Well, Octet String doesn't handle sub-entries (at least not in the X500 or ApacheDS sense).  It's a virtual directory and so does not store any data locally (unless explicitly through the local store adapter).  ACLs are implemented as a flat file (a file of ACIs in the 2.X series and an XML representation in the 3.X series) that is loaded on system startup.  This allowed for VDE to act without things like replication and backups.  As for how close to the draft it is, it's fairly close, but has added some extensions that allow for some more flexibility.


On 9/18/05, Alex Karasulu <[EMAIL PROTECTED]> wrote:
Marc Boorshtein wrote:

> Just as an FYI, this is the model that Octet String's ACLs are based
> on (I think there are a few additions) and it's worked quite well for
> them.

Yes I figured this re: the implementation of [0].  Actually I was
looking at the version of Octet String (OS) embedded within the BEA
Weblogic server and discovered that this specification was implemented.

According to [0] though it looks as though a subentry is used but it's
not a full subentry in the sense that it does not leverage a subtree
specification as defined in [1].  Instead this draft presumes two kinds
of ACIs: entryACI and subtreeACI.  Makes sense though since this draft
expired before [1] was ever proposed as a draft.  The subtreeACI has a
DN similar to the base of a subtree specification.  It represents the
subtree below that DN as far as I can gather.  There is no chop
component as I can see after a brief look.

Does the Octet String server implement subentries as defined in [1] for
this purpose?  Or does the server strictly follow this draft: [0]?

[0]
http://www.ietf.org/proceedings/01aug/I-D/draft-ietf-ldapext-acl-model-08.txt
[1] http://rfc3672.x42.com/


