
summary of Apr 11 ldap access control model conference call



All,

Here's a summary (short):

1. Moving forward: Rob Byrne's note (10 min)

We reaffirmed the current direction of the ldap access control model.
Section 2 will be re-written to more clearly explain the model (reference
some points supplied in Rob's note on this subject).

2. Granularity of 'write' permission (need consensus) (10 min)

The decision was to divide the write permission (ldapModify operation)
into multiple permissions aligned with the sub-operations of ldapModify.
There is a single alphabetic character per permission.
	'w' means modify/add (write)
	'o' means modify/delete (obliterate)
	The presence of both 'w' and 'o' means modify/replace.

3. Add 'authenticated' pseudo-user (need consensus); also strength of authentication? (10 min)

Helmut will provide a proposal for Apr 18 conference call.

4. Should user need both 'add'(object) and 'write' (attributes) to add a DN/objects and its attributes? (need consensus) (10 min)

The decision is to require 'add' (object) on the parent entry to be able to add child entries AND 'write' on the attributes
that are 'added' as part of adding that entry. To delete the added entry, only the 'delete' (object) permission is needed
on the entry to be deleted.


Ellen
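
Added example, not part of the original message or of the access control draft: a fail-closed permission check that applies the decisions in items 2 and 4 to add, modify and delete operations. The letters 'w' and 'o' come from the summary; the object-permission labels "add" and "delete", the grants layout, and all sample DNs are assumptions made for illustration.

```python
# Permission letters 'w' and 'o' are from the summary. The labels "add" and
# "delete" for the object permissions and the grants layout are assumptions.
MODIFY_PERMS = {"add": {"w"}, "delete": {"o"}, "replace": {"w", "o"}}

def parent_dn(dn):
    """Naive parent DN: text after the first comma (ignores escaped commas)."""
    return dn.split(",", 1)[1] if "," in dn else ""

def required(op):
    """List the (dn, attribute_or_None, permission) triples an operation needs."""
    kind, dn = op["op"], op["dn"]
    if kind == "modify":
        reqs = []
        for sub_op, attr in op["changes"]:
            if sub_op not in MODIFY_PERMS:
                raise ValueError("unknown modify sub-operation: %r" % sub_op)
            reqs += [(dn, attr, p) for p in sorted(MODIFY_PERMS[sub_op])]
        return reqs
    if kind == "add":
        # 'add' on the parent entry AND 'w' on every attribute being added.
        return [(parent_dn(dn), None, "add")] + [(dn, a, "w") for a in op["attrs"]]
    if kind == "delete":
        # Only the object-level delete permission on the entry itself.
        return [(dn, None, "delete")]
    raise ValueError("unknown operation: %r" % kind)

def check(grants, op):
    """Return (allowed, missing); anything not explicitly granted is denied."""
    missing = [r for r in required(op) if r[2] not in grants.get(r[:2], set())]
    return (not missing, missing)

# Constructed sample grants for one requester: (dn, attribute or None) -> permissions.
PEOPLE = "ou=people,dc=example,dc=com"
NEW = "cn=new," + PEOPLE
SAMPLE_GRANTS = {
    (PEOPLE, None): {"add"},
    (NEW, None): {"delete"},
    (NEW, "cn"): {"w"},
    (NEW, "mail"): {"w"},
}

if __name__ == "__main__":
    for op in (
        {"op": "add", "dn": NEW, "attrs": ["cn", "mail"]},
        {"op": "add", "dn": NEW, "attrs": ["cn", "userPassword"]},
        {"op": "modify", "dn": NEW, "changes": [("replace", "mail")]},
        {"op": "delete", "dn": NEW},
    ):
        print(op["op"], check(SAMPLE_GRANTS, op))
```

How grants are scoped or inherited for an entry that does not exist yet is not covered by the summary; the example simply keys them on the new entry's DN.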