ACL Model (Section 2)
- To: Ellen Stokes <stokes@austin.ibm.com>
- Subject: ACL Model (Section 2)
- From: Rob Byrne - Sun Microsystems <Robert.Byrne@france.sun.com>
- Date: Tue, 11 Apr 2000 19:54:21 +0200
- Cc: djbyrne@us.ibm.com, gblakley@tivoli.com, grunt@nortelnetworks.com, jimse@novell.com, roger_harrison@novell.com, kurt@OpenLDAP.org, sganguly@novell.com, Robert.Byrne@france.sun.com, usriniva@us.oracle.com, dsward@novell.com, albert.langer@neither.org, leifj@it.su.se, keith.richardson@peerlogic.com, helmut.volpers@icn.siemens.de, sanjay.jain@software.com, hsastry@us.oracle.com, sshrivas@us.oracle.com, paulle@microsoft.com, m.wahl@innosoft.com, kyungae_lim@iris.com, ietf-ldapext-acm@OpenLDAP.org
- Organization: Sun Microsystems
- References: <4.2.2.20000411000146.00a2ea80@popmail2.austin.ibm.com>
Ellen,
You may or may not (!) find this helpful but I jotted down some of the things that
I think should be treated in Section 2 that describes the LDAP Model:
Overview of the Model
. Explain the picture that servers can have multiple mechanisms but MUST be capable
of supporting the LDAP Mechanism in an arbitrary part of the DIT, if required by a
client.
Discovery/Setting of ACL Mechanisms
. define the attributes.
. If a client succeeds in changing one of these attributes does that mean the new
Mechanism is now also in force?
How multiple Mechanisms fit together:
. what the unit of applicability of the aci Mechanism is (probably replication
entity).
. can we "run two entities together" for LDAP Mechanism evaluation if they are on
the same server (I think we should be able to as it's useful if the DIT is
partitioned for scalability). This kind of touches on what X.500 calls the
ACL Administrative Something--it may be possible to re-use their concepts though
I would approach that with the prime directive "keep it simple".
Access to ldapACIs themselves
. I think they should control access to themselves. Does this force us to address
the problem of how to get ldapACIs in there in the first place (cn="Directory
Manager" concept?)
All for now...
Rob.
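Two of the points above (the unit of applicability of an ldapACI, and ldapACIs controlling access to themselves together with the bootstrap problem that creates) are easier to reason about with a running model. The following is an added example written for this archive page; it is not code from Rob's mail, from the ldapext ACL draft, or from any of the servers discussed on the list. The ACI syntax (scope, rights, target attribute, subject), the "subtree" scope as the unit of applicability, the rule that adding an ldapACI requires write access to the ldapACI attribute of the target entry, and the cn=Directory Manager identity as an out-of-band superuser that bypasses evaluation are all assumptions made here for illustration; the sample DIT is constructed.

```python
"""Toy model of an LDAP ACL mechanism where ldapACIs protect themselves.

Assumed (not from the draft): an ACI is (scope, rights, attr, subject);
"subtree" scope applies to the entry and everything below it, "entry"
scope to that entry only; writing an ldapACI needs the right "w" on the
ldapACI attribute of the target entry; one bootstrap identity bypasses
evaluation so the very first ldapACI can be installed at all.
"""
from dataclasses import dataclass
from typing import Dict, Iterator, List


@dataclass(frozen=True)
class ACI:
    scope: str    # "entry" or "subtree" (assumed unit of applicability)
    rights: str   # any subset of "rw"
    attr: str     # target attribute name, or "*" for every attribute
    subject: str  # subject DN, or "anyone"


BOOTSTRAP_DN = "cn=Directory Manager"  # assumed out-of-band superuser


def parent_dn(dn: str):
    """Naive parent: split at the first comma (no escaped commas in the sample)."""
    return dn.split(",", 1)[1] if "," in dn else None


def chain(dn: str) -> Iterator[str]:
    """The entry itself, then each ancestor up to the naming context root."""
    while dn is not None:
        yield dn
        dn = parent_dn(dn)


def applicable_acis(dit: Dict[str, dict], dn: str) -> List[ACI]:
    """ACIs stored on the entry plus subtree-scoped ACIs of its ancestors."""
    out = []
    for anc in chain(dn):
        for aci in dit.get(anc, {}).get("ldapACI", []):
            if anc == dn or aci.scope == "subtree":
                out.append(aci)
    return out


def permitted(dit: Dict[str, dict], subject: str, dn: str, attr: str, right: str) -> bool:
    """Default deny: some applicable ACI must grant `right` on `attr` to `subject`."""
    if subject == BOOTSTRAP_DN:
        return True
    if dn not in dit:
        return False
    return any(
        right in aci.rights
        and aci.attr in (attr, "*")
        and aci.subject in (subject, "anyone")
        for aci in applicable_acis(dit, dn)
    )


def add_aci(dit: Dict[str, dict], subject: str, dn: str, aci: ACI) -> None:
    """ldapACIs control access to themselves: adding one is a write on ldapACI."""
    if not permitted(dit, subject, dn, "ldapACI", "w"):
        raise PermissionError(f"{subject} may not write ldapACI on {dn}")
    dit[dn].setdefault("ldapACI", []).append(aci)


def new_dit() -> Dict[str, dict]:
    """Constructed sample DIT with no ldapACI anywhere."""
    return {
        "o=example": {"o": ["example"]},
        "ou=people,o=example": {"ou": ["people"]},
        "cn=Alice,ou=people,o=example": {"cn": ["Alice"], "mail": ["alice@example"]},
        "cn=Bob,ou=people,o=example": {"cn": ["Bob"], "mail": ["bob@example"]},
    }


ALICE = "cn=Alice,ou=people,o=example"
BOB = "cn=Bob,ou=people,o=example"
PEOPLE = "ou=people,o=example"


def bootstrap_scenario() -> Dict[str, bool]:
    """Walk through the bootstrap problem and the subtree unit of applicability."""
    dit, steps = new_dit(), {}
    # 1. With no ldapACI in the DIT, nobody can grant anything, not even to themselves.
    try:
        add_aci(dit, ALICE, "o=example", ACI("subtree", "rw", "*", ALICE))
        steps["alice_self_grant"] = True
    except PermissionError:
        steps["alice_self_grant"] = False
    # 2. Only the bootstrap identity can install the first ACI: delegate ou=people to Alice.
    add_aci(dit, BOOTSTRAP_DN, PEOPLE, ACI("subtree", "rw", "ldapACI", ALICE))
    # 3. Alice may now grant Bob read on mail anywhere below ou=people.
    add_aci(dit, ALICE, PEOPLE, ACI("subtree", "r", "mail", BOB))
    steps["bob_reads_mail"] = permitted(dit, BOB, ALICE, "mail", "r")
    steps["bob_writes_mail"] = permitted(dit, BOB, ALICE, "mail", "w")
    # 4. Her delegation stops at the subtree: she cannot write ACIs on o=example.
    try:
        add_aci(dit, ALICE, "o=example", ACI("entry", "r", "*", "anyone"))
        steps["alice_escapes_subtree"] = True
    except PermissionError:
        steps["alice_escapes_subtree"] = False
    # 5. An entry-scoped ACI on ou=people does not flow down to the entries below it.
    add_aci(dit, ALICE, PEOPLE, ACI("entry", "r", "ou", BOB))
    steps["bob_reads_ou_on_people"] = permitted(dit, BOB, PEOPLE, "ou", "r")
    steps["bob_reads_ou_on_alice"] = permitted(dit, BOB, ALICE, "ou", "r")
    return steps


if __name__ == "__main__":
    for name, ok in bootstrap_scenario().items():
        print(f"{name}: {ok}")
```

Step 1 is the bootstrap problem in the mail: if ldapACIs are the only thing that can authorise writing an ldapACI, an empty DIT can never acquire its first one without an identity like cn=Directory Manager that sits outside the mechanism. Steps 4 and 5 show why the unit of applicability matters: with a subtree scope, delegating ldapACI administration at ou=people confines Alice to that partition, which is what lets a server evaluate several naming contexts (or replication entities) with one mechanism without one administrator's grants leaking into another's.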