
Re: moving access control discussion to LDUP



All,

My own (vendor-centric) opinion on the progress of the acl draft is that,
unfortunately, in LDAP life-time terms it is very (if not, too) late to
successfully progress this to a standard.

I would categorize the main problem as "entrenched vendors".  Seems like
everyone agrees in principle that standard access control would be a good idea
but when it comes to the crunch vendors are reluctant to reinvest in developing
a new access control system in their servers.  So it seems the best we could do
would be to preserve the work (some of which may still be useful to vendors
polishing their implementations) by moving it to the experimental or
informational category.

I think there may also be scope for pulling some of the sections out and
submitting them as independent ID's; for example the getEffectiveRights section
could probably be expressed in sufficiently general terms that any vendor could
support it.

Perhaps the best opportunity for standard directory access control will occur
as/if directories evolve to integrate more with the XML world.  The XML guys are
currently recasting the wheel in XML terms and for example the XACML work stands
a chance of success as they don't have the entrenched vendor problem.

I would advise the LDUP chairs to poll the LDUP group and ensure that there is
enough (preferably more than enough!) support for completing the acl draft in
LDUP, before adopting it.

Rob.

Mark Wahl wrote:

> It may be worthwhile to consider adding the access control standardization
> discussion to LDUP, as LDUP will need the replication of access control
> information for many of its scenarios.  This activity was ongoing in LDAPEXT,
> but LDAPEXT is shutting down and has not reached rough consensus on
> access control specification.
>
> Mark Wahl
> Sun Microsystems Inc.