[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
RE: LDAP subentry alignment with X.500 subentry
Rob,
I can so no purpose either for a general filter in a subentry of for scopes
in entry ACI.
The problem with the former is that, if the filter relates to
telephoneNumber, for example, and the user deletes this attribute from his
entry, the ACI may now behave unpredictably.
The problem with scope in entry ACI is that, when searching below a scoped
entry, how do you determine the applicable ACI. Read all superior entries?
Since you asked for pros and cons, another aspect of entry ACI that is
suboptimal is the cost of applying it. Everyone seems to assume it is free
and yet it has a significant impact on server performance (no figures,
sorry). For example, suppose subtree A contains 10000 entries, 9000 of which
are in subtree B under A. Suppose user X is not authorised to access B.
Because of entry ACI, a search by X of the subtree A will result in all
10000 entries being read for their ACI, whereas the use of prescriptive
(subentry) ACI will mean that at most 1000 entries will be accessed.
Ron.
-----Original Message-----
From: Rob Byrne - Sun Microsystems [mailto:Robert.Byrne@france.Sun.COM]
Sent: Monday, 10 July 2000 19:50
To: Lloyd, Alan
Cc: steven.legg@adacel.com.au; 'Mark C Smith'; 'Kurt D. Zeilenga';
ietf-ldapext@netscape.com; ietf-ldup@imc.org; 'Ed Reed'
Subject: Re: LDAP subentry alignment with X.500 subentry
Hi Alan,
Thanks for that...but I think I was not precise enough in my question.
The current proposal for ldapACI does put them in entries but they come with
a
built in scope rule, which can be "subtree". So, I suppose my question is
rather, "apart from leveraging the scoping rule of subentries what is the
big
plus we get from putting acis into subentries ?".
Thanks,
Rob.
"Lloyd, Alan" wrote:
> The reason for ACI in subentries is that one can support the nested
> directory admin model and make domain based ACI decisions over distributed
> (X.500) DSAs. Whereas entry level ACI - may let a user do operations on
the
> directory using the directory resources only to find they are denied to do
> these at the entry level (and on millions of other entries.. ie entry
level
> ACI is easy to implement - but a rally bad way of working in terms of
system
> level resource protection, large scale protected distributed systems - and
> operationally hard to configure and manage..
>
> ie. configuring entry level ACI for millions of entries - across many
> servers - at the entry level takes time ... This process is also open to
> having errors introduced where back door holes might be the result of
> misconfiguration.
>
> If one adopts admin points and rules based configuration and deals with
> large scale distributed directory entries - then the nested admin model is
> best - simply becuase it does scale and is easier to operate with rules -
> This approach also align with conventional management models used by
> business ie top down. If an entry level aci is used - one must consider
the
> cost to configure and test, the use of directory resource before making
the
> actual ACI decision, the hierarchy of entries, their denials and
permissions
> and any alias derefencing...
>
> as an example - say one has a distributed directory with 250 million
entries
> in it and one wanted to apply a new rule for a new set of users and
business
> services - for each entry... if an entry takes even half a minute to
> configure.. the job will be a life time career...
>
> regards alan
>
> Stephen,
>
> snip
>
> However, I would also like to see a discussion of why we should put acis
> into subentries rather than just store them as ldapACI attributes in
> entries. What are the pros and cons ?
>
> Cheers,
> Rob.
>
> snip