Bruce Greenblatt wrote:
>
> As I understand it, in the current ACL Model draft, the kinds of
> permissions that an LDAP server understands are limited to those defined in
> clause 4.1.1. Is this accurate? The reason that I ask is that I would
Hi Bruce,
That's the way it's written right now. I agree that the idea of having
an extensible access control model is very attractive. The reason is
that we could all then legitimately claim to be running version 1.0,
say, of the LDAP access control model...but with our own little tweaks.
It would also hopefully allow writers of new LDAP extended operations
and controls to define the required permissions for their new stuff
without having to ramp the version number of the LDAP access control
model. I started to work on this idea but haven't had time to get it in
a reviewable state...basically the idea would be to allow the permission
list to be extended and in addition to allow an extended permission to
have some "extended fields" associated with it which would contain any
data that the permission required. The problem is of course, what
happens if you send an aci with extended stuff to another server that
doesn't support it...reject it...? OK, but that's a big pain for
replication...OK, publish the "supported extended permissions" in the
rootDSE and make it part of the replication agreement that both servers
check they support the same stuff...I'm just giving you an idea of the
things we need to think about to get an extensible model to work. It's
conceivable that it would be too much work for this pass of the draft.
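A toy model of the scheme sketched in the message above, added here as an illustration only; it is not code from the ACL model draft or from any LDAP server. The base permission names, the "x-" naming of extended permissions, the comma/parenthesis ACI syntax and the rootDSE attribute name are all invented for the example.

```python
"""Extensible ACI permission list with per-server support checks.

Added example (not from the draft or any server). Assumptions, all
invented for illustration:
  * BASE_PERMISSIONS stands in for the draft's fixed permission list;
  * extended permissions carry optional "extended fields" in parentheses,
    e.g.  read,write,x-quota(limit=1024;unit=bytes)
  * each server publishes its supported extended permissions in a
    hypothetical rootDSE attribute "supportedExtendedPermission".
"""
import re
from dataclasses import dataclass

# Assumed base permission set (placeholder for clause 4.1.1 of the draft).
BASE_PERMISSIONS = frozenset({"read", "write", "add", "delete", "search", "compare"})

# name, optionally followed by "(field=value;field=value)"
_PERM_RE = re.compile(r"^\s*([A-Za-z][\w-]*)\s*(?:\((.*)\))?\s*$")


@dataclass(frozen=True)
class Permission:
    name: str
    fields: tuple = ()  # ((key, value), ...); empty for base permissions

    @property
    def is_extended(self) -> bool:
        return self.name not in BASE_PERMISSIONS


def _split_top_level(text: str) -> list:
    """Split on commas that are not inside parentheses (fields may contain commas)."""
    parts, cur, depth = [], [], 0
    for ch in text:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                raise ValueError("unbalanced ')' in permission list")
        if ch == "," and depth == 0:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    if depth != 0:
        raise ValueError("unbalanced '(' in permission list")
    parts.append("".join(cur))
    return [p for p in parts if p.strip()]


def parse_permissions(text: str) -> list:
    """Parse the assumed ACI permission syntax into Permission objects."""
    perms = []
    for item in _split_top_level(text):
        m = _PERM_RE.match(item)
        if not m:
            raise ValueError(f"malformed permission: {item!r}")
        name, raw_fields = m.group(1).lower(), m.group(2)
        pairs = []
        if raw_fields is not None:
            for kv in raw_fields.split(";"):
                if not kv.strip():
                    continue
                if "=" not in kv:
                    raise ValueError(f"extended field without '=': {kv!r}")
                k, v = kv.split("=", 1)
                pairs.append((k.strip(), v.strip()))
        if name in BASE_PERMISSIONS and pairs:
            # Only extended permissions may carry extended fields.
            raise ValueError(f"base permission {name!r} takes no fields")
        perms.append(Permission(name, tuple(pairs)))
    return perms


@dataclass(frozen=True)
class Server:
    name: str
    supported_extended: frozenset = frozenset()

    def root_dse(self) -> dict:
        """What this server would advertise (hypothetical attribute name)."""
        return {"supportedExtendedPermission": sorted(self.supported_extended)}


def unsupported(server: Server, perms: list) -> list:
    """Names of extended permissions in `perms` that `server` cannot interpret."""
    return [p.name for p in perms
            if p.is_extended and p.name not in server.supported_extended]


def check_aci(server: Server, aci_text: str) -> list:
    """The 'reject it' option: refuse an ACI with unknown extended permissions."""
    perms = parse_permissions(aci_text)
    bad = unsupported(server, perms)
    if bad:
        raise ValueError(f"{server.name} rejects ACI: unsupported extended permissions {bad}")
    return perms


def replication_mismatch(a: Server, b: Server) -> set:
    """Extended permissions advertised by one replica but not the other."""
    sa = set(a.root_dse()["supportedExtendedPermission"])
    sb = set(b.root_dse()["supportedExtendedPermission"])
    return sa ^ sb


def replication_compatible(a: Server, b: Server) -> bool:
    """The replication-agreement check: both sides must support the same extensions."""
    return not replication_mismatch(a, b)
```

Running `check_aci` on a replica that does not advertise "x-quota" raises, which is exactly the replication pain the message describes; `replication_mismatch` is the pre-flight test that would let the two servers refuse the agreement up front instead of failing on the first replicated ACI.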