
Re: [ldapext] Fwd: I-D ACTION:draft-zeilenga-ldap-managedit-00.txt
At 06:00 AM 3/1/2006, John McMeeking wrote:

>I would like to see a name for the control that is not so close to the existing ManageDsaIT control.  I picture someone using the wrong control because of the similarity in names.  Maybe something along the lines of "repair DIT" or "allow exceptions"? 

Noted.  How about the "relax" control?

>I have occasionally found the need for such a mechanism. 
>
>I've always been a little uneasy about making it too easy to use for fear that an administrator would start using such a control for one purpose and either use it where it shouldn't have been used -- like inadvertently updating an entry on a read-only replica because he misdiagnosed a problem, or using it to fix one problem and because of the control's presence also be allowed to do something else unintended.  Or worse yet, just start using the control out of bad habit. 
>
>I'm trying to think of something that makes the control perhaps a little less dangerous without making it impossible to use.  In some respects, maybe what I really want is an interactive "are you sure you want to do this" capability; of course those always come with a "yes to all" option, so maybe I'm just unduly paranoid.  Maybe there could be a family of controls - one control for each kind of exceptional action - or a control value indicating the kind of change intended. 

I have considered whether the control should or should not provide
fine-grained control over the relaxation of various schema restrictions
and model constraints.  I concluded it would be too hard to specify,
to implement, to use (from a client perspective), and to manage (from a
server policy perspective).  I concluded it was much easier to
say the control "relaxed" temporarily various restrictions/constraints,
subject to administrative and other controls.

In our early implementation, the client has to have
context-specific authorization to use this control.
That is, they need to have "manage" rights on the
object (or particular attributes of the objects)
to use this control.  It's hoped that the
administrator will not grant "manage" rights to all
those who have "write" rights.

Kurt 
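As an added illustration of the authorization split Kurt describes (a distinct "manage" right gating use of the control, deliberately not handed to everyone who can "write"), and not part of the thread itself: an OpenLDAP cn=config olcAccess fragment. The page does not name the implementation, so reading "our early implementation" as slapd is an assumption; slapd's access levels do include "manage" above "write". All DNs and group names below are constructed placeholders.

```ldif
# Added example (not from the thread). Assumes OpenLDAP slapd with the
# cn=config backend and its "manage" access level, which ranks above "write".
# DNs are constructed placeholders.

# Weak policy: the people who edit entries day to day are granted "manage",
# so any of them can also bypass schema/model constraints with the control.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to dn.subtree="ou=people,dc=example,dc=com"
  by group.exact="cn=editors,ou=groups,dc=example,dc=com" manage
  by * read

# Corrected policy: editors keep ordinary "write"; only a small repair group
# holds "manage", so the control is refused for everyone else even though
# they can still modify the same entries normally.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to dn.subtree="ou=people,dc=example,dc=com"
  by group.exact="cn=dit-repair,ou=groups,dc=example,dc=com" manage
  by group.exact="cn=editors,ou=groups,dc=example,dc=com" write
  by * read
```

Loading either record with ldapmodify against cn=config replaces the database's ACL set; the second record is the one that matches the model in the message, where "write" alone is not enough to make the server honour the relaxation.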


_______________________________________________
Ldapext mailing list
Ldapext@ietf.org
https://www1.ietf.org/mailman/listinfo/ldapext