Re: expansion of groups/roles/subtree subjects in LDAP ACM
> I think what's needed here is for the draft to specify that, if the
> evaluation of any part of the subject fails, then the subject part of
> that aci does not apply. So we can change the intro to 4.3.2.4 to
> something like:
>
I think that when evaluation of any part of the subject fails the
server must act in a fail-safe way. This means that access must be
denied.
So 4.3.2.4 intro should read:
"4.3.2.4 Applicability Rules for Subjects
Call the subject portion of the ACI in question aciSubject. In the case
where the server fails to evaluate a rule and so fails to fully confirm
that aciSubject applies, then access is denied. Then to determine if
aciSubject applies to requestorSubject we apply the following rules:"
Mark
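
The two wordings debated in this message, compared in a simplified model; this is an added example, not part of the original message or of the draft. The names, the sample entries, and the "deny overrides grant, default deny" precedence are assumptions made for illustration.

```python
from enum import Enum

class Match(Enum):
    APPLIES = 1
    NOT_APPLICABLE = 2
    UNKNOWN = 3  # evaluation failed, applicability could not be confirmed

# Constructed data: group DN -> members; None models a failed expansion.
BOB = "uid=bob,dc=example,dc=com"
GROUPS = {
    "cn=admins,dc=example,dc=com": {"uid=alice,dc=example,dc=com"},
    "cn=contractors,dc=example,dc=com": None,
}
ACIS = [  # (action, (subject type, value)); Bob really is a contractor
    ("grant", ("dn", BOB)),
    ("deny", ("group", "cn=contractors,dc=example,dc=com")),
]

def expand_group(dn):
    members = GROUPS.get(dn)
    if members is None:
        raise LookupError(dn)  # group could not be expanded
    return members

def subject_applies(aci_subject, requestor):
    kind, value = aci_subject
    try:
        if kind == "dn":
            hit = value == requestor
        elif kind == "group":
            hit = requestor in expand_group(value)
        else:
            return Match.UNKNOWN  # unrecognised subject type
    except LookupError:
        return Match.UNKNOWN
    return Match.APPLIES if hit else Match.NOT_APPLICABLE

def decide(acis, requestor, fail_safe):
    """Assumed model: deny overrides grant, no matching grant means deny."""
    granted = False
    for action, subject in acis:
        match = subject_applies(subject, requestor)
        if match is Match.UNKNOWN and fail_safe:
            return False  # reply's wording: access is denied
        if match is Match.APPLIES:
            if action == "deny":
                return False
            granted = True
    return granted  # UNKNOWN without fail_safe: ACI skipped as "does not apply"
```

With the constructed ACIs, `decide(ACIS, BOB, fail_safe=False)` grants access because the deny ACI whose group cannot be expanded is silently skipped, while `fail_safe=True` denies it.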