Hi,
going deeper and deeper...
We currently don't make any difference between AAA and IAA (Autonomous
Administrative Area and Inner Administrative Area). This is a problem as
it's not in line with the RFCs and it poses a number of issues as all the
subentries are then cumulative (except if chopAfter exclusions are
used, but this is only a workaround).
For those of you who don't have any background on what AAA and IAA are
and what they do, it's quite easy:
- AAA defines an area in the DIT starting at an AP (AdministrativePoint)
and going down the tree until we meet leaves or another AAP
(Autonomous AP). The consequence is that if two AAAs are defined in the
same hierarchy, one below the other, they don't collide, and their
respective subentries don't apply to anything but their own area.
(In the real world, it would be as if a manager gives orders to all his
subordinates, but if one of those subordinates is also a manager, then
the top manager delegates everything to this manager, who may have
totally different rules.)
- IAA defines an area that can be included into another area (either AAA
or IAA), but its limits are the limits of its encapsulating AAA (i.e.,
the area defined in an IAA is limited by the leaves or another AAA). The
biggest difference is that subentries are cumulative: the IAA
associated subentries are applied together with the encapsulating IAA or
AAA.
(In the real world, this IAA represents a lower manager who has his own
rules to manage his people, but those people are also subject to the
top manager rules... Sad world where the lower you are, the more rules
you have to follow :)
So we support neither IAA nor AAA, all the areas we define are IAA.
I think that we should implement both, to be fully compliant, assuming
that it will clarify a lot of things...
--
Regards,
Cordialement,
Emmanuel Lécharny
www.iktek.com
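
The scoping rules described in this message, as an added example that is not part of the original e-mail and is not ApacheDS code: it resolves which subentries govern an entry when AAA and IAA are distinguished, and when every area is treated as an IAA. The DNs, subentry names and the `honour_autonomous` switch are constructed for illustration; subtree specifications (chopAfter and the like) are ignored, so each subentry is assumed to cover its whole area.

```python
# Constructed sample: administrative points keyed by DN, each with a role
# ("AAA" autonomous or "IAA" inner) and the names of its subentries.
ADMIN_POINTS = {
    "dc=example,dc=com": ("AAA", ["cn=topRules"]),
    "ou=sales,dc=example,dc=com": ("IAA", ["cn=salesRules"]),
    "ou=emea,ou=sales,dc=example,dc=com": ("IAA", ["cn=emeaRules"]),
    "ou=lab,dc=example,dc=com": ("AAA", ["cn=labRules"]),
    "ou=test,ou=lab,dc=example,dc=com": ("IAA", ["cn=testRules"]),
}


def ancestors(dn):
    """Yield dn and each of its ancestors, nearest first (no escaped commas assumed)."""
    rdns = dn.split(",")
    for i in range(len(rdns)):
        yield ",".join(rdns[i:])


def applicable_subentries(dn, admin_points, honour_autonomous=True):
    """Return the subentries governing dn, outermost area first.

    Walks up from the entry: every IAA on the way contributes its subentries
    (cumulative), and the first AAA reached contributes its own and ends the
    walk, because an autonomous area takes nothing from the areas above it.
    With honour_autonomous=False every point is treated as an IAA, which is
    the all-cumulative behaviour the message describes.
    """
    collected = []
    for candidate in ancestors(dn):
        if candidate not in admin_points:
            continue
        role, subentries = admin_points[candidate]
        collected.append(subentries)
        if honour_autonomous and role == "AAA":
            break
    return [s for group in reversed(collected) for s in group]


if __name__ == "__main__":
    for entry in ("cn=bob,ou=emea,ou=sales,dc=example,dc=com",
                  "cn=rig,ou=test,ou=lab,dc=example,dc=com"):
        print(entry)
        print("  AAA/IAA distinguished:", applicable_subentries(entry, ADMIN_POINTS))
        print("  all treated as IAA:   ", applicable_subentries(entry, ADMIN_POINTS, False))
```

For the entry under `ou=lab`, the two modes differ only by `cn=topRules`: that is the subentry that leaks into a nested autonomous area when every area is cumulative.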