directory-dev mailing list archives

From Alex Karasulu <>
Subject Re: [ApacheDS] another question while implementing ACDFEngine
Date Sat, 24 Sep 2005 00:52:52 GMT
Trustin Lee wrote:

> 2005/9/24, Alex Karasulu <>:
>     > Now I see that we can get apDN easily in case of prescriptiveACI
>     > because it is an attribute of subentry.  But what about entryACI?
>     > How can I find an appropriate administrative point?
>     Question is does this evaluation apply? Do you need an AP at all to
>     evaluate for an entryACI?
> There is a userClass called 'subtree'.  It specifies users belong to 
> the specified subtree.  The problem is that 'subtree' userClass 
> specifies only subtreeSpecifications.  How can I evaluate them whether 
> the current user DN belongs to the subtree or not without knowing apDN?
> So... I thought we might have to assume that there's only one 
> administrative point for users, 'ou=users, ou=system'.  But I'm not 
> sure this is a right choice.

Yeah this is not a good presumption to make.  The users can really go 
anywhere.  We are just using this container as a convention. 

The problem as I understand it is that the subtreeSpecification is 
supposed to select a set of users that can perform some operation on a 
target entry.  The ACIItem that contains this userClass can be 
prescriptiveACI or entryACI.   A subtreeSpecification is all you have 
and the base of it is relative so how do you start evaluating a candidate 
without an AP DN?

For this special case I would presume the base, relative name, of the 
subtreeSpecification is really a DN.  In other words the empty DN, the 
RootDSE, is the Administrative Point.

The X.501 specifications really did a poor job with this userClass.  
It's clearly a flaw in the spec.
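
To make the evaluation under discussion concrete, here is a standalone model (an added example in Python, not ApacheDS code) of checking whether a user DN falls inside a subtreeSpecification once an administrative point DN is supplied; with the root DSE (the empty DN) taken as the AP, the base has to be an absolute DN, as proposed above. It assumes DNs without escaped commas and case-insensitive RDN matching.

```python
# Added example (not ApacheDS code): the 'subtree' userClass of an ACIItem,
# i.e. "does this user DN fall inside the subtreeSpecification?", evaluated
# relative to an administrative point (AP) DN.

def dn_parse(dn):
    """Return a DN as a tuple of normalised RDNs, root first.
    The empty string is the root DSE, i.e. the empty DN."""
    if not dn.strip():
        return ()
    return tuple(rdn.strip().lower() for rdn in reversed(dn.split(",")))

def is_at_or_below(ancestor, entry):
    """True if entry equals ancestor or sits somewhere beneath it."""
    return entry[:len(ancestor)] == ancestor

def in_subtree(spec, ap_dn, entry_dn):
    """X.501 subtreeSpecification check relative to the AP's DN.
    spec keys: base, minimum, maximum, chopBefore, chopAfter."""
    root = dn_parse(ap_dn) + dn_parse(spec.get("base", ""))
    entry = dn_parse(entry_dn)
    if not is_at_or_below(root, entry):
        return False
    depth = len(entry) - len(root)                 # base itself is depth 0
    if depth < spec.get("minimum", 0):
        return False
    maximum = spec.get("maximum")
    if maximum is not None and depth > maximum:
        return False
    # Specific exclusions are named relative to the base, just as the base
    # is named relative to the AP.
    for rel in spec.get("chopBefore", ()):         # drops entry and subtree
        if is_at_or_below(root + dn_parse(rel), entry):
            return False
    for rel in spec.get("chopAfter", ()):          # keeps entry, drops subtree
        excluded = root + dn_parse(rel)
        if entry != excluded and is_at_or_below(excluded, entry):
            return False
    return True

if __name__ == "__main__":
    # prescriptiveACI: the AP is the subentry's parent, base is relative.
    spec = {"base": "ou=users", "minimum": 1, "chopBefore": ["ou=contractors"]}
    print(in_subtree(spec, "ou=system", "uid=alice,ou=users,ou=system"))  # True
    # entryACI with the root DSE as AP: same subtree, base now absolute.
    spec_root = {"base": "ou=users,ou=system", "minimum": 1}
    print(in_subtree(spec_root, "", "uid=alice,ou=users,ou=system"))      # True
    print(in_subtree(spec_root, "", "uid=bob,ou=people,dc=example,dc=com"))  # False
```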
