
precedence rule among subtree subject DNs



In page 20 of draft-ietf-ldapext-acl-model-08.txt,

"4.3.3.2  Precedence of Position in the DIT

For a given subject DN (including authentication level) and target DN,
subtreeACI lower in the tree take precedence over those higher in the
tree."

Suppose ACI at dc=ibm, dc=com is defined as:

1) subtreeACI:grant:b#[entry]#authnLevel:strong:subtree:dn:ou=iris,o=lotus
2) subtreeACI:deny:b#[entry]#authnLevel:strong:subtree:dn:o=lotus

Will this mean that "cn=joe tester,ou=iris,o=lotus" is granted browse
access, since 1) has higher precedence over 2)?

In draft 7, the precedence among subject DNs is:
ipAddress>authzID>this>role>group>subtree>public, and

"Subjects of the same precedence are combined using union semantics." (page 18).

So the above example would be considered of equal precedence, and since
deny wins over grant when conflicting permissions exist, "cn=joe
tester,ou=iris,o=lotus" will be denied browse access.  Is this a new
change, and more importantly, will this rule stay in the future draft?  We
are implementing LDAP ACL, and would like to stay as close as possible to
the draft, at least for the portion of the precedence evaluation rules
anyway.  Thank you.

/kyungae
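The two readings the post contrasts can be run side by side. The following is an added example, not part of the post or of the draft: it parses the two sample subtreeACI values quoted above, then evaluates "cn=joe tester,ou=iris,o=lotus" once under the position-in-the-DIT reading the post attributes to draft 8 (the deeper subject subtree wins, ties falling back to union semantics with deny winning) and once under the draft 7 reading (all subtree subjects share one precedence level, union semantics, deny wins). The `SubtreeACI` class, the parser, and the rule that a subject matched by no ACI is denied are assumptions of this example, not text from either draft.

```python
from dataclasses import dataclass
from typing import List

@dataclass
class SubtreeACI:
    """One subtreeACI value reduced to the fields the comparison needs."""
    effect: str       # "grant" or "deny"
    rights: str       # permission letters, e.g. "b" for browse
    authn_level: str  # value after "authnLevel:", e.g. "strong"
    subject_dn: str   # root of the subject subtree

def parse_aci(line: str) -> SubtreeACI:
    """Parse the 'effect:rights#[entry]#authnLevel:LEVEL:subtree:dn:DN' form
    quoted in the post (an optional 'subtreeACI:' prefix is accepted).
    This parser is constructed for the example and covers only that form."""
    if line.startswith("subtreeACI:"):
        line = line[len("subtreeACI:"):]
    effect_rights, _scope, rest = line.split("#", 2)
    effect, rights = effect_rights.split(":", 1)
    fields = rest.split(":", 4)
    if fields[0] != "authnLevel" or fields[2] != "subtree" or fields[3] != "dn":
        raise ValueError(f"unsupported ACI form: {line!r}")
    return SubtreeACI(effect, rights, fields[1], fields[4])

def rdns(dn: str) -> List[str]:
    """Split a DN into normalised RDN strings (leaf first)."""
    return [rdn.strip().lower() for rdn in dn.split(",")]

def in_subtree(dn: str, root: str) -> bool:
    """True if dn is root or lies below it (RDN-suffix match)."""
    d, r = rdns(dn), rdns(root)
    return len(d) >= len(r) and d[-len(r):] == r

def applicable(acis: List[SubtreeACI], subject_dn: str, authn_level: str, right: str) -> List[SubtreeACI]:
    """ACIs whose subject subtree, authnLevel and permission letter all match."""
    return [a for a in acis
            if a.authn_level == authn_level and right in a.rights
            and in_subtree(subject_dn, a.subject_dn)]

def union_deny_wins(acis: List[SubtreeACI]) -> str:
    """Union semantics: any deny among equal-precedence ACIs beats every grant.
    Assumption: a subject matched by no ACI at all is denied."""
    if not acis:
        return "deny"
    return "deny" if any(a.effect == "deny" for a in acis) else "grant"

def decide_position_precedence(acis, subject_dn, authn_level, right) -> str:
    """Reading the post attributes to draft 8, 4.3.3.2: the subject subtree
    lowest (deepest) in the tree takes precedence; ties use union semantics."""
    cands = applicable(acis, subject_dn, authn_level, right)
    if not cands:
        return "deny"
    deepest = max(len(rdns(a.subject_dn)) for a in cands)
    return union_deny_wins([a for a in cands if len(rdns(a.subject_dn)) == deepest])

def decide_union_deny_wins(acis, subject_dn, authn_level, right) -> str:
    """Draft 7 reading: all subtree subjects have equal precedence, so the
    matching ACIs are combined with union semantics and deny wins."""
    return union_deny_wins(applicable(acis, subject_dn, authn_level, right))

# The two ACIs from the post, as stored at dc=ibm,dc=com (constructed input).
SAMPLE_ACIS = [
    parse_aci("subtreeACI:grant:b#[entry]#authnLevel:strong:subtree:dn:ou=iris,o=lotus"),
    parse_aci("subtreeACI:deny:b#[entry]#authnLevel:strong:subtree:dn:o=lotus"),
]

if __name__ == "__main__":
    joe = "cn=joe tester,ou=iris,o=lotus"
    print("position precedence:", decide_position_precedence(SAMPLE_ACIS, joe, "strong", "b"))
    print("union, deny wins:   ", decide_union_deny_wins(SAMPLE_ACIS, joe, "strong", "b"))
```

Running it prints `grant` for the first reading and `deny` for the second, which is exactly the divergence the post asks the list to settle; a subject directly under o=lotus, or one bound at an authnLevel other than `strong`, is denied under both readings because only the `deny` ACI, or no ACI at all, applies to it.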