Re: Subtree ACIs

[Ralf Haferkamp <rhafer@suse.de>]

On Mon, Jul 14, 2003 at 06:38:42AM +0200, Kurt D. Zeilenga wrote:
> At 12:28 PM 7/11/2003, Ralf Haferkamp wrote:
> >I have recently been looking at the in-directory ACI implementation and
> >trying to implement subtree ACIs. I've made good progress so far. I am now
> >wondering about some details of how the evaluation should be peformed.
> 
> With the experimental ACI stuff, I think the original intent was
> for "more specific" ACIs to take precedence.  You likely can look
> at some of the long-ago expired LDAPext drafts for guidance on
> this (see doc/drafts for copies).
>
> You might also find Steven Legg's drafts on X.500 ACMs in LDAP
> interesting.
Thanks for the pointer. I've take a look at the drafts. If I understood
it correctly it makes use of Subentries when defining ACIs that scope more
than one entry, is this correct? If yes, is there any subentry support in
the current HEAD code? 
Additionally, compared to the simple format of OpenLDAPaci the definition of
the "entryACI"-Attribute from "draft-legg-ldap-acm-bac" looks pretty
complex. 

Is it intended to remove the current implementation in favour of a solution
that implements the ACMs specs in the future?

[..]
> I would argue that in evaluating ACIs for a target entry, the
> precedence should be:
>         a) "entry" (base) scoped ACI on target, then
>         b) subtree scoped ACI on target,
>         c) subtree scoped ACI on parent,
>         d) subtree scoped ACI on parent's parent
>         e) ...
> 
> Now, one could argue that "subtree" scope is problematic.  If so,
> replace it with "children" scope and eliminate b).
At the moment I implemented the "children" scope. Though it seems not be to
hard to support "subtree" as well.

-- 
Ralf Haferkamp

SuSE Linux AG                                    - The Linux Experts -
Deutschherrnstrasse 15-19                         http://www.suse.com
D-90429 Nuernberg, Germany                        Tel: +49-911-74053-0