Trustin Lee wrote:
2005/9/24, Alex Karasulu <[EMAIL PROTECTED]>:
> Now I see that we can get apDN easily in case of prescriptiveACI
> because it is an attribute of subentry. But what about entryACI? How
> can I find an appropriate administrative point?
Question is does this evaluation apply? Do you need an AP at all to
evaluate for an entryACI?
There is a userClass called 'subtree'. It specifies users that belong to
the specified subtree. The problem is that 'subtree' userClass
specifies only subtreeSpecifications. How can I evaluate them whether
the current user DN belongs to the subtree or not without knowing apDN?
So... I thought we might have to assume that there's only one
administrative point for users, 'ou=users, ou=system'. But I'm not
sure this is a right choice.
Yeah this is not a good presumption to make. The users can really go
anywhere. We are just using this container as a convention.
The problem as I understand it is that the subtreeSpecification is
supposed to select a set of users that can perform some operation on a
target entry. The ACIItem that contains this userClass can be
prescriptiveACI or entryACI. A subtreeSpecification is all you have
and the base of it is relative so how do you start evaluating a candidate
without an AP DN?
For this special case I would presume the base, relative name, of the
subtreeSpecification is really a DN. In other words the empty DN, the
RootDSE, is the Administrative Point.
The X.501 specifications really did a poor job with this userClass.
It's clearly a flaw in the spec.
Alex
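
The evaluation problem discussed in this thread, as an added example that is not part of the original message or of the ApacheDS code base: the same relative subtreeSpecification base selects a different set of users depending on which administrative point it is resolved against, and with the empty DN as the AP the base has to be written as a full DN. The function names and sample DNs are hypothetical, DN parsing is simplified (no multi-valued RDNs or quoting, case-insensitive comparison assumed), and specificExclusions and specificationFilter are left out.

```python
import re

def parse_dn(dn):
    """Split a DN string into normalized (attr, value) RDNs, leaf first.

    Simplified for illustration: splits on unescaped commas only.
    An empty string is the empty DN (the RootDSE) and yields [].
    """
    if not dn.strip():
        return []
    rdns = []
    for part in re.split(r'(?<!\\),', dn):
        attr, _, value = part.partition('=')
        rdns.append((attr.strip().lower(), value.strip().lower()))
    return rdns

def in_subtree(user_dn, ap_dn, base="", minimum=0, maximum=None):
    """Return True if user_dn is selected by a subtreeSpecification.

    base is relative to ap_dn, so the absolute base of the subtree is
    the base RDNs followed by the administrative point's RDNs.
    minimum/maximum bound the depth of the user entry below that base.
    """
    user = parse_dn(user_dn)
    root = parse_dn(base) + parse_dn(ap_dn)
    if len(user) < len(root):
        return False
    # The user DN must end with the absolute base (empty root matches all).
    if root and user[-len(root):] != root:
        return False
    depth = len(user) - len(root)
    if depth < minimum:
        return False
    if maximum is not None and depth > maximum:
        return False
    return True

if __name__ == "__main__":
    user = "uid=alice,ou=users,ou=system"  # constructed sample DN
    # Base resolved against an assumed AP of ou=system: user is selected.
    print(in_subtree(user, "ou=system", base="ou=users"))
    # Same relative base with the empty DN as AP: no longer selected.
    print(in_subtree(user, "", base="ou=users"))
    # Empty DN as AP, base written as a full DN: selected again.
    print(in_subtree(user, "", base="ou=users, ou=system"))
```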