
Re: Comments on Access Control Model draft - grant/deny evaluation rules



At 03:55 PM 4/4/01 -0400, Richard V Huber wrote:
>: I note that recursive evaluation could be quite expensive.
>
>Yes it could.  But only if you use it in a way that MAKES it
>expensive.  It is not expensive for people who do not use nesting or
>are careful about nesting.

I don't think this is true.  If an implementation does
not support recursion, then it can just check to see
if the authorization DN matches one of the members of
the group.  If the specification requires no recursion,
then implementations just need to check to see if the
authorization identity is one of the listed members.  If
the specification requires recursion, then implementations
would be required to check to see if any listed member
was a group and recurse.  Even if there were no nested
groups, the check itself can be expensive.

Kurt
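
An added illustration of the cost argument in the message above (not code from the thread or the draft): it counts entry fetches for a non-recursive membership check versus a check that must recurse into nested groups. The directory contents, the DNs, exact-string DN matching, and "one fetch per entry examined" as the cost unit are all assumptions made for the example.

```python
# Constructed sample directory (not from the thread): DN -> entry.
DIRECTORY = {
    "cn=staff": {"is_group": True, "members": ["cn=alice", "cn=bob", "cn=carol"]},
    "cn=admins": {"is_group": True, "members": ["cn=staff", "cn=dave"]},
    "cn=loop-a": {"is_group": True, "members": ["cn=loop-b"]},
    "cn=loop-b": {"is_group": True, "members": ["cn=loop-a"]},
    "cn=alice": {"is_group": False},
    "cn=bob": {"is_group": False},
    "cn=carol": {"is_group": False},
    "cn=dave": {"is_group": False},
}


class GroupEvaluator:
    """Counts entry fetches so the two evaluation rules can be compared."""

    def __init__(self, directory):
        self.directory = directory
        self.lookups = 0

    def _fetch(self, dn):
        self.lookups += 1
        return self.directory.get(dn)

    def flat(self, group_dn, authz_dn):
        # No recursion: read the group once, compare against listed members.
        group = self._fetch(group_dn)
        return bool(group) and authz_dn in group.get("members", [])

    def recursive(self, group_dn, authz_dn):
        # Recursion required: every listed member must be examined to learn
        # whether it is itself a group, even when none of them are.
        seen, pending = set(), [group_dn]
        while pending:
            dn = pending.pop()
            if dn in seen:  # guard against membership cycles
                continue
            seen.add(dn)
            entry = self._fetch(dn)
            if not entry or not entry["is_group"]:
                continue
            if authz_dn in entry["members"]:
                return True
            pending.extend(entry["members"])
        return False


def cost(rule, group_dn, authz_dn):
    """Return (decision, entry fetches) for rule 'flat' or 'recursive'."""
    ev = GroupEvaluator(DIRECTORY)
    return getattr(ev, rule)(group_dn, authz_dn), ev.lookups
```

For an identity that is not a member, the extra fetches scale with the number of listed members, and that is the case an access control check hits on every denied request.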