directory-dev mailing list archives

From Stefan Seelmann <>
Subject Re: [ApacheDS][Core] About the "extended" subtree specifications w.r.t. several ACI components
Date Fri, 06 Apr 2007 17:33:19 GMT
Ersin, thanks for the clear explanation.

As you are our ACI expert, could you please test the current version of
the ACI editor and give PAM and me some feedback?

Here is a Confluence page with the implemented and missing features:


Ersin Er wrote:
> Hi all,
> As PAM and Stefan are close to finishing the ACI editor, they have
> asked me a few questions about the "extended" subtree specification I
> introduced in 1.5. Although I have explained these changes on JIRA and
> IRC, I wanted to record them here on the list also.
> What we did in 1.5 branch about Subentries and subtreeSpecifications
> in particular is allowing regular LDAP filters to be used in the
> specification instead of refinements. Refinements can only be used to
> specify boolean combinations of object classes. However it is obvious
> that in this new "flat" directory world, people would like to "select"
> portions of the DIT via any entry attributes as well as objectClass.
> So people would like to be able to specify a set of entries to protect
> via ACIs not only saying "those persons (according to objectClass
> attribute)" but also saying "those persons who are from X department
> (according to some user attribute)". This is what we provided.
> So, now, regarding subtreeSpecification related components in ACIs.
> They have not been affected by this change because they cannot be and
> we did not want also. There are two components that may come to mind
> about this change. First is the "classes" protected item and the
> second one is "subtree" user class. The "classes" protected item has
> the refinement syntax and it is really used for specifying a boolean
> combination of object classes. It can never include regular attributes
> other than object class values. So it does not have to support the
> LDAP filter syntax. The "subtree" user class, although it has
> subtreeSpecification syntax (particularly), it does not even support
> refinements; so there is nothing to be replaced with ldap filters.
> I hope it's clear.
