Marc Boorshtein wrote:
Just as an FYI, this is the model that Octet String's ACLs are based on (I think there are a few additions) and it's worked quite well for them.
Yes, I figured this re: the implementation of [0]. Actually I was looking at the version of Octet String (OS) embedded within the BEA WebLogic server and discovered that this specification was implemented.
According to [0] though it looks as though a subentry is used but it's not a full subentry in the sense that it does not leverage a subtree specification as defined in [1]. Instead this draft presumes two kinds of ACIs: entryACI and subtreeACI. Makes sense though since this draft expired before [1] was ever proposed as a draft. The subtreeACI has a DN similar to the base of a subtree specification. It represents the subtree below that DN as far as I can gather. There is no chop component as I can see after a brief look.
Does the Octet String server implement subentries as defined in [1] for this purpose? Or does the server strictly follow this draft: [0]?
[0] http://www.ietf.org/proceedings/01aug/I-D/draft-ietf-ldapext-acl-model-08.txt
[1] http://rfc3672.x42.com/
