Re: LDAPv3 Replication Access Control Design Team Report
At 06:23 AM 2002-09-13, John McMeeking wrote:
>It's been a while since I've dabbled in "necessary and sufficient" ;-)
>
>I'll grant that replication of access control attributes (or other policy
>information) is not "sufficient" to ensure equivalent enforcement of that
>policy on different servers, though in some cases (perhaps quite common),
>it will be sufficient. You earlier referenced a note that explained that
>quite well.
>
>Replication of access control information (where the specific scheme has
>any attributes to replicate) is, however, "necessary."

But is it necessary for LDUP to have any understanding that the
attributes to replicate hold access control information? Is
it not sufficient to provide a means to transfer operational
information where the administrator has stated, in the replication
agreement, that this information should be transferred?

Is it not necessary, for security and other reasons, to not only
allow the administrator to control which user application attributes
are transferred, but to control which operational attributes
are transferred?

Why wouldn't these controls be insufficient for controlling
the transfer of access control information?

Kurt