Re: ACL model comments
"Kurt D. Zeilenga" wrote:
>
> Though I haven't had time to do a full review, I can offer
> a few comments:
>
> Section 6.3
>
> The 'aci' attribute is defined as a user, not operational,
> attribute type. Besides being appropriate in terms of usage,
> this would allow this attribute type in any and all
> object classes. If usage is left as user, you'd likely
> have to define an auxiliary objectclass to allow mix in
> or replace 'top' or something.
I agree that the attribute type used to store access control information
should be operational. X.500's various access control attribute types
are defined with "USAGE directoryOperation" which seems right to me.

I would also like to see us choose a different name for the attribute
type. An attribute called 'aci' has been used in the Netscape/iPlanet
Directory Server for several years now to hold proprietary access
control information. See:

http://home.netscape.com/eng/server/directory/schema/attribu4.htm#1717762

I admit that 'aci' was not a good name for Netscape to use, but I
suggest we use a name like 'ldapACI' for the new standard scheme to
avoid confusion (unless someone else is already using that name too!).
--
Mark Smith
Directory Product Development / iPlanet E-Commerce Solutions
My words are my own, not my employer's. Got LDAP?