I agree for the exact same reason optional support of attr
subtyping). It would also be interesting to hear from the X.500 community on how
this is handled by different vendors. I found the whole thing
unspecified.
Jim
>>> "Kurt D. Zeilenga" <Kurt@OpenLDAP.org> 9/30/00 12:59:03 PM >>>
At 07:39 AM 9/30/00 -0700, Prasanta Behera wrote:
>Currently the netscape/iPlanet DS ACL supports an attribute inheritance of subtypes e.g. if you allow access to
>"cn", it automatically means { cn, cn;* }
>
>However, it is much harder to map "name" to "cn, sn".

Depends upon your server implementation... I argue that mapping "name" to "cn" is no harder than mapping "2.5.4.3" to "cn". Both require schema aware ACL evaluation and once you have that, supporting subtyping is likely no big deal. Implementing schema aware ACL evaluation may be hard, but it's already required to handle alternative naming of attribute types.

However, given that subtyping is optional in LDAPv3, one could argue it's best to leave subtyping within ACLs as being optional.

Kurt
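The schema-aware ACL matching discussed in this thread, as an added example that is not part of the original messages and not any server's code: it resolves names and OIDs to one attribute type, treats options (`cn;*`) as covered by the bare type, and makes supertype matching (`name` covering `cn`, `sn`) a switch. The mini-schema is constructed from the standard OIDs and SUP relations, and `parse`, `supertypes` and `acl_covers` are hypothetical names.

```python
# Constructed mini-schema (assumption): OID, names, supertype.
# cn and sn are subtypes of name in the standard LDAP user schema.
SCHEMA = [
    {"oid": "2.5.4.41", "names": ["name"], "sup": None},
    {"oid": "2.5.4.3", "names": ["cn", "commonName"], "sup": "name"},
    {"oid": "2.5.4.4", "names": ["sn", "surname"], "sup": "name"},
    {"oid": "2.5.4.20", "names": ["telephoneNumber"], "sup": None},
]

# Index every name and OID (case-insensitive) to its schema entry.
INDEX = {}
for _t in SCHEMA:
    for _key in [_t["oid"]] + _t["names"]:
        INDEX[_key.lower()] = _t


def parse(desc):
    """Split an attribute description into (schema entry, option set)."""
    base, *opts = desc.strip().lower().split(";")
    return INDEX.get(base), frozenset(o for o in opts if o)


def supertypes(entry):
    """Yield the entry's OID, then each ancestor's OID up the SUP chain."""
    seen = set()
    while entry and entry["oid"] not in seen:
        seen.add(entry["oid"])
        yield entry["oid"]
        entry = INDEX.get(entry["sup"].lower()) if entry["sup"] else None


def acl_covers(acl_attr, requested, subtyping=True):
    """True if an ACL naming acl_attr applies to the requested attribute."""
    acl_type, acl_opts = parse(acl_attr)
    req_type, req_opts = parse(requested)
    if acl_type is None or req_type is None:
        return False  # unknown type: fail closed instead of string matching
    if not acl_opts <= req_opts:
        return False  # "cn" covers "cn;lang-en", but not the reverse
    if req_type["oid"] == acl_type["oid"]:
        return True  # same type under any name or OID
    return subtyping and acl_type["oid"] in supertypes(req_type)
```

With `subtyping=False` the evaluator still has to resolve alternative names and OIDs, which is the part of the work the thread describes as already required.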