Re: Fwd: Brainstorming: Subentry subordinates and assigning an Administrative Area to
Ersin Er




 
12-21-06 12:11 AM

Hi Jim,

I am glad to reach some clarification, but it should also be
reflected in the draft. On the other side, in my (current) opinion, we
at Apache will go on with a more X.500-friendly way where all the
policy information is stored in a single attribute. So we can use
this syntax in both entryPasswordPolicy and prescriptivePasswordPolicy
attributes (like ACIItems in entryACI and prescriptiveACI attributes).

I had started a very preliminary page on our wiki here:
http://cwiki.apache.org/DIRxSRVx11/account-and-password-policy-management.html
In the following days we'll improve the scheme we propose and also we
can contribute to the RFC.

Best,

--
Ersin Er

On 12/20/06, Jim Sermersheim <jimse-Et1tbQHTxzrQT0dZR+AlfA@public.gmane.org> wrote:
>
>
> Ersin,
>
> Thanks for the feedback.
>
> On the first point, I imagine (though can't remember exactly) that it's a
> typo and we meant to say something like: "But password policies could also
> be in separate sub entries as long as they are contained under the same LDAP
> entry."  Meaning, one could have two or more subentries at the same
> administrative point in the tree.
>
> On the second point, your interpretation and clarifications are exactly what
> we had intended.  I can't speak for Ludo, but I'm happy to let you make
> edits to the document at re-publish.  Last time I edited it was 17 months
> ago 
> http://forgecvs1.novell.com/viewcvs...xx.xml?view=log
>
> Let me know if you're interested. If you are, make yourself a user account
> on forge.novell.com and I'll let you play with it (unless Ludo has some
> concern).
>
> Jim
> 
> Hi,
>
> I was reading your LDAP pwdPolicy draft and I shared some of my thoughts on
> it with ApacheDS developers list. Now I am also forwarding that e-mail to
> you. Although the e-mail contains a little ApacheDS-related stuff, can you
> please respond to my questions about the model you propose?
>
> Thanks in advance.
>
> ---------- Forwarded message ----------
> From: Ersin Er <ersin.er-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
> Date: Dec 17, 2006 12:20 PM
> Subject: Brainstorming: Subentry subordinates and assigning an
> Administrative Area to each user in the DIT
> To: Apache Directory Developers List <dev-aYN4UCa7k1r1N9kud6OZbmD2FQJk+8+b@public.gmane.org>
>
> Hi,
>
> I was just reading the draft: Password Policy for LDAP Directories [1]. It
> defines an auxiliary object class to define a set of password policy rules
> in an entry.
>
> What I was interested in is the administration of this policy object. A bulb
> appeared above my head telling me that this is a nice fit for the
> Administrative Model and I saw that the RFC also suggests the same thing.
> However, that is the weakest part of the RFC. Let me quote it:
>
> 
>
> The first thing I did not understand is the following sentence:
>
> 
>
> What is a "sub entry" and what does it mean being "under the same LDAP
> subentry"? Subentries cannot have any subordinates according to X.500. RFC
> 3672 does not say anything about this but having subentry subordinates may
> break the model. So do we need to allow something like this?
>
> Another point that is interesting is the following sentence:
>
> 
>
> Does that mean making each user entry an Administrative Point? This may make
> sense in certain situations: If your password policy object cannot be
> defined as a single attribute as the entryACI, then you need to store that
> information with separate attributes distributed in an entry. This is OK for
> subentries, but when you want to apply this policy to a single (user) entry,
> you will cause a clutter in that entry. So if you define a user entry as
> a Password Policy Administrative Point and if you put a
> passwordPolicySubentry (with policy attributes) subordinate to it with
> subtreeSpecification: { maximum 1 }, then you will achieve the
> effective-on-one-entry-and-still-multi-attribute scheme.
> Does this make sense for you?
>
> BTW, the sentence tells about "overwriting". For overwriting there is need
> for a precedence facility. Otherwise both the global pwdPolicy and the
> user-local pwdPolicy will apply to the entry. This is one of the problems I
> see about the specification.
>
> WDYT?
>
> [1]
> http://tools.ietf.org/html/draft-be...password-policy
>
> --
> Ersin Er
>
> --
> Ersin


--
Ersin
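
The overlap raised in the forwarded message, as an added example that is not part of the original thread: a simplified evaluation of subtreeSpecification (base, minimum, maximum) showing a subtree-wide password policy subentry and a per-user one both selecting the same entry, which is why a precedence rule is needed. The DNs, subentry names and helper functions are constructed for illustration and are not ApacheDS code or text from the draft.

```python
from dataclasses import dataclass
from typing import Optional


def rdns(dn):
    """Split a DN into lower-cased RDNs (simplified: no escaped commas)."""
    return [r.strip().lower() for r in dn.split(",") if r.strip()]


@dataclass(frozen=True)
class PolicySubentry:
    name: str                      # constructed subentry name
    admin_point: str               # DN of the administrative point
    base: str = ""                 # relative to admin_point
    minimum: int = 0               # RDN levels below base (0 = base itself)
    maximum: Optional[int] = None  # None = unbounded

    def selects(self, entry_dn):
        root = rdns(self.base) + rdns(self.admin_point)
        entry = rdns(entry_dn)
        # The entry must sit at or below the subtree base.
        if len(entry) < len(root) or entry[len(entry) - len(root):] != root:
            return False
        depth = len(entry) - len(root)
        if depth < self.minimum:
            return False
        return self.maximum is None or depth <= self.maximum


def effective_policies(entry_dn, subentries):
    """Names of every policy subentry whose subtree covers the entry."""
    return [s.name for s in subentries if s.selects(entry_dn)]


def overlapping(entry_dns, subentries):
    """Entries covered by more than one policy, i.e. needing precedence."""
    result = {}
    for dn in entry_dns:
        names = effective_policies(dn, subentries)
        if len(names) > 1:
            result[dn] = names
    return result


# Constructed sample data: one global policy, one user-local policy.
ALICE = "uid=alice,ou=people,dc=example,dc=com"
BOB = "uid=bob,ou=people,dc=example,dc=com"
DEEP = "cn=laptop,cn=devices," + ALICE  # two levels below alice
SUBENTRIES = [
    PolicySubentry("cn=globalPwdPolicy", "dc=example,dc=com"),
    PolicySubentry("cn=alicePwdPolicy", ALICE, maximum=1),
]
```
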





