Re: filters in ldapACI (WAS Re: I-D ACTION:draft-ietf-ldapext-acl-model-06.txt)



At 09:26 AM 7/23/00 +0100, David Chadwick wrote:
>This is precisely what X.500 ACI has as a feature. Only in this case 
>the object class filter is not part of the ldapACI attribute but part of 
>the subtree specification attribute that accompanies it in the 
>subentry. (However the two are synonymous. They are just 
>different ways of structuring the same information i.e. one complex 
>attribute vs two simpler attributes that keep their relationship by 
>being together in a subentry.)

Though both X.500 subentry and ldapACI offer sophisticated
scoping specification mechanisms, the X.500 subentry is a general
mechanism which can be applied to numerous features.  That
is, a server can implement the subentry complexity once
and then apply it to multiple features.  ldapACI's mechanism
is specific to the feature it provides.   Other attributes
would have to define their own scoping mechanisms (or use
X.500's subentry provided mechanism).

There are, of course, a number of differences in the actual
scoping mechanisms.

Also, ldapACI could be scoped using ldapACISubentry (or
X.500 subentry for that matter).  The specification of such is
stated as being out of scope of the ACM I-D, which is wise.
The LDAPsubentry I-D does not define any scoping semantics
and appears to only provide a generic container for operational
information.  But that's another thread.