
Candidate LDAP Administration Model

Well - I tried to just add a sentence to the LDAP Subentries text describing an administrative area, and couldn't convince myself that it was sufficient.  Instead, I studied the X.501 (2001) draft and came up with the following description of what is, I think, a compatible, simpler subset of the X.500 model.  I present it here for your comment and feedback to see (1) if it is indeed simpler (2) if it is indeed compatible (3) if it is indeed a subset.

Thanks.  Your comments are requested.  I suggest this be part of the LDAP Subentry draft, that should go onto the proposed standard track.

Ed
=============================================
4	Administrative Areas in the Directory
4.1	X.501 Administrative Model Overview
[X501] contains an extensive description of Administrative Areas and their role in the management and administration of directories.  The LDAP administrative model defined here is intended to be a compatible, proper subset of the [X501] model.  The description here draws heavily on the descriptions and concepts laid out in [X501].

An administrative area is a sub-tree of the directory information tree, rooted at an administrative point (the root-most entry in the sub-tree), where administrative entries (perhaps including subentries, operational attributes, or both) are located.  Autonomous administrative areas are distinct partitions of the directory information tree whose entries are all administered by a single administrative authority.  Each entry in the directory information tree is administered by exactly one autonomous administrative authority.

There may be many aspects of administration defined by the directory and other applications for specific purposes, such as subschema administration areas, access control administration areas, collective-attribute administration areas, context default administrative areas, and service administrative areas.  Within an autonomous administrative area, specific administrative areas for these (and other) different aspects may overlap one another.  

Specific administrative areas may be sub-partitioned by the applications or services which define them to facilitate delegation of authority or for other purposes.  That means that a single entry in the directory may be part of many different specific administrative areas, but only part of one specific administrative area (or sub-area) for each aspect of administration.

The [X501] subentry specification optionally uses a SubtreeSpecification to indicate a subset of entries in a sub-tree with which the subentry is concerned.  When the SubtreeSpecification is empty the scope of the [X501] subentry is implicitly defined by the context in which it occurs.  
4.2	An LDAP Administrative Model
The administrative model for LDAP defined here is a simplified version of the one described in [X501], in that the scope defined for the ldapSubentry object class is limited.  

The LDAP Subentry definition below specifically does not include a SubtreeSpecification, so its scope is explicitly the complete set of entries in the specific administrative area (or sub-area) in which it occurs.  All administrative areas are considered to be specific administrative areas within an autonomous administrative area.  

If a specific administrative area is not partitioned, then its extent (or scope) is said to be that of the autonomous administrative area in which it is defined.

Applications and services which define specific administrative areas must specify whether the areas may be partitioned or not.  By default, the scope of LDAP Subentries is limited to the sub-area of the partitioned specific administrative area in which they are present. 


=================
Ed Reed
Reed-Matthews, Inc.
+1 801 796 7065
http://www.Reed-Matthews.COM
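Added example, not part of Ed's message or of any draft: the scoping rules described in sections 4.1 and 4.2 above, worked through in Python on a small constructed DIT. An entry's administrative point for a given aspect is its nearest ancestor (or itself) holding that aspect's role, so each entry falls into exactly one (sub-)area per aspect; the scope of an ldapSubentry with no SubtreeSpecification is then the complete set of entries whose administrative point for that aspect is the one the subentry sits under. For contrast, x501_subentry_scope applies an RFC 3672 style SubtreeSpecification (base, minimum/maximum depth, chopBefore/chopAfter exclusions; specificationFilter is left out) to select a subset of that area, and an empty specification selects the whole area. The DIT, the role names ("autonomous", "subschema", "accessControl") and the tuple DN representation are assumptions made for this example.

```python
"""Scope resolution for subentries: the proposed LDAP administrative model
(whole specific area or sub-area) versus an X.501 SubtreeSpecification.

DNs are tuples of RDN strings, root-most first, so ("o=acme", "ou=eng") is
the parent of ("o=acme", "ou=eng", "cn=alice").  The DIT, role names and
subtree-specification encoding are constructed for this example.
"""
from dataclasses import dataclass, field
from typing import Optional

DN = tuple

# Constructed sample DIT: DN -> administrative roles the entry holds.
# o=acme is the autonomous administrative point and the administrative point
# for the "subschema" and "accessControl" aspects; ou=eng carries a nested
# "subschema" role, partitioning that aspect into a sub-area.
SAMPLE_DIT = {
    ("o=acme",): {"autonomous", "subschema", "accessControl"},
    ("o=acme", "ou=eng"): {"subschema"},
    ("o=acme", "ou=eng", "cn=alice"): set(),
    ("o=acme", "ou=eng", "ou=lab"): set(),
    ("o=acme", "ou=eng", "ou=lab", "cn=bob"): set(),
    ("o=acme", "ou=sales"): set(),
    ("o=acme", "ou=sales", "cn=carol"): set(),
}


def is_under(dn: DN, ancestor: DN) -> bool:
    """True if dn equals ancestor or lies in the subtree below it."""
    return len(dn) >= len(ancestor) and dn[:len(ancestor)] == ancestor


def administrative_point(dit: dict, entry: DN, aspect: str) -> Optional[DN]:
    """Nearest entry on the path from `entry` up to the root that holds
    `aspect`: the administrative point of the (sub-)area for that aspect to
    which `entry` belongs.  Every entry has exactly one per aspect."""
    for depth in range(len(entry), 0, -1):
        candidate = entry[:depth]
        if aspect in dit.get(candidate, set()):
            return candidate
    return None


def ldap_subentry_scope(dit: dict, admin_point: DN, aspect: str) -> set:
    """Scope of an ldapSubentry (no SubtreeSpecification) located under
    `admin_point`: every entry whose nearest administrative point for
    `aspect` is `admin_point`.  Entries below a nested administrative point
    of the same aspect belong to that sub-area and are excluded."""
    return {dn for dn in dit if administrative_point(dit, dn, aspect) == admin_point}


@dataclass
class SubtreeSpecification:
    """Subset of an X.501 SubtreeSpecification (RFC 3672 style): base,
    minimum/maximum depth and specific exclusions.  specificationFilter is
    omitted.  All DNs here are relative to the administrative point."""
    base: DN = ()
    minimum: int = 0
    maximum: Optional[int] = None
    chop_before: list = field(default_factory=list)  # exclude entry and subordinates
    chop_after: list = field(default_factory=list)   # exclude subordinates only


def x501_subentry_scope(dit: dict, admin_point: DN, aspect: str,
                        spec: SubtreeSpecification) -> set:
    """Entries of the administrative area selected by `spec`.  The selection
    is bounded by the area, and an empty specification selects all of it,
    which is exactly the ldapSubentry scope."""
    root = admin_point + spec.base
    selected = set()
    for dn in ldap_subentry_scope(dit, admin_point, aspect):
        if not is_under(dn, root):
            continue
        depth = len(dn) - len(root)
        if depth < spec.minimum:
            continue
        if spec.maximum is not None and depth > spec.maximum:
            continue
        if any(is_under(dn, root + c) for c in spec.chop_before):
            continue
        if any(is_under(dn, root + c) and dn != root + c for c in spec.chop_after):
            continue
        selected.add(dn)
    return selected


if __name__ == "__main__":
    eng = ("o=acme", "ou=eng")
    print("subschema sub-area rooted at ou=eng:",
          sorted(ldap_subentry_scope(SAMPLE_DIT, eng, "subschema")))
    print("remainder of the subschema area at o=acme:",
          sorted(ldap_subentry_scope(SAMPLE_DIT, ("o=acme",), "subschema")))
    spec = SubtreeSpecification(base=("ou=eng",), chop_before=[("ou=lab",)])
    print("X.501 subtree within the accessControl area:",
          sorted(x501_subentry_scope(SAMPLE_DIT, ("o=acme",), "accessControl", spec)))
```

Running the module shows the partitioning point: alice, lab and bob fall under the ou=eng subschema sub-area, so a subschema ldapSubentry placed under o=acme governs only o=acme, ou=sales and carol, while an accessControl ldapSubentry under o=acme (no nested point for that aspect) governs all seven entries.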