACL evaluation



Kurt,

> -----Original Message-----
> From: Kurt D. Zeilenga [mailto:Kurt@OpenLDAP.org]
> Sent: Monday, 9 October 2000 12:00
> To: steven.legg@adacel.com.au
> Cc: 'Jim Sermersheim'; ietf-ldapext@netscape.com
> Subject: RE: Considering Attribute Subtypes during ACL evaluation
> 
> 
> At 10:15 AM 10/9/00 +1100, Steven Legg wrote:
> >I can't find anything in X.500 that clarifies whether 
> attribute subtyping
> >applies when evaluating access controls. Our implementation ignores
> >subtyping when making access control decisions.
> 
> What does it do for language tags and ;binary?  These are forms
> of subtyping as well.

We have to be able to shuffle attribute types with language tags
through DSP somehow, so we define attribute types with language
tags as formal attribute subtypes in the X.500 sense (we don't
support contexts). Obviously that means we are restricted to single
inheritance. The access control decision function ignores subtyping
so access controls on cn don't apply to cn;lang-en.

We treat the ;binary option as a transfer encoding specifier,
rather than as a subtype. It only determines how the attribute's
values are encoded to go out or come in. The bulk of the server
code cares nothing about ;binary. The access control decision
function, in particular, will appear to apply access controls
on cn to cn;binary as well.
 
> 
> >It seems the safer choice.
> 
> X.500 doesn't have attribute type options, so direct comparisons
> are invalid.

I wouldn't say that. The question is whether LDAP access controls on
a supertype should apply to the subtype. We are not prevented
from looking elsewhere for inspiration. Whether X.500 access control
does or doesn't support subtyping is still a worthwhile question,
even though the answer does not constrain LDAP access control in any
way because we are talking about an unrelated access control scheme.

> With the advent of LDAP attribute type options, in
> particular, language tags and ;binary, I believe it very important
> that an ACI for "cn" apply not only to "cn" but "cn;lang-en"
> and "cn;binary".   I would argue it best that if attribute type
> option subtyping is supported, then traditional X.500 subtyping
> should be supported as well (or at least allowed).

The concern with this sort of inheritance is that the access controls
may later apply to things that the access control creator was not
aware of at the time of creation. If there is no inheritance there
can be no surprises. By the way, I'm not strongly for or against
such inheritance.

> 
> Kurt
> 
>

Regards,
Steven
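An added illustration of the two evaluation behaviours discussed above (my own example code, not the Adacel server's or OpenLDAP's): a strict decision function where an ACI on "cn" does not reach "cn;lang-en" but ";binary" is ignored as a transfer encoding, beside an inheriting one where an ACI on a type also governs its option-qualified forms and, via the X.500 supertype chain, its subtypes. The supertype map is a constructed assumption (following X.520, where cn is a subtype of name).

```python
from dataclasses import dataclass

# Constructed X.500-style supertype chain (assumption for this example).
SUPERTYPE = {"cn": "name", "sn": "name"}


@dataclass(frozen=True)
class AttrDesc:
    base: str
    options: frozenset


def parse_attr_desc(desc: str) -> AttrDesc:
    """Split 'cn;lang-en;binary' into its base type and option set."""
    base, *opts = desc.lower().split(";")
    return AttrDesc(base, frozenset(o for o in opts if o))


def aci_applies(aci_type: str, target: str, inherit: bool) -> bool:
    """Does an ACI written for aci_type govern the attribute description target?

    inherit=False: the strict behaviour described in the thread, where
    controls on 'cn' do not reach 'cn;lang-en'; only ';binary' is ignored,
    because it is treated as a transfer encoding rather than a subtype.
    inherit=True: the proposed behaviour, where an ACI for 'cn' also covers
    'cn;lang-en' and 'cn;binary', and an ACI for a supertype covers its
    subtypes.
    """
    aci = parse_attr_desc(aci_type)
    tgt = parse_attr_desc(target)
    # ;binary is an encoding choice in both modes; strip it before comparing.
    aci_opts = aci.options - {"binary"}
    tgt_opts = tgt.options - {"binary"}
    if not inherit:
        return aci.base == tgt.base and aci_opts == tgt_opts
    # Walk from the target's type up the subtype chain to the root.
    t = tgt.base
    while t is not None:
        if t == aci.base and aci_opts <= tgt_opts:
            return True
        t = SUPERTYPE.get(t)
    return False


def matching_acis(aci_types, target: str, inherit: bool):
    """All ACI attribute types (from aci_types) that apply to target."""
    return [a for a in aci_types if aci_applies(a, target, inherit)]
```

In strict mode an ACI the administrator wrote for "cn" silently says nothing about "cn;lang-en", which is the gap Kurt's proposal closes, while the inheriting mode is what makes an ACI reach descriptions its creator may not have had in mind.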