Re: ACL Model (Section 2)
Rob,
Yes, thank you. I'll use these as the basis for updating section 2.
Ellen
At 07:54 PM 4/11/00 +0200, you wrote:
Ellen,
You may or may not (!) find this helpful but I jotted down some of the things
that I think should be treated in Section 2 that describes the LDAP Model:
Overview of the Model
. Explain the picture that servers can have multiple mechanisms but MUST be
capable of supporting the LDAP Mechanism in an arbitrary part of the DIT, if
required by a client.
Discovery/Setting of ACL Mechanisms
. define the attributes.
. If a client succeeds in changing one of these attributes does that mean the
new Mechanism is now also in force?
How multiple Mechanisms fit together:
. what the unit of applicability of the aci Mechanism is (probably replication
entity).
. can we "run two entities together" for LDAP Mechanism evaluation if they are
on the same server (I think we should be able to as it's useful if the DIT is
partitioned for scalability). This kind of touches on what X.500 calls the
ACL Administrative Something--it may be possible to re-use their concepts
though I would approach that with the prime directive "keep it simple".
Access to ldapACI's themselves
. I think they should control access to themselves. Does this force us to
address the problem of how to get ldapACI's in there in the first place
(cn="Directory Manager" concept?)
All for now...
Rob.