Posted to dev@directory.apache.org by Trustin Lee <tr...@gmail.com> on 2005/09/23 15:11:06 UTC

[ApacheDS] another question while implementing ACDFEngine

Hi,

I implemented evaluation logic for UserItem.Classes and
ProtectedItem.RangeOfValues thanks to Alex's help, but I still don't know
how to implement it for UserItem.Subtree. It looks like SubtreeEvaluator
requires many parameters I don't understand yet.

Any idea about how to use SubtreeEvaluator? Please take a look at my ACDF
implementation at:

http://svn.apache.org/viewcvs.cgi/directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authz/ACDFEngine.java?rev=291080&view=markup

I commented out my evaluation code. Please find 'instanceof
UserClass.Subtree' then you'll see where I've commented out.

Trustin
--
what we call human nature is actually human habit
--
http://gleamynode.net/

Re: [ApacheDS] another question while implementing ACDFEngine

Posted by Trustin Lee <tr...@gmail.com>.
2005/9/23, Trustin Lee <tr...@gmail.com>:
>
> Now I see that we can get apDN easily in case of prescriptiveACI because
> it is an attribute of subentry. But what about entryACI? How can I find an
> appropriate administrative point?


I thought over this and I concluded that 'ou=users,ou=system' should be apDN
though it doesn't need to be a real administrative point. We should be OK
to evaluate SubtreeSpecification with apDN regardless of whether it is an
administrative point or not. Just fixing the administration point for users
helps me to implement the 'subtree' userClass without much compromise. WDYT?

Trustin
--
what we call human nature is actually human habit
--
http://gleamynode.net/

Re: [ApacheDS] another question while implementing ACDFEngine

Posted by Alex Karasulu <ao...@bellsouth.net>.
Trustin Lee wrote:

> 2005/9/24, Alex Karasulu <aok123@bellsouth.net 
> <ma...@bellsouth.net>>:
>
>     > Now I see that we can get apDN easily in case of prescriptiveACI
>     > because it is an attribute of subentry.  But what about
>     entryACI?  How
>     > can I find an appropriate administrative point?
>
>     Question is: does this evaluation apply? Do you need an AP at all to
>     evaluate for an entryACI?
>
>
> There is a userClass called 'subtree'.  It specifies users who belong to
> the specified subtree.  The problem is that the 'subtree' userClass
> specifies only subtreeSpecifications.  How can I evaluate whether
> the current user DN belongs to the subtree or not without knowing apDN?
>
> So... I thought we might have to assume that there's only one
> administrative point for users, 'ou=users, ou=system'.  But I'm not
> sure this is the right choice.

Yeah this is not a good presumption to make.  The users can really go 
anywhere.  We are just using this container as a convention. 

The problem as I understand it is that the subtreeSpecification is 
supposed to select a set of users that can perform some operation on a 
target entry.  The ACIItem that contains this userClass can be 
prescriptiveACI or entryACI.   A subtreeSpecification is all you have 
and the base of it is relative so how do you start evaluating a candidate 
without an AP DN?

For this special case I would presume the base, relative name, of the 
subtreeSpecification is really a DN.  In other words the empty DN, the 
RootDSE, is the Administrative Point.

The X.501 specifications really did a poor job with this userClass.  
It's clearly a flaw in the spec.

Alex



Re: [ApacheDS] another question while implementing ACDFEngine

Posted by Trustin Lee <tr...@gmail.com>.
2005/9/24, Alex Karasulu <ao...@bellsouth.net>:
>
> > Now I see that we can get apDN easily in case of prescriptiveACI
> > because it is an attribute of subentry. But what about entryACI? How
> > can I find an appropriate administrative point?
>
> Question is: does this evaluation apply? Do you need an AP at all to
> evaluate for an entryACI?


There is a userClass called 'subtree'. It specifies users who belong to the
specified subtree. The problem is that the 'subtree' userClass specifies only
subtreeSpecifications. How can I evaluate whether the current user DN
belongs to the subtree or not without knowing apDN?

So... I thought we might have to assume that there's only one administrative
point for users, 'ou=users, ou=system'. But I'm not sure this is the right
choice.

Trustin
--
what we call human nature is actually human habit
--
http://gleamynode.net/

Re: [ApacheDS] another question while implementing ACDFEngine

Posted by Alex Karasulu <ao...@bellsouth.net>.
Trustin Lee wrote:

> Now I see that we can get apDN easily in case of prescriptiveACI 
> because it is an attribute of subentry.  But what about entryACI?  How 
> can I find an appropriate administrative point?

Question is: does this evaluation apply? Do you need an AP at all to 
evaluate for an entryACI? 

Alex

Re: [ApacheDS] another question while implementing ACDFEngine

Posted by Trustin Lee <tr...@gmail.com>.
Now I see that we can get apDN easily in case of prescriptiveACI because it
is an attribute of subentry. But what about entryACI? How can I find an
appropriate administrative point?

Trustin

2005/9/23, Alex Karasulu <ao...@bellsouth.net>:
>
> Trustin Lee wrote:
>
> > I've found that my main concern is how to find what apDN is. It looks
> > like I can find apDN by climbing up the DIT from the entry with user
> > DN. But I'm not sure about this. Does anyone know about this? Which
> > administrative point should I choose?
>
> This evaluator (for refinements I would guess) must have been
> designed for evaluating inclusion within a subentry. In this case, the
> apDN is the DN of the administrative point, the parent just above the
> subentry. In its use with subtreeSpecification inclusion evaluation
> (mouthful) this evaluator is fed the specification, the apDn and the
> objectClasses of the candidate entry being evaluated.
>
> HTH,
> Alex
>
>


--
what we call human nature is actually human habit
--
http://gleamynode.net/

Re: [ApacheDS] another question while implementing ACDFEngine

Posted by Alex Karasulu <ao...@bellsouth.net>.
Trustin Lee wrote:

> I've found that my main concern is how to find what apDN is.  It looks 
> like I can find apDN by climbing up the DIT from the entry with user 
> DN.  But I'm not sure about this.  Does anyone know about this?  Which 
> administrative point should I choose?

This evaluator (for refinements I would guess) must have been 
designed for evaluating inclusion within a subentry.  In this case, the 
apDN is the DN of the administrative point, the parent just above the 
subentry.  In its use with subtreeSpecification inclusion evaluation 
(mouthful) this evaluator is fed the specification, the apDn and the 
objectClasses of the candidate entry being evaluated.

HTH,
Alex
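
The evaluation Alex describes above (the evaluator is fed a subtreeSpecification, the apDN and the candidate entry's objectClasses) and his proposal in the later message of treating the empty DN, the RootDSE, as the AP for entryACI can be tried out with the following Python model. It is an added illustration of X.501 subtreeSpecification semantics, not ApacheDS's SubtreeEvaluator or any code from this thread: the DN parser assumes there are no escaped commas in RDN values, the nested-tuple encoding of refinements is my own, and the DNs, the subentry name and the objectClass lists are constructed sample values.

```python
"""Model of X.501 subtreeSpecification evaluation relative to an
administrative point (AP). Added illustration, not ApacheDS code."""
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple

RDNs = Tuple[str, ...]           # root-first tuple of normalized RDN strings
# Refinement encoding (own convention): ("item", oc) | ("and", [r, ...])
#                                       | ("or", [r, ...]) | ("not", r) | None
Refinement = Optional[tuple]


def parse_dn(dn: str) -> RDNs:
    """Turn an LDAP string DN into a root-first tuple of RDNs.
    The empty string is the empty DN (RootDSE). Assumption: no escaped
    commas inside RDN values, so a plain split on ',' is enough."""
    if not dn.strip():
        return ()
    return tuple(reversed([rdn.strip().lower() for rdn in dn.split(",")]))


def is_at_or_below(candidate: RDNs, ancestor: RDNs) -> bool:
    """True if candidate equals ancestor or lies anywhere beneath it."""
    return candidate[:len(ancestor)] == ancestor


def ap_dn_for_subentry(subentry_dn: str) -> str:
    """For a prescriptiveACI the AP is the parent of the subentry holding it."""
    rdns = parse_dn(subentry_dn)
    return ",".join(reversed(rdns[:-1]))


@dataclass
class SubtreeSpecification:
    base: str = ""                   # relative to the AP; "" means the AP itself
    minimum: int = 0                 # depth below base at which inclusion starts
    maximum: Optional[int] = None    # depth below base at which inclusion stops
    chop_before: Sequence[str] = ()  # relative DNs excluded together with subordinates
    chop_after: Sequence[str] = ()   # relative DNs kept, but their subordinates excluded
    refinement: Refinement = None    # objectClass filter; None means no filter


def refinement_matches(ref: Refinement, object_classes) -> bool:
    """Evaluate an item/and/or/not refinement against a set of objectClasses."""
    if ref is None:
        return True
    kind, arg = ref
    if kind == "item":
        return arg.lower() in object_classes
    if kind == "and":
        return all(refinement_matches(r, object_classes) for r in arg)
    if kind == "or":
        return any(refinement_matches(r, object_classes) for r in arg)
    if kind == "not":
        return not refinement_matches(arg, object_classes)
    raise ValueError(f"unknown refinement kind {kind!r}")


def in_subtree(spec: SubtreeSpecification, ap_dn: str, candidate_dn: str,
               object_classes: Sequence[str] = ()) -> bool:
    """Decide whether candidate_dn is selected by spec evaluated under ap_dn.
    The base is resolved relative to the AP, which is why the AP must be known."""
    root = parse_dn(ap_dn) + parse_dn(spec.base)
    cand = parse_dn(candidate_dn)
    if not is_at_or_below(cand, root):
        return False
    depth = len(cand) - len(root)
    if depth < spec.minimum:
        return False
    if spec.maximum is not None and depth > spec.maximum:
        return False
    for rel in spec.chop_before:          # entry and its subordinates are out
        if is_at_or_below(cand, root + parse_dn(rel)):
            return False
    for rel in spec.chop_after:           # only the subordinates are out
        excluded_root = root + parse_dn(rel)
        if len(cand) > len(excluded_root) and is_at_or_below(cand, excluded_root):
            return False
    return refinement_matches(spec.refinement, {oc.lower() for oc in object_classes})


def demo() -> dict:
    """Constructed sample: a 'subtree' userClass whose specification selects
    everyone under ou=users relative to the AP, excluding ou=disabled.
    Returns the outcome under the AP choices discussed in the thread."""
    spec = SubtreeSpecification(base="ou=users", chop_before=["ou=disabled"])
    user = "cn=alice,ou=users,ou=system"
    return {
        # prescriptiveACI: the AP is the parent of the subentry carrying the ACI
        "ap_from_subentry": in_subtree(spec, ap_dn_for_subentry("cn=aci,ou=system"), user),
        # entryACI with the RootDSE as AP but a relative base: "ou=users" now
        # names the absolute DN ou=users, which alice is not under
        "rootdse_relative_base": in_subtree(spec, "", user),
        # RootDSE as AP and the base written as an absolute DN (Alex's proposal)
        "rootdse_absolute_base": in_subtree(
            SubtreeSpecification(base="ou=users,ou=system"), "", user),
        # a user below the chopped ou=disabled is excluded even with the right AP
        "disabled_user": in_subtree(spec, "ou=system", "cn=bob,ou=disabled,ou=users,ou=system"),
    }
```

The `demo()` results make the thread's point concrete: the same specification selects alice when the AP is `ou=system` and fails to select her when the AP is the empty DN, unless the base is rewritten as an absolute DN, which is exactly the special-case reading Alex suggests for entryACI.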


Re: [ApacheDS] another question while implementing ACDFEngine

Posted by Trustin Lee <tr...@gmail.com>.
I've found that my main concern is how to find what apDN is. It looks like I
can find apDN by climbing up the DIT from the entry with user DN. But I'm
not sure about this. Does anyone know about this? Which administrative point
should I choose?

Trustin
--
what we call human nature is actually human habit
--
http://gleamynode.net/