[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: application defined permissions

To: Bruce Greenblatt <bgreenblatt@directory-applications.com>
Subject: Re: application defined permissions
From: Rolf.Maeule@varetis.de
Date: Wed, 21 Feb 2001 17:38:01 +0100
Cc: ietf-ldapext@netscape.com

> Bruce Greenblatt wrote at 21.02.01 01:48:
>
> At 11:17 AM 2/20/2001 -0800, Kurt D. Zeilenga wrote:
>
> >Because a directory implementation may not implement the operational
> >usage but your application should still be able to store the user
> >value.  A server which does not support the operational usage should
> >not publish the ldapACI attribute in its subschema.
>
> I think that the application defined permissions are only useful in an
LDAP
> server that already implements the rest of the ACL model.  It is
important
> that the effective rights computation for application defined permissions

> take place in the same manner as the LDAP defined permissions.  If the
LDAP
> server is not implementing the operational usage and effective rights
> computation, it is unlikely to be able to implement the computation for
> application defined permissions.  I don't ever see an implementation
> supporting only application defined permissions.  If all an application
> needs is a place to store permissions, it can easily use the member
> attribute, or something analogous.  IMHO, the important thing is the
> ability of the LDAP server to compute effective rights.

I agree.

> So, I'd like to
> see the application defined permissions bundled into the same attribute
as
> the other permissions.  However, if the consensus of the WG is to create
> two separate operational attributes, and have the exact same effective
> rights operations and controls applying to each attribute, we could
> probably do it that way.
>
> Bruce

I see two kinds of extensions:

a) additional rights needed for LDAP operations. A right like "return
temporary DN which is valid for 5 minutes" might even influence standard
LDAP operations. You need to modify the LDAP server to support it.

b) additional rights needed by applications etc. Such rights will never
influence server implementation.

An LDAP server might want to reject extensions of type a) or at least say
"Warning: I do not understand this extension", but accept extensions of
type b).  I therefore suggest using two attributes.

Rolf

Follow-Ups:
- Re: application defined permissions
  - From: Rob Byrne <Robert.Byrne@france.Sun.COM>

Prev by Date: Over35 Free Newsletter - Look Younger with Face Exercises
Next by Date: Inheriting / Cacheing / Replicating policy from superior administrative areas
Index(es):
- Chronological
- Thread