directory-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Alex Karasulu <>
Subject Re: ACLs questions
Date Tue, 17 May 2005 01:45:22 GMT
Marc Boorshtein wrote:

>>>2 - What about having an "openLDAP like"
>>simplified ACL mechanism ?
>>I don't know I have not put enough thought to this
>>because there are so 
>>many things standing in my way right now like
>>implementing subentires so 
>>we can store ACLs ;).  However going with their
>>scheme might be a good 
>>idea.  Can you take the time to research the
>>strengths and weaknesses 
>>with this approach? 
>just a note.  i don't think you'd want to store an ACL
>entry as a subtree on an entry.  ACL's can have scope,
>so if you store it at the entry level then you'll need
>to find the correct entries to determine the correct
>access controls.
X.500 subentries are recommended to store various information for an 
autonomous administrative area.  The area can be for schema, ACLs, or 
collective attributes.  The area of coverage for the contained 
information in the subentry is defined by the subtree specification 
which includes parameters for chop before, chop after, and subtree 
refinements.  This is all X.500 stuff that the LDAP community is 
reintroducing today.  One can almost say there is a subtle convergence 
going on. 

If you want to commit to something we can explore implementing 
subentries together first.  Next we need to include support for schema 
structures for subtree specifications and algorithms for subtree entry 
set inclusion evaluation.  Finally we can begin talking about 
implementing the actual ACL mechanism - IMO the ACL mechanism can be 
developed in parallel and stored somewhere else until we complete these 
components in parallel.  This way Tony can begin working with us as well.


View raw message