
Re: creatorsName/modifiersName referential integrity



> Because the names in the groups and ACIs for John Smith were left dangling,
> and Jack Smith now has what used to be John Smith's DN, ...

If you were using an Access Control system which is based on Distinguished
Names and you were allowing for reuse of Distinguished Names, then you could
use the DN and optional Unique Identifier capability of X.500's access control
framework (and others).  By including a unique identifier assigned when the
entry was created, you could ensure that even if the subject DN is reused,
the new subject would not take on the rights of the previous subject.

> By not specifying what standard actions should be taken, interoperability 
> has definitely been impaired.  Thus this needs to be discussed and standard 
> actions should be included in updates to RFC 2252.

RFC 2252 only defines the attributes.  The underlying information model for
LDAP is X.501(1993) and following, which does not define automatic attribute
value deletion.  If there was a desire to standardize on an algorithm for
automatic value deletion, it would be done with an extension specification, so
that an LDAP client could determine whether a server did so, and on what 
subtrees it was in effect. This behavior would augment the behavior of X.511
for performing operations.  

Before, however, we consider automatic attribute value deletion for
standardization, I would want to see some consideration of an approach for the
interaction between servers which do not replicate that information.  This
could be done in LDAPEXT or more likely in a successor WG to LDAPEXT for
inter-server issues other than replication (chaining, proxy auth etc).

Mark Wahl, Directory Product Architect
Innosoft International, Inc.
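The first paragraph above describes naming an access-control subject as a DN plus an optional unique identifier so that a reused DN does not inherit a previous holder's rights. The following is an added illustration of that check, not code from the original message, from Innosoft, or from any X.500 implementation. It assumes a toy ACI model (a subject, a target DN and a permission set), a simplified DN normalization (case-folding and whitespace stripping rather than full X.501 matching rules), a random hex token standing in for the identifier assigned at entry creation, and constructed DNs such as "cn=J Smith,ou=People,o=Example".

```python
"""Added example: access-control subjects as DN + optional unique identifier.

If an ACI names its subject by DN only, a dangling ACI transfers to whoever
next receives that DN.  If the subject is a NameAndOptionalUID carrying the
identifier assigned when the entry was created, a reused DN does not match.
Illustrative code only; not the implementation of any directory product.
"""
from dataclasses import dataclass, field
from typing import FrozenSet, Iterable, Optional
import secrets


def normalize_dn(dn: str) -> str:
    """Simplified DN normalization (assumption: real servers apply the full
    X.501 matching rules): case-fold and strip whitespace around separators."""
    return ",".join(part.strip().lower() for part in dn.split(","))


@dataclass(frozen=True)
class Entry:
    """A directory entry; uid models the identifier assigned at creation."""
    dn: str
    uid: str = field(default_factory=lambda: secrets.token_hex(8))


@dataclass(frozen=True)
class Subject:
    """NameAndOptionalUID: a DN plus an optional unique identifier."""
    dn: str
    uid: Optional[str] = None

    def matches(self, entry: Entry) -> bool:
        if normalize_dn(self.dn) != normalize_dn(entry.dn):
            return False
        # A DN-only subject matches whoever currently holds the name; a
        # subject with a UID additionally requires the creation identifier.
        return self.uid is None or self.uid == entry.uid


@dataclass(frozen=True)
class ACI:
    """Hypothetical ACI: subject gets `permissions` on `target` and below."""
    subject: Subject
    target: str
    permissions: FrozenSet[str]


def is_permitted(acis: Iterable[ACI], requester: Entry,
                 target_dn: str, permission: str) -> bool:
    """Grant if some ACI whose subject matches the requester covers the target."""
    target = normalize_dn(target_dn)
    for aci in acis:
        if permission not in aci.permissions:
            continue
        if not aci.subject.matches(requester):
            continue
        scope = normalize_dn(aci.target)
        if target == scope or target.endswith("," + scope):
            return True
    return False


def scenario() -> dict:
    """Constructed scenario: John Smith's entry is removed and Jack Smith is
    later created under the same DN while the ACIs are left dangling."""
    dn = "cn=J Smith,ou=People,o=Example"      # constructed DN
    payroll = "ou=Payroll,o=Example"           # constructed target
    john = Entry(dn)
    dn_only = ACI(Subject(dn), payroll, frozenset({"read", "write"}))
    with_uid = ACI(Subject(dn, john.uid), payroll, frozenset({"read", "write"}))

    jack = Entry(dn)  # same DN, fresh identifier assigned at creation

    return {
        "john_dn_only": is_permitted([dn_only], john, payroll, "write"),
        "john_with_uid": is_permitted([with_uid], john, payroll, "write"),
        "jack_dn_only": is_permitted([dn_only], jack, payroll, "write"),
        "jack_with_uid": is_permitted([with_uid], jack, payroll, "write"),
        "uids_differ": john.uid != jack.uid,
    }


if __name__ == "__main__":
    for name, granted in scenario().items():
        print(f"{name}: {granted}")
```

The DN-only ACI grants Jack write access to the payroll subtree as soon as he inherits the name; the ACI that also carries John's creation identifier does not, which is the property the message argues for. The same comparison applies to group membership values that carry an optional UID alongside the member DN.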