directory-dev mailing list archives

From Ersin Er <ersin...@gmail.com>
Subject Re: Auxiliary objectClasses for specific subentries
Date Tue, 06 Jun 2006 10:55:18 GMT
Alex Karasulu wrote:
> Ersin Er wrote:
>
>   
>> Hi all,
>>
>> I was looking at X.501 specification, section 14.5 about "System
>> schema supporting access control". It says:
>>
>> If a subentry contains prescriptive access control information, then
>> its objectClass attribute shall contain the value
>> accessControlSubentry:
>>
>>     accessControlSubentry OBJECT-CLASS ::= {
>>         KIND auxiliary
>>         ID id-sc-accessControlSubentry }
>>
>> A subentry of this object class shall contain precisely one
>> prescriptive ACI attribute of a type consistent with the value of
>> the id-sc-accessControlScheme attribute of the corresponding access
>> control specific point.
>>
>> My question is: what's the point of /not having/ an attribute
>> specifier in the objectClass definition like this:
>>
>>     accessControlSubentry OBJECT-CLASS ::= {
>>         KIND auxiliary
>>         ID id-sc-accessControlSubentry
>>         MUST CONTAIN {prescriptiveACI} }
>> ?
>>     
>
> Hmmm this is odd.
>
> I think they may be allowing for flexibility to have the access control
> scheme use its own attribute type for the prescriptiveACI.  So perhaps
> scheme xyz may use attribute abc for the prescriptiveACI attribute with
> its own syntax.
>   
Yeah, this was also my guess, which does not make much sense still.
> The problem here is that different schemes will introduce different
> syntaxes for defining a prescriptiveACI right?
Right. Prescriptive ACI syntax depends on the scheme. (Which I had 
mentioned in another mail. Had asked why we do not have 
accessControlScheme. Waiting for reply ;-) )
> So then the auxiliary
> objectClass should not constrain the use of a specific attribute for the
> prescriptive aci. Meaning prescriptiveACI is specific to the basic
> accessControlScheme so we cannot require it for all schemes.
>   
Yeah, prescriptiveACI is specific to Basic Access Control as the 
accessControlScheme. However there still are gaps in my mind.
> HTH,
> Alex
Thanks for the reply.

-- 
Ersin
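
Added example, not part of the original message and not ApacheDS code: a sketch of the check the quoted X.501 text implies, showing that it depends on the accessControlScheme of a different entry (the access control specific point), which a static MUST CONTAIN clause cannot express. Assumptions: the dict-based entry model, the function name, counting "precisely one" by attribute type rather than by value, and the "xyz"/"abc" pairing, which is the hypothetical from the thread.

```python
# Scheme -> prescriptive ACI attribute type. The first pairing is the one the
# thread states; the second is the thread's hypothetical "scheme xyz / attribute abc".
ACI_ATTR_BY_SCHEME = {
    "basicAccessControlScheme": "prescriptiveACI",
    "xyz": "abc",
}
ACI_ATTRS = set(ACI_ATTR_BY_SCHEME.values())

# Constructed sample subentry (attribute type -> list of values).
SAMPLE = {
    "objectClass": ["subentry", "accessControlSubentry"],
    "prescriptiveACI": ["<constructed ACIItem value>"],
}


def check_subentry(subentry, point_scheme):
    """Return a list of violations of the quoted X.501 section 14.5 rule.

    point_scheme is the accessControlScheme value held by the corresponding
    access control specific point, i.e. data outside the subentry itself.
    """
    problems = []
    classes = set(subentry.get("objectClass", []))
    present = sorted(a for a in ACI_ATTRS if subentry.get(a))
    is_ac = "accessControlSubentry" in classes

    # "If a subentry contains prescriptive access control information,
    # then its objectClass attribute shall contain accessControlSubentry."
    if present and not is_ac:
        problems.append("carries ACI but objectClass lacks accessControlSubentry")

    # "... shall contain precisely one prescriptive ACI attribute of a type
    # consistent with the value of the accessControlScheme attribute ..."
    if is_ac:
        expected = ACI_ATTR_BY_SCHEME.get(point_scheme)
        if expected is None:
            problems.append(f"unknown scheme {point_scheme!r}")
        elif len(present) != 1:
            problems.append(f"expected exactly one ACI attribute, found {present}")
        elif present[0] != expected:
            problems.append(f"{present[0]} is not consistent with scheme {point_scheme}")
    return problems


if __name__ == "__main__":
    print(check_subentry(SAMPLE, "basicAccessControlScheme"))
    print(check_subentry(SAMPLE, "xyz"))
```

The same subentry passes or fails depending only on the scheme argument, which is why the object class itself cannot name the required attribute.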

