directory-dev mailing list archives

From Marc Boorshtein <>
Subject Re: [ApacheDS] Another failed draft on access control
Date Sun, 18 Sep 2005 16:32:38 GMT
Well, Octet String doesn't handle sub-entries (at least not in the X500 or
ApacheDS sense). It's a virtual directory and so does not store any data
locally (unless explicitly through the local store adapter). ACLs are
implemented as a flat file (a file of ACIs in the 2.X series and an XML
representation in the 3.X series) that is loaded on system startup. This
allowed for VDE to act without things like replication and backups. As for
how close to the draft it is, it's fairly close, but has added some
extensions that allow for some more flexibility.

On 9/18/05, Alex Karasulu <> wrote:
> Marc Boorshtein wrote:
> > Just as an FYI, this is the model that Octet String's ACLs are based
> > on (I think there are a few additions) and it's worked quite well for
> > them.
> Yes I figured this re: the implementation of [0]. Actually I was
> looking at the version of Octet String (OS) embedded within the BEA
> Weblogic server and discovered that this specification was implemented.
> According to [0] though it looks as though a subentry is used but it's
> not a full subentry in the sense that it does not leverage a subtree
> specification as defined in [1]. Instead this draft presumes two kinds
> of ACI's: entryACI and subtreeACI. Makes sense though since this draft
> expired before [1] was ever proposed as a draft. The subtreeACI has a
> DN similar to the base of a subtree specification. It represents the
> subtree below that DN as far as I can gather. There is no chop
> component as I can see after a brief look.
> Does the Octet String server implement subentries as defined in [1] for
> this purpose? Or does the server strictly follow this draft: [0]?
> [0]
> [1]
