RE: LDAP subentry alignment with X.500 subentry
Rob,
I wasn't trying to say that filters are not unpredictable, or that the scheme
you propose is unworkable.
My point is simply that, if Joe Average, System Administrator, defines a
filter (eg employees with manager X cannot access payroll files) and if
users actually have access to that attribute, there may be security
implications (eg user deletes manager attribute). Note that filters have
syntax (easy), semantics (harder) and exception (very hard). One exception
is the tri-valued nature of the filter ('unknown').
Ron.
-----Original Message-----
From: Rob Byrne - Sun Microsystems [mailto:Robert.Byrne@france.sun.com]
Sent: Friday, 14 July 2000 2:08
To: Lloyd, Alan; Ramsay, Ron; ietf-ldapext@netscape.com;
Albert.Langer@directory-designs.org
Subject: Re: LDAP subentry alignment with X.500 subentry
Ron/Alan/Albert,
Thanks for your responses.
<snip>
[Ron]
I can see no purpose either for a general filter in a subentry or for scopes
in entry ACI.
The problem with the former is that, if the filter relates to
telephoneNumber, for example, and the user deletes this attribute from his
entry, the ACI may now behave unpredictably.
Ron, in our LDAP server we provide this as a way to define entries to which
acis apply and this feature is used. The effect is not unpredictable--the
behaviour of filters is well defined. Though I agree that if the admin does
not define his policy well, the effect may be unexpected. I think that the
use of this feature provides flexibility but demands good management by the
admin--I guess it's a trade off.
<snip>
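
The concern raised in this thread, as an added example that is not part of the original messages or of any server's code: a deny rule targeted by filter stops covering an entry once the filtered attribute is removed, a filter that names an unrecognised attribute evaluates to Undefined (and stays Undefined under NOT), and a simple audit lists the filter attributes the subject can modify itself. The rule format, the schema set, the attribute names and the sample entries are all hypothetical and constructed.

```python
# Added illustration: toy filter tuples and a hypothetical ACI model, not a server API.
TRUE, FALSE, UNDEFINED = "TRUE", "FALSE", "UNDEFINED"
KNOWN_ATTRS = {"cn", "manager", "telephonenumber"}  # constructed schema

def evaluate(flt, entry):
    """Three-valued evaluation of a filter tuple against an entry (attr -> set of values)."""
    op = flt[0]
    if op == "eq":
        _, attr, value = flt
        if attr.lower() not in KNOWN_ATTRS:
            return UNDEFINED  # unrecognised attribute type: neither TRUE nor FALSE
        return TRUE if value in entry.get(attr.lower(), set()) else FALSE
    if op == "not":
        inner = evaluate(flt[1], entry)
        return {TRUE: FALSE, FALSE: TRUE, UNDEFINED: UNDEFINED}[inner]
    results = [evaluate(f, entry) for f in flt[1:]]
    if op == "and":
        return FALSE if FALSE in results else UNDEFINED if UNDEFINED in results else TRUE
    if op == "or":
        return TRUE if TRUE in results else UNDEFINED if UNDEFINED in results else FALSE
    raise ValueError(f"unsupported filter op: {op}")

def deny_applies(rule, entry):
    """A filter-targeted deny rule covers an entry only when its filter is TRUE."""
    return evaluate(rule["filter"], entry) == TRUE

def filter_attrs(flt):
    """Collect the attribute names a filter depends on."""
    if flt[0] == "eq":
        return {flt[1].lower()}
    return set().union(*(filter_attrs(f) for f in flt[1:]))

def audit(rule, self_writable):
    """Filter attributes that the subject of the rule can modify on its own entry."""
    return sorted(filter_attrs(rule["filter"]) & self_writable)

# Constructed sample data.
RULE = {"name": "deny-payroll", "filter": ("eq", "manager", "cn=X,o=example")}
BEFORE = {"cn": {"joe"}, "manager": {"cn=X,o=example"}}
AFTER = {"cn": {"joe"}}  # the same entry after the manager attribute is deleted
SELF_WRITABLE = {"telephonenumber", "manager"}

if __name__ == "__main__":
    print(deny_applies(RULE, BEFORE), deny_applies(RULE, AFTER))
    print(evaluate(("not", ("eq", "managr", "cn=X,o=example")), AFTER))  # misspelled attr
    print(audit(RULE, SELF_WRITABLE))
```

A non-empty `audit` result means the rule's coverage depends on an attribute its subject controls, which is the policy-definition problem both posters describe.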