[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
RE: Considering Attribute Subtypes during ACL evaluation
I agree with Steven
Helmut
> -----Original Message-----
> From: Steven Legg [mailto:steven.legg@adacel.com.au]
> Sent: Montag, 9. Oktober 2000 01:16
> To: 'Jim Sermersheim'
> Cc: ietf-ldapext@netscape.com
> Subject: RE: Considering Attribute Subtypes during ACL evaluation
>
>
>
> Jim,
>
> I can't find anything in X.500 that clarifies whether
> attribute subtyping
> applies when evaluating access controls. Our implementation ignores
> subtyping when making access control decisions. It seems the safer
> choice.
>
> Regards,
> Steven
>
> -----Original Message-----
> From: Jim Sermersheim [mailto:JIMSE@novell.com]
> Sent: Tuesday, 3 October 2000 9:40
> To: prasanta@netscape.com; Kurt@OpenLDAP.org
> Cc: ietf-ldapext@netscape.com; hahnt@us.ibm.com
> Subject: Re: Considering Attribute Subtypes during ACL evaluation
>
>
> I agree for the exact same reason optional support of attr
> subtyping). It
> would also be interesting to hear from the X.500 community on
> how this is
> handled by different vendors. I found the whole thing unspecified.
>
> Jim
>
>
> >>> "Kurt D. Zeilenga" <Kurt@OpenLDAP.org> 9/30/00 12:59:03 PM >>>
> At 07:39 AM 9/30/00 -0700, Prasanta Behera wrote:
> >Currently the netscape/iPlanet DS ACL supports a attribute
> inheritance of
> subtypes e.g. if you allow access to
> >"cn", it automatically means { cn, cn;* }
> >
> >However, it is much harder to map "name" to "cn, sn".
>
> Depends upon your server implementation... I argue that
> mapping "name" to "cn" is no harder than mapping "2.5.4.3"
> to "cn". Both require schema aware ACL evaluation and
> once you have that, supporting subtyping is likely no big
> deal. Implementing schema aware ACL evaluation may be hard,
> but it's already required to handle alternative naming
> of attribute types.
>
> However, given that subtyping is optional in LDAPv3, one
> could argue it's best to leave subtyping within ACLs as
> being optional.
>
> Kurt
>