directory-dev mailing list archives

From Alex Karasulu <aok...@bellsouth.net>
Subject Re: Auxiliary objectClasses for specific subentries
Date Tue, 06 Jun 2006 14:50:55 GMT
Ersin Er wrote:

> Hi all,
>
> I was looking at the X.501 specification, section 14.5 about "System
> schema supporting access control". It says:
>
> If a subentry contains prescriptive access control information, then
> its objectClass attribute shall contain the value
> accessControlSubentry:
>
>     accessControlSubentry OBJECT-CLASS ::= {
>         KIND auxiliary
>         ID id-sc-accessControlSubentry }
>
> A subentry of this object class shall contain precisely one
> prescriptive ACI attribute of a type consistent with the value of
> the id-sc-accessControlScheme attribute of the corresponding access
> control specific point.
>
> My question is: what's the point of /not having/ an attribute
> specifier in the objectClass definition like this:
>
>     accessControlSubentry OBJECT-CLASS ::= {
>         KIND auxiliary
>         ID id-sc-accessControlSubentry
>         MUST CONTAIN {prescriptiveACI} }
> ?

Hmmm this is odd.

I think they may be allowing for flexibility to have the access control
scheme use its own attribute type for the prescriptiveACI.  So perhaps
scheme xyz may use attribute abc for the prescriptiveACI attribute with
its own syntax.

The problem here is that different schemes will introduce different
syntaxes for defining a prescriptiveACI right?  So then the auxiliary
objectClass should not constrain the use of a specific attribute for the
prescriptive aci.  Meaning prescriptiveACI is specific to the basic
accessControlScheme so we cannot require it for all schemes.

HTH,
Alex
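
The rule discussed in this message, written as a check that runs outside the objectClass definition (an added example, not part of the original message or of any directory server's code). The scheme labels, the `SCHEME_ACI_ATTRIBUTE` table, the `check_subentry` helper and the sample subentries are assumptions made for illustration; `xyz` and `abc` are the hypothetical scheme and attribute named in the reply.

```python
# Constructed mapping: access control scheme -> its prescriptive ACI attribute type.
SCHEME_ACI_ATTRIBUTE = {
    "basic-access-control": "prescriptiveACI",
    "xyz": "abc",  # hypothetical scheme/attribute pair from the reply
}

def check_subentry(subentry, scheme):
    """Return a list of violations of the quoted X.501 14.5 rule for one subentry.

    subentry: dict of attribute name -> list of values (names are case-insensitive).
    scheme:   the scheme in force at the access control specific point.
    """
    if scheme not in SCHEME_ACI_ATTRIBUTE:
        return [f"unknown access control scheme: {scheme}"]
    expected = SCHEME_ACI_ATTRIBUTE[scheme]
    attrs = {name.lower(): values for name, values in subentry.items()}
    classes = {v.lower() for v in attrs.get("objectclass", [])}
    known = {a.lower(): a for a in SCHEME_ACI_ATTRIBUTE.values()}
    # Every prescriptive ACI attribute type (of any scheme) that carries values.
    present = sorted(known[a] for a in attrs if a in known and attrs[a])
    has_class = "accesscontrolsubentry" in classes

    problems = []
    if present and not has_class:
        problems.append("prescriptive ACI present but objectClass lacks accessControlSubentry")
    if has_class and len(present) != 1:
        problems.append(f"expected precisely one prescriptive ACI attribute, found {present}")
    elif len(present) == 1 and present[0] != expected:
        problems.append(f"{present[0]} is not consistent with scheme {scheme} (expects {expected})")
    return problems

# Constructed sample subentries; the ACI values are placeholders, not real ACIItems.
BASIC_OK = {"objectClass": ["subentry", "accessControlSubentry"],
            "prescriptiveACI": ["<constructed ACIItem>"]}
XYZ_OK = {"objectClass": ["subentry", "accessControlSubentry"],
          "abc": ["<constructed xyz rule>"]}
NO_CLASS = {"objectClass": ["subentry"],
            "prescriptiveACI": ["<constructed ACIItem>"]}
EMPTY = {"objectClass": ["subentry", "accessControlSubentry"]}

if __name__ == "__main__":
    for name, entry, scheme in [("BASIC_OK", BASIC_OK, "basic-access-control"),
                                ("XYZ_OK", XYZ_OK, "xyz"),
                                ("BASIC_OK under xyz", BASIC_OK, "xyz"),
                                ("NO_CLASS", NO_CLASS, "basic-access-control"),
                                ("EMPTY", EMPTY, "basic-access-control")]:
        print(name, "->", check_subentry(entry, scheme) or "ok")
```

The same subentry passes under one scheme and fails under another, which is why a fixed `MUST CONTAIN {prescriptiveACI}` in the auxiliary class could not express the constraint.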

