
Re: LDAP ACL Architecture



"Kurt D. Zeilenga" wrote:

>
> No.  Please read RFC 2119, Section 6.  [Though defined for
> MUST/SHOULD/MAY imperatives, I believe it equally applies to
> the "mandatory" vs "recommended" vs "optional" debate.]  Then
> ask: is LDAP ACM imperative for the interoperability of two LDAP
> protocol peers?  IMO, the answer to this question is NO as
> LDAPv3 peers interoperate irregardless of the ACM model in
> place.

I think this question circles around the real question: "What are the drivers for standardized LDAP Access Control?"

I think the group needs to reiterate these drivers clearly.  These drivers should be written down and used to generate some key requirements, block rat holes and prune the discussion tree.  If there are none then we can go home straight away!

Here are two of what I think are the important drivers and why:

1. Directory Enabled Application (DNA) portability
Directory vendors know that directory is commoditising and that it is DNAs that will be their future bread and butter.  Conclusion: the more DNAs your directory works with, the bigger the market for your Directory and "attached products".  And... DNAs will typically want to manage the Access Controls in the Directory.

2. Replication
Replication is a driver because I believe it makes zero sense to replicate data unless the key configuration data (Schema and Access Control) can be "sensibly" replicated too.

So according to these drivers it is not "humble" LDAP clients who need to know about Access Control but Management and Replication "clients".  I think making Access Control mandatory would amount to extending what we currently mean by "LDAP clients" to include these new ones.  Is this LDAP maturing or getting heavy?

Any other drivers?

Rob.