
Re: expansion of groups/roles/subtree subjects in LDAP ACM



Kurt,

I think what's needed here is for the draft to specify that, if the
evaluation of any part of the subject fails, then the subject part of
that ACI does not apply.  So we can change the intro to 4.3.2.4 to
something like:

"4.3.2.4  Applicability Rules for Subjects

Call the subject portion of the ACI in question aciSubject.  Then to
determine if aciSubject applies to requestorSubject we apply the
following rules.  In the case where the server fails to evaluate a
rule and so fails to fully confirm that aciSubject applies, then
aciSubject does not apply."

Rob.

John Strassner wrote:
> 
> agreed, except that noting in the log system that the group/role/subtree
> has not been fully expanded **may** give, in some cases, more information
> than needed and be a start in compromising security.
> 
> regards,
> John
> 
> -----Original Message-----
> From: Ryan Moats [mailto:rmoats@lemurnetworks.net]
> Sent: Thursday, July 05, 2001 2:18 PM
> To: Kurt D. Zeilenga
> Cc: ietf-ldapext@netscape.com
> Subject: Re: expansion of groups/roles/subtree subjects in LDAP ACM
> 
> On Thu, Jul 05, 2001 at 12:58:23PM -0700, Kurt D. Zeilenga wrote:
> > How are exceptional conditions in expanding
> > groups/roles/subtrees to be handled?  In particular,
> > what is the ACM behavior when the groups/roles/subtrees
> > cannot be fully expanded and the requestor's DN is not
> > found in the partial set of DNs?
> >
> > Kurt
> 
> Well as an initial (not perfect) suggestion I would opt for
> notifying via the log system that the group/role/subtree
> has not been fully expanded and that access has been denied
> because the DN is not in the partial set.
> 
> Ryan
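The rule Rob proposes for 4.3.2.4, and the logging point raised by Ryan and John, worked through in code. This is an added example, not text from the draft or from anyone in the thread, and it assumes a toy directory model of its own: a group is a DN mapped to a list of member DNs, nested groups are allowed, and a member list of None stands in for a group the server cannot read (a referral it will not chase, an unreachable replica, or similar). The combining rule in decide() (applicable deny wins, then applicable grant, otherwise deny) is likewise an assumption for the example, not the draft's. Note that the rule as worded never consults the partial set at all: a requestor who does appear in the part that was expanded still gets "does not apply", because the server could not fully confirm the subject. With the same wording, a deny ACI whose subject cannot be evaluated does not apply either, so the final decision then rests on the remaining ACIs and the default.

```python
"""Fail-closed evaluation of an LDAP ACI subject that names a group,
when the server cannot fully expand the group's membership.

Example code written for this discussion; the directory model, the
subject encoding and the combining rule are assumptions, not the draft's.
"""
from enum import Enum


class Applicability(Enum):
    APPLIES = "applies"
    DOES_NOT_APPLY = "does not apply"


class ExpansionError(Exception):
    """Raised when a group, or a group nested in it, cannot be fully expanded."""


# Constructed sample directory: group DN -> list of member DNs.
# cn=ops is unreadable (None), so cn=admins, which nests it, cannot be
# fully expanded either even though alice is listed in it directly.
DIRECTORY = {
    "cn=admins,ou=groups,dc=example,dc=com": [
        "uid=alice,ou=people,dc=example,dc=com",
        "cn=ops,ou=groups,dc=example,dc=com",
    ],
    "cn=ops,ou=groups,dc=example,dc=com": None,
    "cn=staff,ou=groups,dc=example,dc=com": [
        "uid=bob,ou=people,dc=example,dc=com",
        "uid=carol,ou=people,dc=example,dc=com",
    ],
}


def expand_group(group_dn, directory=DIRECTORY, seen=None):
    """Return the complete set of member DNs of group_dn, following nested groups.

    Raises ExpansionError if any part of the expansion fails, so a caller
    never receives a silently truncated member set to match against.
    """
    if seen is None:
        seen = set()
    if group_dn in seen:  # membership cycle: already being expanded
        return set()
    seen.add(group_dn)
    members = directory.get(group_dn)
    if members is None:  # unknown or unreadable group
        raise ExpansionError(f"cannot read members of {group_dn}")
    result = set()
    for member in members:
        if member in directory:  # nested group: expand it as well
            result |= expand_group(member, directory, seen)
        else:
            result.add(member)
    return result


def subject_applies(aci_subject, requestor_dn, log):
    """Proposed 4.3.2.4 rule: aciSubject applies only if the server can
    fully confirm it. Any evaluation failure yields DOES_NOT_APPLY; the
    partial expansion is never used to guess.

    aci_subject is ("dn", <dn>) or ("group", <group dn>). log collects
    server-side audit lines; the requestor only ever sees the decision.
    """
    kind, value = aci_subject
    if kind == "dn":
        return Applicability.APPLIES if value == requestor_dn else Applicability.DOES_NOT_APPLY
    if kind == "group":
        try:
            members = expand_group(value)
        except ExpansionError as exc:
            # Server-side log only: names the group that failed so an
            # operator can find the fault; nothing about the partial
            # membership is returned to the requestor.
            log.append(f"subject {value} not fully expanded ({exc}); "
                       f"treated as not applicable for {requestor_dn}")
            return Applicability.DOES_NOT_APPLY
        return Applicability.APPLIES if requestor_dn in members else Applicability.DOES_NOT_APPLY
    raise ValueError(f"unknown subject kind {kind!r}")


def decide(acis, requestor_dn, log):
    """Combine ACIs given as (subject, "grant" | "deny") pairs: an applicable
    deny wins, then an applicable grant, otherwise the default is deny.
    (Assumed combining rule for this example.)"""
    granted = False
    for subject, effect in acis:
        if subject_applies(subject, requestor_dn, log) is Applicability.DOES_NOT_APPLY:
            continue
        if effect == "deny":
            return "deny"
        granted = True
    return "grant" if granted else "deny"


if __name__ == "__main__":
    audit = []
    admins = ("group", "cn=admins,ou=groups,dc=example,dc=com")
    print(decide([(admins, "grant")], "uid=alice,ou=people,dc=example,dc=com", audit))
    print("\n".join(audit))
```

Running the block directly prints "deny" for alice followed by the single audit line, even though alice is listed in cn=admins: the nested cn=ops could not be read, so the server could not fully confirm the subject and the grant ACI does not apply.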