Trustin Lee wrote:
I forgot to mention that it would be simpler to merge two operation
scopes (attributeType and attributeValue) into one (attribute) so we
have only two operation scopes (entry and attribute). I don't see any
problem with this simplification for LDAP. WDYT?
Yes I think we can make this simplification. I looked to see if this
draft here has done the same though:
http://www.ietf.org/proceedings/01aug/I-D/draft-ietf-ldapext-acl-model-08.txt
I could not see any ACI which limited operations based on the value of
an attribute. This is perhaps an example where X.500 goes way beyond
what is necessary.
In either case I think the best philosophy for us is to take what we
initially is the best of X.500 and this draft to come out with a working
implementation. Let's start using it and having our users use it. Get
feedback from them and start compiling a set of use cases which users
want/need which our implementation does not provide. Then we can go
back and easily add this functionality.
Over time we're going to find out what the optimal ACI descriptor really is.
Alex
