
Re: ACM & Replication (Was: LDAPEXT Minutes)



At 06:53 PM 4/17/01, Ellen Stokes wrote:
>From discussion with Rick Huber in Minneapolis, the following paragraphs
>of the model draft have been modified and now read as follows (excerpted
>from their sections with section headers):
>
>2.  The LDAPv3 Access Control Model
>   - What flows on the wire for interoperability
>
>     The existing LDAP protocol flows for ldap operations
>     are used to manipulate access control information.
>     These same flows on the wire apply when ACI is
>     transmitted during replication.  A set of permissions
>     and their semantics with respect to ldap operations is
>     defined.  The permissions parallel the defined set of
>     ldap operations.  What is transmitted is exactly what
>     is read back.  Encoding of access control information
>     on the wire is per the LDAPv3 specifications.

This basically says:
        Access control information is represented as elements
        of the LDAP data model and can be manipulated using
        normal LDAP operations.  A set of permissions and their
        semantics with respect to LDAP operations is defined.  The
        permissions parallel the defined set of LDAP operations.

That is, LDAP defines the wire format of LDAP operations
including data elements.  All this "on the wire" stuff just
muddies the waters and is completely unnecessary.

I note that statement:
      "What is transmitted is exactly what is read back."

implies that the server is not free to store the values as it
pleases (which is contrary to other statements in the ACM as
well as rfc2251).  The data and service model only requires,
in general, that information can be read back in an equivalent
form.  This is needed to support multiple transfer modes
(string v. ;binary) and to allow the server to store the data
in alternative forms, such as needed to support other
protocols/services.

>4.  The Access Control Information Attributes and Syntax
>The attributes are defined so access control information
>(ACI) can be addressed in a server independent of server
>implementation.

Suggest replacing "can be... " with:
    can be represented in an implementation independent
    manner.

>These attributes are used in typical LDAP
>APIs, in LDIF output of ACI and in transfer of ACI during
>replication.

s/are used/may be used/

>These attributes may be queried or set on all
>directory objects.  The BNF and definitions are given below.