[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Test operations

To: Morteza Ansari <morteza@infoblox.com>
Subject: Re: Test operations
From: Howard Chu <hyc@symas.com>
Date: Sat, 20 Nov 2004 16:50:52 -0800
Cc: David Boreham <david_list@boreham.org>, OpenLDAP Devel <openldap-devel@OpenLDAP.org>
In-reply-to: <419EAA1C.30309@infoblox.com>
References: <419DD514.9020809@linagora.com> <0a5001c4ce48$85ac8660$fd529145@mtbrook.bozemanpass.com> <419EAA1C.30309@infoblox.com>
User-agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8a5) Gecko/20041101

Morteza Ansari wrote:

I definitely second this, SunDS also supports this control (I am not sure if the two implementations are 100% compatible though). Converging on this would make app's developers job easier.

Interesting, considering that this draft hasn't progressed very far and has no OIDs assigned. How exactly do you expect anyone to write a compatible implementation? And of course "It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress.""

The old draft mentioned support for X.500 access controls, but the latest draft (rev 06, 14 July 2000) doesn't mention it any more. All of which may be academic since the LDAPext working group shut down and this draft expired in January 2001.

This draft http://www.ietf.org/internet-drafts/draft-legg-ldap-acm-bac-03.txt is at least current, and the X.500 models it describes have already been widely implemented by X.500 vendors. In this respect, it doesn't have the shortcomings of the LDAPext model (which among other things doesn't allow for value-specific rights).

Before going off and implementing an expired draft, it would be nice to understand why the model never made it beyond draft status. Surely it does not reflect well on the described model for it to have been abandoned by the authors. Nor would it reflect well on us to claim support for what can only be considered an incomplete specification.


Cheers,
Morteza

David Boreham wrote:

Now I'm looking to write an extended operation based on the standard, ACI or AACLs access model to allow operations testing.


There was a 'get effective rights' extended operation
defined in the old IETF access control work:
http://www.watersprings.org/pub/id/draft-ietf-ldapext-acl-model-01.txt
I _think_ that what you are proposing is either similar or identical
to the get effective rights operation.

At least a few LDAP servers implement something like this, e.g. :
http://enterprise.netscape.com/docs/directory/621/relnotes/ger.html

--
 -- Howard Chu
 Chief Architect, Symas Corp.       Director, Highland Sun
 http://www.symas.com               http://highlandsun.com/hyc
 Symas: Premier OpenSource Development and Support

Follow-Ups:
- Re: Test operations
  - From: "David Boreham" <david_list@boreham.org>
- Re: Test operations
  - From: Morteza Ansari <morteza@infoblox.com>

References:
- Test operations
  - From: Sébastien Bahloul <bahloul@linagora.com>
- Re: Test operations
  - From: "David Boreham" <david_list@boreham.org>
- Re: Test operations
  - From: Morteza Ansari <morteza@infoblox.com>

Prev by Date: Re: Test operations
Next by Date: Re: Test operations
Index(es):
- Chronological
- Thread