Re: LDAP ACLs
I agree with most of what you said, Paul.
We're faced with a choice among evils:
(A) Get the LDAP, WebDAV, and IMAP/ACAP crowds together to come up with
    joint requirements and design an IETF ACL system.
    Pros: Will probably have best final outcome
    Cons: Will take a long time (possibly 2 or 3 years)
          We probably don't have enough field experience to do this right
          OS vendors with different models will have to add support for the
          IETF model

(B) Several mandatory-to-implement-on-client ACL systems. Possibly add
    (A) later.
    Pros: flexible
          server implementations more secure
    Cons: lots of client complexity
          interoperability problems with less frequently used models
          LDAP servers with different ACL models can't interoperate for
          replication, referrals, etc.
          Introduces cross-protocol compatibility problems

(C) Design a single experimental LDAP model with the intention that it be
    replaced with (A) down the road.
    Pros: Gets something to market faster
    Cons: OS vendors with different models will have to add support for
          this model and the future model
          This model will probably have to be supported for a long time after
          (A) is deployed.
          Introduces cross-protocol compatibility problems

I'm afraid (C) is the lesser of evils here. But none of these are
appealing.
- Chris