
Re: application defined permission



At 09:01 AM 3/9/01 -0800, Bruce Greenblatt wrote:
>At 08:50 AM 3/9/2001 -0800, Kurt D. Zeilenga wrote:
>
>>I concur.  The ACL model should be simple.  This would add
>>unnecessary complexity to the specification and implementations.
>
>I don't really see how the proposal that I made is that complex.

How does a client determine if the server implements a particular
ACM extension?

I thought we had previously discussed how ACM updates/extensions would
be handled and reached some consensus on the issue.  I was under the
impression that if the syntax needed to be updated, a new syntax would
be defined.  This allows use of existing schema discovery mechanisms
to determine which syntaxes are supported.  However, if the syntax
itself is extensible, the model must support a means for discovering
how the syntax might have been extended.  This, in my opinion, is a
completely unnecessary complication.

>You are just adding an extra possibility that doesn't restrict the
>operations of the directory in any way.  If the LDAP server chooses to
>implement the application defined permissions (which it doesn't have
>to), then in calculating the effective rights the application defined
>permissions should be taken into account.  This seems pretty simple to
>me.  I was never trying to say that all LDAP servers had to implement
>this.  If you don't want to implement application defined permissions,
>don't do it.  It's just one other option for implementors.
>
>I think that limiting the list of permissions to those specifically
>defined in the acl model document is opening the door for the
>possibility of problems down the road.  By building in extensibility,
>you are making sure that the protocol and model won't be broken down
>the road.

Adding extensibility requires more than simple syntactic sugar.

>>We also use "pseudo" attributes (which don't actually exist)
>>to govern access to information not held in any attributes.
>
>Are you proposing this as a mechanism to implement application defined permissions?

This comment was in the context of extended operation permissions
but may apply to application defined permissions as well.  However,
the point was secondary.  The primary point was that permissions
governing extended operations can be specified in terms of access
upon directory information.  This is a viable alternative to
specific extended operation access information.

Kurt
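
The schema discovery step referred to above (a client reading the
ldapSyntaxes attribute of the subschema subentry, RFC 4512 section
4.2.5, to find out which syntaxes a server supports before choosing an
ACL syntax version) looks roughly like the following.  This is an added
illustration, not code from the thread or from any LDAP implementation.
The three syntaxes with the 1.3.6.1.4.1.1466.115.121.1 prefix are real
ones from RFC 4517; the OIDs under 1.3.6.1.4.1.99999 are hypothetical
placeholders standing in for "old" and "new" ACL syntaxes, since the
thread defines no such OIDs.  The sample values are constructed, so the
script runs offline without a directory server.

```python
import re

# Constructed sample of ldapSyntaxes values, as a client would read them
# from the subschema subentry.  The first three are real syntaxes from
# RFC 4517; the last is a HYPOTHETICAL placeholder for an ACL syntax
# (the thread defines no OID for one).
SAMPLE_LDAP_SYNTAXES = [
    "( 1.3.6.1.4.1.1466.115.121.1.15 DESC 'Directory String' )",
    "( 1.3.6.1.4.1.1466.115.121.1.12 DESC 'DN' )",
    "( 1.3.6.1.4.1.1466.115.121.1.7 DESC 'Boolean' )",
    "( 1.3.6.1.4.1.99999.1.1 DESC 'hypothetical ACL syntax, version 1' )",
]

# LDAPSyntaxDescription (RFC 4512 4.2.5): "(" numericoid [DESC qdstring] extensions ")"
_SYNTAX_RE = re.compile(r"^\(\s*([0-9]+(?:\.[0-9]+)+)\s*(.*?)\s*\)$")
# DESC content is a qdstring; quotes inside it are escaped as \27, so
# a plain non-quote run is sufficient here.
_DESC_RE = re.compile(r"DESC\s+'([^']*)'")


def parse_ldap_syntax(value):
    """Parse one ldapSyntaxes value into (numericoid, description)."""
    m = _SYNTAX_RE.match(value.strip())
    if not m:
        raise ValueError("not an LDAPSyntaxDescription: %r" % value)
    oid, rest = m.group(1), m.group(2)
    d = _DESC_RE.search(rest)
    return oid, (d.group(1) if d else "")


def supported_syntaxes(values):
    """Map every advertised syntax OID to its DESC string."""
    return {oid: desc for oid, desc in (parse_ldap_syntax(v) for v in values)}


def supports_syntax(values, oid):
    """True if the server's ldapSyntaxes values advertise the given OID."""
    return oid in supported_syntaxes(values)


def select_acl_syntax(values, preferred_oids):
    """Pick the first OID in preferred_oids (newest first) that the server
    advertises; None means no common ACL syntax and the client must not
    guess at an extension the server may not understand."""
    advertised = supported_syntaxes(values)
    for oid in preferred_oids:
        if oid in advertised:
            return oid
    return None


if __name__ == "__main__":
    # Hypothetical: the client understands ACL syntax v2 and v1, newest first.
    wanted = ["1.3.6.1.4.1.99999.1.2", "1.3.6.1.4.1.99999.1.1"]
    for oid, desc in sorted(supported_syntaxes(SAMPLE_LDAP_SYNTAXES).items()):
        print("%-32s %s" % (oid, desc))
    print("negotiated ACL syntax:", select_acl_syntax(SAMPLE_LDAP_SYNTAXES, wanted))
```

The point of the thread is visible in the last function: because each
revision of the ACL syntax is its own OID, the client learns what the
server supports from schema it already reads, with no extra discovery
mechanism for "how the syntax might have been extended".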