On Fri, Jul 23, 2010 at 00:55, Emmanuel Lecharny wrote:

going deeper and deeper...

We currently don't make any difference between AAA and IAA (Autonomous Administrative Area and Inner Administrative Area). This is a problem as it's not in line with the RFCs and it poses a number of issues as all the subentries are then cumulative (except if chopAfter exclusions are used, but this is only a workaround).

For those of you who don't have any background on what AAA and IAA are and what they do, it's quite easy:
- AAA defines an area in the DIT starting at an AP (AdministrativePoint) and going down the tree until we meet leaves or another AAP (Autonomous AP). The consequence is that if two AAA are defined in the same hierarchy, one below the other, they don't collide, and their respective subentries don't apply to anything but their own area.

(In the real world, it would be as if a manager gives orders to all its subordinates, but if one of those subordinates is also a manager, then the top manager delegates everything to this manager, which may have totally different rules.)

- IAA defines an area that can be included into another area (either AAA or IAA), but their limits are the limits of their encapsulating AAA (i.e., the area defined in an IAA is limited by the leaves or another AAA). The biggest difference is that subentries are cumulative: the IAA associated subentries are applied together with the encapsulating IAA or AAA.

(In the real world, this IAA represents a lower manager which has its own rules to manage its people, but those people are also subject to the top manager rules... Sad world where the lower you are, the more rules you have to follow :)

So we don't support neither IAA nor AAA, all the areas we define are IAA.

I think that we should implement both, to be fully compliant, assuming that it will clarify a lot of things...

Emmanuel Lécharny

Ersin ER
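
The scoping rule described in the message above, as an added example that is not part of the original post and is not ApacheDS code: it resolves which subentries govern an entry when autonomous and inner administrative points are nested, and contrasts that with the "every area is inner" behaviour the message reports. The DIT, the subentry names and the function names are constructed; subtree specifications (such as chopAfter) are ignored, DNs are assumed to contain no escaped commas, and an administrative point is assumed to belong to its own area.

```python
# Added illustration, not ApacheDS code. Sample DIT and names are constructed.
AUTONOMOUS, INNER = "autonomous", "inner"

# Administrative points: DN -> (role, subentries attached below that AP).
SAMPLE_APS = {
    "dc=example": (AUTONOMOUS, ["top-rules"]),
    "ou=sales,dc=example": (INNER, ["sales-rules"]),
    "ou=lab,dc=example": (AUTONOMOUS, ["lab-rules"]),
    "ou=test,ou=lab,dc=example": (INNER, ["test-rules"]),
}


def ancestors_and_self(dn):
    """Yield the DN itself, then each ancestor, nearest first."""
    rdns = [rdn.strip().lower() for rdn in dn.split(",")]
    for i in range(len(rdns)):
        yield ",".join(rdns[i:])


def effective_subentries(dn, aps, all_inner=False):
    """Return the subentries that apply to dn, outermost area first.

    Walking up from the entry, every inner AP contributes its subentries
    (cumulative). The first autonomous AP met also contributes, then the
    walk stops: nothing above an autonomous AP reaches into its area.
    With all_inner=True every AP is treated as inner, which models the
    behaviour the message describes as the current state.
    """
    collected = []
    for node in ancestors_and_self(dn):
        if node not in aps:
            continue
        role, subentries = aps[node]
        collected.append(subentries)
        if role == AUTONOMOUS and not all_inner:
            break  # boundary of the enclosing autonomous area
    return [name for group in reversed(collected) for name in group]


if __name__ == "__main__":
    for entry in ("cn=bob,ou=sales,dc=example",
                  "cn=eve,ou=test,ou=lab,dc=example"):
        print(entry)
        print("  AAA/IAA distinguished:", effective_subentries(entry, SAMPLE_APS))
        print("  all areas inner:      ",
              effective_subentries(entry, SAMPLE_APS, all_inner=True))
```

For the entry under `ou=test,ou=lab`, the second mode also pulls in `top-rules`, which is the unintended accumulation the message attributes to treating every area as inner.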