Hi Jim,
X.500 says for opinion nothing
about AccessControl and subtyping. Access Control can be given on
an
attribute basis and have
nothing to do with the subtyping of attributes.
Subtypes are defined in the
schema and are only used in the search, if you
give a supertype in a filter
item all subtypes will be searched also.
Helmut
I agree for the exact same reason optional support of attr
subtyping). It would also be interesting to hear from the X.500 community on
how this is handled by different vendors. I found the whole thing
unspecified.
Jim
>>> "Kurt D. Zeilenga" <Kurt@OpenLDAP.org> 9/30/00
12:59:03 PM >>> At 07:39 AM 9/30/00 -0700, Prasanta Behera
wrote: >Currently the netscape/iPlanet DS ACL supports a attribute
inheritance of subtypes e.g. if you allow access to >"cn", it
automatically means { cn, cn;* } > >However, it is much harder to
map "name" to "cn, sn".
Depends upon your server
implementation... I argue that mapping "name" to "cn" is no harder
than mapping "2.5.4.3" to "cn". Both require schema aware ACL
evaluation and once you have that, supporting subtyping is likely no
big deal. Implementing schema aware ACL evaluation may be hard, but it's
already required to handle alternative naming of attribute
types.
However, given that subtyping is optional in LDAPv3,
one could argue it's best to leave subtyping within ACLs as being
optional.
Kurt
|