Re: LDAPv3 Replication Access Control Design Team Report
At 12:32 PM 2002-09-12, Timothy Hahn wrote:
>With respect to your comment:
>
>"Likewise, a standard framework for non-standard ACMs, by itself, is not
>sufficient."
>
>I have to ask: Why not?
Because, like a standard ACM, any common non-standard ACM would
also depend on identity management and other security services.
>But it seems to me that for "replication", we're clearly talking about LDAP
>"server"s communicating with one another, with the intent that if a
>"client" lands on any one of those "replicating" servers, that the results
>of their query will be the SAME (modulo the "eventual convergence" issues
>of course).
That's one of many uses. Another use is replicating information
between enterprises under some agreement. This agreement can
allow each enterprise to define its own access control policy
(for access to the replicated information in that enterprise).
Another is where one uses two LCUP to replicate information
between an internal-use-only server and a publicly-accessible
server.
For security reasons, it may be inappropriate to replicate
access control information between servers!
>How can such a thing be provided unless the same access
>control semantics are applied (with respect to the information replicated)?
By divorcing itself from those semantics!
Kurt