directory-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Alex Karasulu <>
Subject Re: [ApacheDS] Operation scope
Date Mon, 26 Sep 2005 18:11:37 GMT
Marc Boorshtein wrote:

> Actually it does, but not in a "direct" way.  I've seen the draft 
> model used with dynamic groups which would allow the same functionality.
Can you elaborate some more on this?  Also I think we do have group 
membership as a factor in determining ACI evaluation.  However this is 
not the same as using dynamic groups.

I guess a dynamic group is modeled as a filter and this filter exerts an 
assertion on an attribute's value within an entry to determine inclusion 
within a group.


> On 9/26/05, *Alex Karasulu* < 
> <>> wrote:
>     Trustin Lee wrote:
>     > I forgot to mention that it would be simpler to merge two operation
>     > scopes (attributeType and attributeValue) into one (attribute) so we
>     > have only two operation scopes (entry and attribute).  I don't
>     see any
>     > problem with this simplification for LDAP.  WDYT?
>     Yes I think we can make this simplification.  I looked to see if this
>     draft here has done the same though:
>     I could not see any ACI which limited operations based on the value of
>     an attribute.  This is perhaps an example where X.500 goes way beyond
>     what is necessary.
>     In either case I think the best philosophy for us is to take what we
>     initially is the best of X.500 and this draft to come out with a
>     working
>     implementation.  Let's start using it and having our users use
>     it.  Get
>     feedback from them and start compiling a set of use cases which users
>     want/need which our implementation does not provide.  Then we can go
>     back and easily add this functionality.
>     Over time we're going to find out what the optimal ACI descriptor
>     really is.
>     Alex

View raw message