Agreed, except that noting in the log system that the group/role/subtree has not been fully expanded **may** give, in some cases, more information than needed and be a start in compromising security.

Regards,
John

-----Original Message-----
From: Ryan Moats [mailto:rmoats@lemurnetworks.net]
Sent: Thursday, July 05, 2001 2:18 PM
To: Kurt D. Zeilenga
Cc: ietf-ldapext@netscape.com
Subject: Re: expansion of groups/roles/subtree subjects in LDAP ACM

On Thu, Jul 05, 2001 at 12:58:23PM -0700, Kurt D. Zeilenga wrote:
> How are exceptional conditions in expanding
> groups/roles/subtrees to be handled? In particular,
> what is the ACM behavior when the groups/roles/subtrees
> cannot be fully expanded and the requestor's DN is not
> found in the partial set of DNs?
>
> Kurt

Well, as an initial (not perfect) suggestion, I would opt for notifying via the log system that the group/role/subtree has not been fully expanded and that access has been denied because the DN is not in the partial set.

Ryan
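The behaviour discussed in this thread, sketched as an added example (not code from the thread or from any LDAP server): a requestor missing from a partially expanded subject is denied, the client sees the same result as for an ordinary denial, and the reason goes only to an audit log that omits the partial member list. The `Expansion` type, the function names, the sample DNs and the deny-overrides-grant rule model are assumptions, and the handling of deny rules goes beyond the single case the thread raises.

```python
import logging
from dataclasses import dataclass

audit = logging.getLogger("acm.audit")  # assumed: a log only administrators can read

@dataclass(frozen=True)
class Expansion:
    """Result of expanding a group/role/subtree subject (hypothetical type)."""
    members: frozenset  # normalized DNs resolved so far
    complete: bool      # False when part of the subject could not be expanded

def norm(dn):
    # Simplified DN normalization for this example: trim and lowercase each RDN.
    return ",".join(rdn.strip().lower() for rdn in dn.split(","))

def subject_applies(dn, effect, exp):
    """Does a 'grant' or 'deny' rule apply to dn? Returns (applies, reason)."""
    if dn in exp.members:
        return True, "member"
    if exp.complete:
        return False, "not_member"
    # Partial expansion and DN not found: membership is unknown. Fail closed:
    # an unproven grant does not apply, a deny that cannot be ruled out does.
    return effect == "deny", "partial_expansion"

def decide(requestor_dn, rules):
    """rules: [(effect, subject_name, Expansion)] -> (allowed, client_result, records)."""
    dn = norm(requestor_dn)
    granted = denied = False
    records = []
    for effect, subject, exp in rules:
        applies, reason = subject_applies(dn, effect, exp)
        granted |= applies and effect == "grant"
        denied |= applies and effect == "deny"
        rec = {"requestor": dn, "subject": subject, "effect": effect, "reason": reason}
        records.append(rec)
        # The partial member list is deliberately kept out of the log record.
        level = logging.WARNING if reason == "partial_expansion" else logging.INFO
        audit.log(level, "acm decision %s", rec)
    allowed = granted and not denied
    # The client result does not reveal whether expansion was incomplete.
    return allowed, ("success" if allowed else "insufficientAccessRights"), records

if __name__ == "__main__":
    # Constructed sample data: one member resolved, the rest of the group unreachable.
    partial = Expansion(frozenset({norm("cn=alice,ou=people,dc=example,dc=com")}), False)
    print(decide("cn=bob,ou=people,dc=example,dc=com", [("grant", "cn=admins", partial)]))
```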