
Re: LDAP subentry alignment with X.500 subentry



Stephen,

If we were to use subentries to store aci items then your
"restriction" proposal sounds like a good approach.

However, it could be argued that it would be useful to extend the X.500
subtree specifier to allow the refinement to be a generic filter (not just
on the objectclass attribute).

So, on the subject of a subtree specifier for LDAP, then wrt the X.500
specifier I would venture something like: drop the chops (in favour of a
start point and base, onelevel and subtree) and allow the refinement to be
a generic filter (not just on the objectclass).

However, I would also like to see a discussion of why we should put acis
into subentries rather than just store them as ldapACI attributes in
entries.  What are the pros and cons?

Cheers,
Rob.

Steven Legg wrote:

> Rob,
>
> > -----Original Message-----
> > From: owner-ietf-ldup@mail.imc.org
> > [mailto:owner-ietf-ldup@mail.imc.org]On Behalf Of Rob Byrne - Sun
> > Microsystems
> > Sent: Saturday, 8 July 2000 3:55
> > To: Mark C Smith
> > Cc: Kurt D. Zeilenga; ietf-ldapext@netscape.com; ietf-ldup@imc.org; Ed
> > Reed
> > Subject: Re: LDAP subentry alignment with X.500 subentry
> >
> >
> >
> > Mark,
> >
> > I would say that the complexity of the X.500 style specifier
> > would be a barrier
> > to its adoption for the LDAP access control model.
> > So I would say some simplified subtree specifier would be
> > preferable (base,
> > onelevel, subtree?).
>
> Would it be acceptable to use the X.500 SubtreeSpecification but
> constrain it for use in LDAP? I would rather deal with a subset of
> existing functionality than a separate mechanism to do the same thing.
> It would also provide an obvious upgrade path in future versions of LDAP
> by relaxing the constraints, if it proves desirable.
>
> The simple subtree specifier above would be equivalent to providing
> only the "minimum" or "maximum" component of a ChopSpecification, e.g.
>
> base equates to "{ maximum 0 }"
> onelevel equates to "{ minimum 1, maximum 1 }" or maybe "{ maximum 1 }"
> subtree equates to "{ }"
>
> All other fields being absent.
>
> Regards,
> Steven
>
> >
> > Even ignoring the subtree specifier there are cons associated
> > with putting acis
> > into subentries compared to just storing them as
> > attributes--for example you need
> > to control access to the subentries which, because subentries
> > do not behave like
> > ordinary entries, requires at least one additional aci
> > attribute (something like
> > entryACI or subEntryACI).
> >
> > Rob.
> >
> > Mark C Smith wrote:
> >
> > >
> > > > I primarily make these suggestions because I believe
> > these changes would
> > > > make subentries within LDAP more usable, in particular,
> > when used in
> > > > support of the access control model.
> > >
> > > Interesting.  Before we throw out the simple LDAPsubentry
> > that Ed has
> > > defined, I think someone should list the additional
> > requirements that
> > > are needed for the access control effort to successfully
> > use subentries.
> > >
> > > --
> > > Mark Smith
> > > iPlanet
> >
> >
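The scope-to-chop mapping Steven gives above, together with the generic-filter refinement Rob asks for, as an added example (not code from this thread nor from any X.500 or LDAP implementation): a small Python evaluator for a cut-down SubtreeSpecification run over a constructed toy DIT. The DN parsing is deliberately naive (split on commas, no escaping) and the refinement is modelled as a predicate over the entry; both are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Callable, Optional
def depth_below(dn, base):
    # RDNs by which dn sits below base, or None if outside that subtree.
    # Toy DN handling (assumption): split on commas, no escaping, case-insensitive.
    d = [p.strip().lower() for p in dn.split(",") if p.strip()]
    b = [p.strip().lower() for p in base.split(",") if p.strip()]
    if len(d) < len(b) or d[len(d) - len(b):] != b:
        return None
    return len(d) - len(b)

@dataclass
class SubtreeSpec:
    base: str
    minimum: int = 0               # absent minimum == 0
    maximum: Optional[int] = None  # absent maximum == unbounded
    # X.500 allows only objectClass refinements; Rob's generic filter is
    # modelled as an arbitrary predicate over the entry's attributes.
    refinement: Optional[Callable[[dict], bool]] = None

    def covers(self, entry):
        depth = depth_below(entry["dn"], self.base)
        if depth is None or depth < self.minimum:
            return False
        if self.maximum is not None and depth > self.maximum:
            return False
        return self.refinement(entry) if self.refinement else True

# Steven's mapping of the three LDAP scopes onto ChopSpecification values.
SCOPE_TO_CHOP = {
    "base": dict(minimum=0, maximum=0),        # "{ maximum 0 }"
    "onelevel": dict(minimum=1, maximum=1),    # "{ minimum 1, maximum 1 }"
    "subtree": dict(minimum=0, maximum=None),  # "{ }"
}

def spec_for_scope(base, scope, refinement=None):
    return SubtreeSpec(base, refinement=refinement, **SCOPE_TO_CHOP[scope])

def objectclass_refinement(oc):
    # The only kind of refinement X.500 allows: a test on objectClass.
    return lambda e: oc.lower() in [v.lower() for v in e.get("objectClass", [])]

# Constructed toy DIT (not from the thread): an OU, two people, one child node.
DIT = [
    {"dn": "ou=people,dc=example,dc=com", "objectClass": ["organizationalUnit"]},
    {"dn": "uid=alice,ou=people,dc=example,dc=com", "objectClass": ["person"], "uid": ["alice"]},
    {"dn": "uid=bob,ou=people,dc=example,dc=com", "objectClass": ["person"], "uid": ["bob"]},
    {"dn": "cn=certs,uid=alice,ou=people,dc=example,dc=com", "objectClass": ["container"]},
]
```

Selecting entries with `[e["dn"] for e in DIT if spec_for_scope(base, "onelevel").covers(e)]` returns only alice and bob, while the same base with a `uid`-based predicate selects a set no objectClass refinement can express.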