
Re: filters in ldapACI (WAS Re: I-D ACTION:draft-ietf-ldapext-acl-model-06.txt)



Date forwarded: 	Fri, 21 Jul 2000 07:46:13 -0700 (PDT)
Date sent:      	Fri, 21 Jul 2000 16:45:33 +0200
From:           	Rob Byrne - Sun Microsystems <Robert.Byrne@france.Sun.COM>
Organization:   	Sun Microsystems
Copies to:      	Haripriya S <SHARIPRIYA@novell.com>, ietf-ldapext@netscape.com
Subject:        	Re: filters in ldapACI (WAS Re: I-D 
	ACTION:draft-ietf-ldapext-acl-model-06.txt)
To:             	ietf-ldapext@netscape.com
Forwarded by:   	ietf-ldapext@netscape.com

> 
> Haripriya,
> 
> You are right that there is no way to do this in the current draft. I
> think it's a useful feature and should probably be added.
> 
> It involves adding the capability to specify an LDAP filter
> (restricted to objectclass only ?) to the ldapACI.

This is precisely what X.500 ACI has as a feature. Only in this case 
the object class filter is not part of the ldapACI attribute but part of 
the subtree specification attribute that accompanies it in the 
subentry. (However the two are synonymous. They are just 
different ways of structuring the same information, i.e. one complex 
attribute vs two simpler attributes that keep their relationship by 
being together in a subentry. My families of entries ID further 
extended this model to be fully general for any entry.)

David

> Rob.
> 
> >  In the current model of ACL I cannot find how to actually set ACLs
> >  for a 'to be created entry' based on its objectClass. For example,
> >  I may want a set of ACLs to be present for all the objects of type
> >  inetorgperson, to expose certain attributes by default to even an
> >  unauthenticated user. It would help in this case, if I have
> >  mechanisms to set ACLs for the objectclass itself, so that any
> >  entry of that class created automatically gets these ACLs. The
> >  other alternative would be for me to set these ACLs at one parent
> >  with scope subtree and let all the entries under that parent
> >  inherit these ACLs. But this would not let me distinguish by
> >  objectclass ( I may want to expose cn for inetorgperson but not for
> >  residentialperson by default). Does anybody have ideas on this?
> >
> >  Thanks and Regards,
> >  Haripriya
> >
> 


***************************************************

David Chadwick
IS Institute, University of Salford, Salford M5 4WT
Tel +44 161 295 5351  Fax +44 161 745 8169
Mobile +44 790 167 0359
Email D.W.Chadwick@salford.ac.uk
Home Page  http://www.salford.ac.uk/its024/chadwick.htm
Understanding X.500  http://www.salford.ac.uk/its024/X500.htm
X.500/LDAP Seminars http://www.salford.ac.uk/its024/seminars.htm
Entrust key validation string MLJ9-DU5T-HV8J

***************************************************
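The X.500 mechanism David refers to above, as an added illustration that is not part of the thread: a subentry's subtreeSpecification (X.501; later documented for LDAP in RFC 3672) carries base, minimum/maximum depth, chop exclusions and a specificationFilter refinement on objectClass, and a prescriptive ACI in that subentry applies only to entries the specification selects. The DNs, admin point and entries below are constructed sample data; RDNs are compared as plain strings for brevity.

```python
# Evaluator for an X.501-style subtree specification, used here to show how an
# ACI can be scoped by object class without the filter living in the ACI itself.
# DNs are tuples of RDN strings ordered from the root down (constructed data).

def matches_refinement(refinement, object_classes):
    """Evaluate a specificationFilter refinement (item/and/or/not) against objectClass values."""
    kind, arg = refinement
    present = {oc.lower() for oc in object_classes}
    if kind == "item":
        return arg.lower() in present
    if kind == "and":
        return all(matches_refinement(r, object_classes) for r in arg)
    if kind == "or":
        return any(matches_refinement(r, object_classes) for r in arg)
    if kind == "not":
        return not matches_refinement(arg, object_classes)
    raise ValueError(f"unknown refinement {kind!r}")

def in_subtree(admin_point, spec, entry_dn, object_classes):
    """Is entry_dn selected by subtree spec `spec` of a subentry under admin_point?"""
    base = admin_point + tuple(spec.get("base", ()))
    if entry_dn[:len(base)] != base:          # entry must be at or below the base
        return False
    rel = entry_dn[len(base):]                 # RDNs below the base
    depth = len(rel)
    if depth < spec.get("minimum", 0):
        return False
    if "maximum" in spec and depth > spec["maximum"]:
        return False
    # chopBefore excludes the named entry and everything beneath it;
    # chopAfter keeps the named entry but excludes its subordinates
    for chop in spec.get("chop_before", ()):
        if rel[:len(chop)] == tuple(chop):
            return False
    for chop in spec.get("chop_after", ()):
        if rel[:len(chop)] == tuple(chop) and depth > len(chop):
            return False
    refinement = spec.get("filter")
    return refinement is None or matches_refinement(refinement, object_classes)

# Constructed directory: one admin point, two entries of different classes.
ADMIN_POINT = ("dc=example", "ou=people")
INETORG_ONLY = {"filter": ("item", "inetOrgPerson")}   # subentry exposing cn to anonymous
WHOLE_SUBTREE = {}                                     # plain subtree-scoped ACL, no class filter
ALICE = (ADMIN_POINT + ("cn=alice",), ["top", "person", "inetOrgPerson"])
BOB = (ADMIN_POINT + ("cn=bob",), ["top", "person", "residentialPerson"])

def covered(spec, entry):
    dn, ocs = entry
    return in_subtree(ADMIN_POINT, spec, dn, ocs)
```

With the class-filtered specification the cn-exposing ACI reaches alice but not bob; with a plain subtree scope, as in Haripriya's second alternative, it reaches both.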