RE: LDAP subentry alignment with X.500 subentry
No worries - but the real issue to me is an administrative plane in a
directory for schema, collectives, security, aci, etc means that these
entries can be partitioned into their own regime - in that there is
administrative security applied to these entries and they get named
separately from the "user entry plane".. i.e. does the ACI on ORG x get its ACI
properties from a management plane of named entries (which have their own
ACI regime - distinct from the user ACI regime ) or are they coupled because
it all exists as one compound entry.
There are five aspects to ACI..that is coupled to the User authentication
process.. these are
The Name Space
The Object Class of the entry
The attribute type/value within OC/entry
and the Time the operation is allowed.
Given that very strong ACI code (in terms of vetting) can be applied to the
directory operation and name space of the entry and its OC. Having named
subentries for management is a much more trustworthy approach than compound
OCs that exist under a User "named" DIT. In addition if entries are renamed
because of business, service and user changes, it may mean the ACI
management model has to be recalculated re its security. Whereas the named
entry for management - admin model is still the ACI and schema reference
point in the directory.
Naturally this discussion can be lengthy - but one area that one looks at in
military security - is "separation of duty" - and how operations that change
one thing affect others.. An explicit "named" management and security
information model with its own privileges and ACI - to me is much better
than a compound one - that can be accidentally affected by such things as
user information name changes..
I hope this "helps"..
From: Rob Byrne - Sun Microsystems [mailto:Robert.Byrne@xxxxxxxxxxxxxx]
Sent: Monday, July 10, 2000 7:50 PM
To: Lloyd, Alan
Cc: steven.legg@xxxxxxxxxxxxx; 'Mark C Smith'; 'Kurt D. Zeilenga';
ietf-ldapext@xxxxxxxxxxxx; ietf-ldup@xxxxxxx; 'Ed Reed'
Subject: Re: LDAP subentry alignment with X.500 subentry
Thanks for that...but I think I was not precise enough in my question.
The current proposal for ldapACI does put them in entries but they come with
built in scope rule, which can be "subtree". So, I suppose my question is
rather, "apart from leveraging the scoping rule of subentries what is the
plus we get from putting acis into subentries ?".
"Lloyd, Alan" wrote:
> The reason for ACI in subentries is that one can support the nested
> directory admin model and make domain based ACI decisions over distributed
> (X.500) DSAs. Whereas entry level ACI - may let a user do operations on
> directory using the directory resources only to find they are denied to do
> these at the entry level (and on millions of other entries.. ie entry
> ACI is easy to implement - but a really bad way of working in terms of
> level resource protection, large scale protected distributed systems - and
> operationally hard to configure and manage..
> ie. configuring entry level ACI for millions of entries - across many
> servers - at the entry level takes time ... This process is also open to
> having errors introduced where back door holes might be the result of
> If one adopts admin points and rules based configuration and deals with
> large scale distributed directory entries - then the nested admin model is
> best - simply because it does scale and is easier to operate with rules -
> This approach also aligns with conventional management models used by
> business ie top down. If an entry level aci is used - one must consider
> cost to configure and test, the use of directory resource before making
> actual ACI decision, the hierarchy of entries, their denials and
> and any alias dereferencing...
> as an example - say one has a distributed directory with 250 million
> in it and one wanted to apply a new rule for a new set of users and
> services - for each entry... if an entry takes even half a minute to
> configure.. the job will be a life time career...
> regards alan
> However, I would also like to see a discussion of why we should put acis
> into subentries rather than just store them as ldapACI attributes in
> entries. What are the pros and cons ?
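The nested administrative model the thread argues over, as an added illustration that is not code from the list, from X.500 or from any product: a toy DIT with an outer administrative point (o=acme) and an inner one (ou=hr), each holding subentry ACI rules that govern its subtree, plus a count of how many per-entry ACI values an entry-level model would need to express the same policy. The DIT, the requestor name "cn=auditor" and the rule format are constructed for the example.

```python
from dataclasses import dataclass, field

@dataclass
class Aci:
    user: str           # requestor DN the rule applies to
    object_class: str   # "*" or an object class the target entry must carry
    operation: str      # "read" / "modify"
    grant: bool

@dataclass
class Entry:
    object_classes: set
    admin_point: bool = False                      # owns subentries scoped to its subtree
    subentries: list = field(default_factory=list)  # constructed ACI rules

def ancestors(dn):
    """Yield dn itself, then each ancestor DN (RDNs are split on ',')."""
    rdns = dn.split(",")
    for i in range(len(rdns)):
        yield ",".join(rdns[i:])

def decide(dit, target_dn, user, op):
    """Nested admin model: the nearest administrative point above the target
    governs it; its subentry rules are matched against the target's object
    classes. No matching rule, or no admin point at all, means deny."""
    target = dit[target_dn]
    for dn in ancestors(target_dn):
        e = dit.get(dn)
        if e is None or not e.admin_point:
            continue
        for r in e.subentries:
            if (r.user, r.operation) == (user, op) and \
               r.object_class in ("*", *target.object_classes):
                return r.grant
        return False  # inner admin point reached, nothing matched
    return False

# Constructed toy DIT: o=acme grants the auditor read on person entries,
# the inner admin point ou=hr overrides that with a denial for its subtree.
DIT = {
    "o=acme": Entry({"organization"}, True,
                    [Aci("cn=auditor", "person", "read", True)]),
    "ou=sales,o=acme": Entry({"organizationalUnit"}),
    "ou=hr,o=acme": Entry({"organizationalUnit"}, True,
                          [Aci("cn=auditor", "person", "read", False)]),
}
for i in range(1000):
    DIT[f"cn=s{i},ou=sales,o=acme"] = Entry({"person"})
    DIT[f"cn=h{i},ou=hr,o=acme"] = Entry({"person"})

def rule_count(dit):
    """Subentry rules configured, versus the per-entry ACI values an
    entry-level model would need to state the same policy for every person."""
    sub = sum(len(e.subentries) for e in dit.values())
    per_entry = sum(1 for e in dit.values() if "person" in e.object_classes)
    return sub, per_entry
```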