
Re: Comments on Access Control Model draft - grant/deny evaluation rules



At 01:07 PM 4/4/01 -0700, Kurt D. Zeilenga wrote:
>At 03:55 PM 4/4/01 -0400, Richard V Huber wrote:
>>: I note that recursive evaluation could be quite expensive.
>>
>>Yes it could.  But only if you use it in a way that MAKES it
>>expensive.  It is not expensive for people who do not use nesting or
>>are careful about nesting.
>
>I don't think this is true.  If an implementation does
>not support recursion, then it can just check to see
>if the authorization DN matches one of the members of
>the group.  If the specification requires no recursion,
>then implementations just need to check to see if the
>authorization identity is one of the listed members.

That was a bit redundant... the first "If ..." sentence
should be ignored.  Sorry for any confusion.

>If the specification requires recursion, then implementations
>would be required to check to see if any listed member
>was a group and recurse.  Even if there were no nested
>groups, the check itself can be expensive.
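
The cost difference discussed in this thread, as an added example that is not part of the original messages or of the draft: a flat member check beside a recursive one, counting directory reads as the cost. The `Directory` class, function names, and entries are constructed for illustration, and DNs are assumed to be already normalized strings.

```python
# Constructed sample directory: an entry with a "member" attribute is a group.
BASE = "dc=example,dc=com"
U1, U2, U3 = (f"uid=u{i},ou=people,{BASE}" for i in (1, 2, 3))
ALICE, MALLORY = f"uid=alice,ou=people,{BASE}", f"uid=mallory,ou=people,{BASE}"
FLAT, OUTER, INNER = (f"cn={n},ou=groups,{BASE}" for n in ("flat", "outer", "inner"))
ENTRIES = {
    FLAT: {"member": [U1, U2, U3]},    # no nesting at all
    OUTER: {"member": [INNER, U1]},    # nests INNER
    INNER: {"member": [ALICE, OUTER]}, # points back at OUTER (a cycle)
}

class Directory:
    """Hypothetical entry store that counts reads as a proxy for cost."""
    def __init__(self, entries):
        self.entries, self.reads = entries, 0
    def read(self, dn):
        self.reads += 1
        return self.entries.get(dn, {})

def is_member_flat(d, group_dn, authz_dn):
    # No recursion: one read, then compare against the listed members.
    return authz_dn in d.read(group_dn).get("member", [])

def is_member_recursive(d, group_dn, authz_dn):
    seen, pending = {group_dn}, [d.read(group_dn)]
    while pending:
        members = pending.pop().get("member", [])
        if authz_dn in members:
            return True
        for m in members:
            if m in seen:          # cycle guard: never revisit a DN
                continue
            seen.add(m)
            entry = d.read(m)      # read needed only to learn if m is a group
            if "member" in entry:
                pending.append(entry)
    return False

def evaluate(check, group_dn, authz_dn):
    """Return (decision, directory reads) for one membership check."""
    d = Directory(ENTRIES)
    return check(d, group_dn, authz_dn), d.reads

if __name__ == "__main__":
    for check in (is_member_flat, is_member_recursive):
        for group, who in ((FLAT, MALLORY), (OUTER, ALICE), (OUTER, MALLORY)):
            print(check.__name__, group.split(",")[0], who.split(",")[0],
                  evaluate(check, group, who))
```

For a non-member of the un-nested group, the flat check costs one read while the recursive check costs one read per listed member on top of that, and the two checks return different decisions for `ALICE` against `OUTER`.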