
Re: Subtree ACIs



At 12:28 PM 7/11/2003, Ralf Haferkamp wrote:
>I have recently been looking at the in-directory ACI implementation and
>trying to implement subtree ACIs. I've made good progress so far. I am now
>wondering about some details of how the evaluation should be performed.

With the experimental ACI stuff, I think the original intent was
for "more specific" ACIs to take precedence.  You likely can look
at some of the long-ago expired LDAPext drafts for guidance on
this (see doc/drafts for copies).

You might also find Steven Legg's drafts on X.500 ACMs in LDAP
interesting.

>Does scope "subtree" include the "entry"-scope? i.e. should ACIs with the
>scope "subtree" also be evaluated for the entry they are in or only for
>its child entries? My current implementation evaluates "subtree" ACIs only
>for the child entries.
>
>If an entry contains an "entry"-scope ACI that does not explicitly allow
>or deny access for the current operation, should the "subtree"-ACIs of its
>parent entries be evaluated or should the access be denied? (Do ACIs deeper
>in the tree completely reset higher level ACIs, or do they just overwrite
>parts of the higher level ACIs?)

I would argue that in evaluating ACIs for a target entry, the
precedence should be:
        a) "entry" (base) scoped ACI on target, then
        b) subtree scoped ACI on target,
        c) subtree scoped ACI on parent,
        d) subtree scoped ACI on parent's parent
        e) ...

Now, one could argue that "subtree" scope is problematic.  If so,
replace it with "children" scope and eliminate b).


Kurt
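The precedence list in Kurt's reply, worked through as an added example that is not code from OpenLDAP or from either poster. It uses a simplified in-memory ACI model (scope, subject, grant/deny, set of rights) rather than the real OpenLDAPaci attribute syntax; the DNs, subjects and rules below are constructed for the example. Two points are my reading of the reply, not something either message states: a more specific ACI that says nothing about the requested right neither grants nor denies, so evaluation falls through to the next level, and access is denied when no ACI at any level speaks to the operation. The `subtree_on_target` switch implements the alternative in the last paragraph (treat the scope as "children" and drop step b).

```python
# Added example: evaluate ACIs for a target entry in the order
#   a) entry-scoped ACI on the target,
#   b) subtree-scoped ACI on the target (omitted under the "children" variant),
#   c) subtree-scoped ACI on the parent, d) on the parent's parent, e) ...
# Simplified model, not OpenLDAP's OpenLDAPaci syntax (assumption).
from dataclasses import dataclass
from typing import Dict, Iterator, List, Optional


@dataclass(frozen=True)
class Aci:
    scope: str             # "entry", "subtree" or "children"
    subject: str           # DN the rule applies to (exact match only, assumption)
    decision: str          # "grant" or "deny"
    rights: frozenset      # e.g. frozenset("rw")

    def __post_init__(self) -> None:
        if self.scope not in ("entry", "subtree", "children"):
            raise ValueError(f"unknown scope {self.scope!r}")
        if self.decision not in ("grant", "deny"):
            raise ValueError(f"unknown decision {self.decision!r}")


def parent_dn(dn: str) -> Optional[str]:
    """Strip the leftmost RDN. Assumes no escaped commas in the sample DNs;
    a real implementation must use a proper DN parser."""
    idx = dn.find(",")
    return None if idx < 0 else dn[idx + 1:].lstrip()


def candidate_acis(target: str, acis: Dict[str, List[Aci]],
                   subtree_on_target: bool = True) -> Iterator[Aci]:
    """Yield ACIs in precedence order, most specific first."""
    on_target = acis.get(target, [])
    # a) entry-scoped ACIs stored on the target itself
    for a in on_target:
        if a.scope == "entry":
            yield a
    # b) subtree-scoped ACIs on the target; skipped when subtree means "children"
    if subtree_on_target:
        for a in on_target:
            if a.scope == "subtree":
                yield a
    # c), d), e) ... subtree/children-scoped ACIs on each ancestor, nearest first
    dn = parent_dn(target)
    while dn is not None:
        for a in acis.get(dn, []):
            if a.scope in ("subtree", "children"):
                yield a
        dn = parent_dn(dn)


def check_access(target: str, subject: str, right: str,
                 acis: Dict[str, List[Aci]], subtree_on_target: bool = True) -> bool:
    """The first ACI (in precedence order) that names this subject and this
    right decides; ACIs that do not cover the right fall through. Within one
    level the first listed rule wins (assumption). No match means deny."""
    for a in candidate_acis(target, acis, subtree_on_target):
        if a.subject == subject and right in a.rights:
            return a.decision == "grant"
    return False


# Constructed sample directory. ACIs are keyed by the DN of the entry holding them.
ADMIN = "cn=admin,dc=example,dc=com"
AUDITOR = "cn=auditor,dc=example,dc=com"
ALICE = "uid=alice,ou=people,dc=example,dc=com"
BOB = "uid=bob,ou=people,dc=example,dc=com"
PEOPLE = "ou=people,dc=example,dc=com"

ACIS: Dict[str, List[Aci]] = {
    "dc=example,dc=com": [
        Aci("subtree", ADMIN, "grant", frozenset("rw")),
        Aci("subtree", AUDITOR, "grant", frozenset("r")),
    ],
    PEOPLE: [
        Aci("subtree", AUDITOR, "deny", frozenset("r")),   # auditor locked out of people
    ],
    ALICE: [
        Aci("entry", AUDITOR, "grant", frozenset("r")),    # ...except alice's own entry
        Aci("subtree", ADMIN, "deny", frozenset("w")),     # admin may not write here
    ],
}

if __name__ == "__main__":
    for tgt, subj, r in [(ALICE, AUDITOR, "r"), (BOB, AUDITOR, "r"),
                         (PEOPLE, AUDITOR, "r"), (ALICE, ADMIN, "w")]:
        print(f"{subj} {r} on {tgt}: subtree={check_access(tgt, subj, r, ACIS)}"
              f" children={check_access(tgt, subj, r, ACIS, subtree_on_target=False)}")
```

The two variants differ exactly where Kurt says they do: an auditor reading `ou=people` itself is denied by the subtree ACI stored on that entry under step b, but allowed (via the base DN's grant) once subtree is read as "children"; likewise the admin's write to `uid=alice` is blocked by the subtree-scoped deny on alice's own entry only under the first ordering.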