Return-Path: Delivered-To: apmail-directory-dev-archive@www.apache.org Received: (qmail 14858 invoked from network); 6 Jun 2006 11:01:14 -0000 Received: from hermes.apache.org (HELO mail.apache.org) (209.237.227.199) by minotaur.apache.org with SMTP; 6 Jun 2006 11:01:14 -0000 Received: (qmail 38521 invoked by uid 500); 6 Jun 2006 11:01:13 -0000 Delivered-To: apmail-directory-dev-archive@directory.apache.org Received: (qmail 38477 invoked by uid 500); 6 Jun 2006 11:01:13 -0000 Mailing-List: contact dev-help@directory.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: "Apache Directory Developers List" Delivered-To: mailing list dev@directory.apache.org Received: (qmail 38466 invoked by uid 99); 6 Jun 2006 11:01:13 -0000 Received: from asf.osuosl.org (HELO asf.osuosl.org) (140.211.166.49) by apache.org (qpsmtpd/0.29) with ESMTP; Tue, 06 Jun 2006 04:01:13 -0700 X-ASF-Spam-Status: No, hits=3.4 required=10.0 tests=DATE_IN_FUTURE_03_06,DNS_FROM_RFC_POST,SPF_PASS X-Spam-Check-By: apache.org Received-SPF: pass (asf.osuosl.org: domain of aok123@bellsouth.net designates 205.152.59.64 as permitted sender) Received: from [205.152.59.64] (HELO imf16aec.mail.bellsouth.net) (205.152.59.64) by apache.org (qpsmtpd/0.29) with ESMTP; Tue, 06 Jun 2006 04:01:12 -0700 Received: from ibm56aec.bellsouth.net ([65.80.200.112]) by imf16aec.mail.bellsouth.net with ESMTP id <20060606110051.VPTP9760.imf16aec.mail.bellsouth.net@ibm56aec.bellsouth.net> for ; Tue, 6 Jun 2006 07:00:51 -0400 Received: from [172.16.1.39] (really [65.80.200.112]) by ibm56aec.bellsouth.net with ESMTP id <20060606110051.NNIO1096.ibm56aec.bellsouth.net@[172.16.1.39]> for ; Tue, 6 Jun 2006 07:00:51 -0400 Message-ID: <4485989E.1020100@bellsouth.net> Date: Tue, 06 Jun 2006 11:00:46 -0400 From: Alex Karasulu User-Agent: Mozilla Thunderbird 1.0.8 (X11/20060502) X-Accept-Language: en-us, en MIME-Version: 1.0 To: Apache Directory Developers List Subject: Re: Auxiliary objectClasses for specific subentries References: <448539CB.2080207@gmail.com> <4485964F.7050908@bellsouth.net> <44855F16.4010001@gmail.com> In-Reply-To: <44855F16.4010001@gmail.com> Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 7bit X-Virus-Checked: Checked by ClamAV on apache.org X-Spam-Rating: minotaur.apache.org 1.6.2 0/1000/N Ersin Er wrote: > Alex Karasulu wrote: > >> Ersin Er wrote: >> >> >> >>> Hi all, >>> >>> I was looking at X.501 specification, section 14.5 about "System >>> schema supporting access control". It says:/ >>> >>> If a subentry contains prescriptive access control information, then >>> its objectClass attribute shall contain the value >>> accessControlSubentry: >>> >>> accessControlSubentry OBJECT-CLASS ::= { >>> KIND auxiliary >>> ID id-sc-accessControlSubentry } >>> >>> A subentry of this object class shall contain precisely one >>> prescriptive ACI attribute of a type consistent with the value of >>> the id-sc-accessControlScheme attribute of the corresponding access >>> control specific point. >>> >>> /My question is: what's the point of /not having/ an attribute >>> specifier in the objectClass definition like this: >>> >>> / accessControlSubentry OBJECT-CLASS ::= { >>> KIND auxiliary >>> ID id-sc-accessControlSubentry >>> MUST CONTAIN {prescriptiveACI} } >>> /? >>> >> >> >> Hmmm this is odd. >> >> I think they may be allowing for flexibility to have the access control >> scheme use it's own attribute type for the prescriptiveACI. So perhaps >> scheme xyz may use attribute abc for the prescriptiveACI atttribute with >> it's own syntax. >> > > Yeah, this was also my guess, which does not make much sense still. > >> The problem here is that different schemes will introduce different >> syntaxes for defining a prescriptiveACI right? > > Right. Prescriptive ACI syntax depends on the scheme. (WhichI had > mentioned in another mail. Had asked why we do not have > accessControlScheme. Waiting for reply ;-) ) Man I'm sorry. The response to this is we need it and I just forgot to add it. There is a jira on fixing this. >> So then the auxiliary >> objectClass should not constrain the use of a specific attribute for the >> prescriptive aci. Meaning prescriptiveACI is specific to the basic >> accessControlScheme so we cannot require it for all schemes. >> > > Yeah, prescriptiveACI is specific to Basis Access Control as the > accessControlScheme. However there still are gaps in my mind. Well this is why these guys did it the way they did IMO. They did not include this prescriptiveACI atttribute int the objectClass' must list because it would tie the implementation to the syntax of the basic access control scheme. Alex