mirror of
https://git.openldap.org/openldap/openldap.git
synced 2025-01-24 13:24:56 +08:00
508 lines
18 KiB
Plaintext
508 lines
18 KiB
Plaintext
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Network Working Group E. Stokes
|
|||
|
Request for Comments: 2820 D. Byrne
|
|||
|
Category: Informational IBM
|
|||
|
B. Blakley
|
|||
|
Dascom
|
|||
|
P. Behera
|
|||
|
Netscape
|
|||
|
May 2000
|
|||
|
|
|||
|
|
|||
|
Access Control Requirements for LDAP
|
|||
|
|
|||
|
Status of this Memo
|
|||
|
|
|||
|
This memo provides information for the Internet community. It does
|
|||
|
not specify an Internet standard of any kind. Distribution of this
|
|||
|
memo is unlimited.
|
|||
|
|
|||
|
Copyright Notice
|
|||
|
|
|||
|
Copyright (C) The Internet Society (2000). All Rights Reserved.
|
|||
|
|
|||
|
Abstract
|
|||
|
|
|||
|
This document describes the fundamental requirements of an access
|
|||
|
control list (ACL) model for the Lightweight Directory Application
|
|||
|
Protocol (LDAP) directory service. It is intended to be a gathering
|
|||
|
place for access control requirements needed to provide authorized
|
|||
|
access to and interoperability between directories.
|
|||
|
|
|||
|
The keywords "MUST", "SHOULD", and "MAY" used in this document are to
|
|||
|
be interpreted as described in [bradner97].
|
|||
|
|
|||
|
1. Introduction
|
|||
|
|
|||
|
The ability to securely access (replicate and distribute) directory
|
|||
|
information throughout the network is necessary for successful
|
|||
|
deployment. LDAP's acceptance as an access protocol for directory
|
|||
|
information is driving the need to provide an access control model
|
|||
|
definition for LDAP directory content among servers within an
|
|||
|
enterprise and the Internet. Currently LDAP does not define an
|
|||
|
access control model, but is needed to ensure consistent secure
|
|||
|
access across heterogeneous LDAP implementations. The requirements
|
|||
|
for access control are critical to the successful deployment and
|
|||
|
acceptance of LDAP in the market place.
|
|||
|
|
|||
|
The RFC 2119 terminology is used in this document.
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Stokes, et al. Informational [Page 1]
|
|||
|
|
|||
|
RFC 2820 Access Control Requirements for LDAP May 2000
|
|||
|
|
|||
|
|
|||
|
2. Objectives
|
|||
|
|
|||
|
The major objective is to provide a simple, but secure, highly
|
|||
|
efficient access control model for LDAP while also providing the
|
|||
|
appropriate flexibility to meet the needs of both the Internet and
|
|||
|
enterprise environments and policies.
|
|||
|
|
|||
|
This generally leads to several general requirements that are
|
|||
|
discussed below.
|
|||
|
|
|||
|
3. Requirements
|
|||
|
|
|||
|
This section is divided into several areas of requirements: general,
|
|||
|
semantics/policy, usability, and nested groups (an unresolved issue).
|
|||
|
The requirements are not in any priority order. Examples and
|
|||
|
explanatory text is provided where deemed necessary. Usability is
|
|||
|
perhaps the one set of requirements that is generally overlooked, but
|
|||
|
must be addressed to provide a secure system. Usability is a security
|
|||
|
issue, not just a nice design goal and requirement. If it is
|
|||
|
impossible to set and manage a policy for a secure situation that a
|
|||
|
human can understand, then what was set up will probably be non-
|
|||
|
secure. We all need to think of usability as a functional security
|
|||
|
requirement.
|
|||
|
|
|||
|
3.1 General
|
|||
|
|
|||
|
G1. Model SHOULD be general enough to support extensibility to add
|
|||
|
desirable features in the future.
|
|||
|
|
|||
|
G2. When in doubt, safer is better, especially when establishing
|
|||
|
defaults.
|
|||
|
|
|||
|
G3. ACL administration SHOULD be part of the LDAP protocol. Access
|
|||
|
control information MUST be an LDAP attribute.
|
|||
|
|
|||
|
G4. Object reuse protection SHOULD be provided and MUST NOT inhibit
|
|||
|
implementation of object reuse. The directory SHOULD support policy
|
|||
|
controlling the re-creation of deleted DNs, particularly in cases
|
|||
|
where they are re-created for the purpose of assigning them to a
|
|||
|
subject other than the owner of the deleted DN.
|
|||
|
|
|||
|
3.2 Semantics / Policy
|
|||
|
|
|||
|
S1. Omitted as redundant; see U8.
|
|||
|
|
|||
|
S2. More specific policies must override less specific ones (e.g.
|
|||
|
individual user entry in ACL SHOULD take precedence over group entry)
|
|||
|
for the evaluation of an ACL.
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Stokes, et al. Informational [Page 2]
|
|||
|
|
|||
|
RFC 2820 Access Control Requirements for LDAP May 2000
|
|||
|
|
|||
|
|
|||
|
S3. Multiple policies of equal specificity SHOULD be combined in
|
|||
|
some easily-understood way (e.g. union or intersection). This is
|
|||
|
best understood by example. Suppose user A belongs to 3 groups and
|
|||
|
those 3 groups are listed on the ACL. Also suppose that the
|
|||
|
permissions for each of those groups are not identical. Each group is
|
|||
|
of equal specificity (e.g. each group is listed on the ACL) and the
|
|||
|
policy for granting user A access (given the example) SHOULD be
|
|||
|
combined in some easily understood way, such as by intersection or
|
|||
|
union. For example, an intersection policy here may yield a more
|
|||
|
limited access for user A than a union policy.
|
|||
|
|
|||
|
S4. Newly created directory entries SHOULD be subject to a secure
|
|||
|
default policy.
|
|||
|
|
|||
|
S5. Access policy SHOULD NOT be expressed in terms of attributes
|
|||
|
which the directory administrator or his organization cannot
|
|||
|
administer (e.g. groups whose membership is administered by another
|
|||
|
organization).
|
|||
|
|
|||
|
S6. Access policy SHOULD NOT be expressed in terms of attributes
|
|||
|
which are easily forged (e.g. IP addresses). There may be valid
|
|||
|
reasons for enabling access based on attributes that are easily
|
|||
|
forged and the behavior/implications of doing that should be
|
|||
|
documented.
|
|||
|
|
|||
|
S7. Humans (including administrators) SHOULD NOT be required to
|
|||
|
manage access policy on the basis of attributes which are not
|
|||
|
"human-readable" (e.g. IP addresses).
|
|||
|
|
|||
|
S8. It MUST be possible to deny a subject the right to invoke a
|
|||
|
directory operation. The system SHOULD NOT require a specific
|
|||
|
implementation of denial (e.g. explicit denial, implicit denial).
|
|||
|
|
|||
|
S9. The system MUST be able (semantically) to support either
|
|||
|
default-grant or default-deny semantics (not simultaneously).
|
|||
|
|
|||
|
S10. The system MUST be able to support either union semantics or
|
|||
|
intersection semantics for aggregate subjects (not simultaneously).
|
|||
|
|
|||
|
S11. Absence of policy SHOULD be interpretable as grant or deny.
|
|||
|
Deny takes precedence over grant among entries of equal specificity.
|
|||
|
|
|||
|
S12. ACL policy resolution MUST NOT depend on the order of entries
|
|||
|
in the ACL.
|
|||
|
|
|||
|
S13. Rights management MUST have no side effects. Granting a
|
|||
|
subject one right to an object MUST NOT implicitly grant the same or
|
|||
|
any other subject a different right to the same object. Granting a
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Stokes, et al. Informational [Page 3]
|
|||
|
|
|||
|
RFC 2820 Access Control Requirements for LDAP May 2000
|
|||
|
|
|||
|
|
|||
|
privilege attribute to one subject MUST NOT implicitly grant the same
|
|||
|
privilege attribute to any other subject. Granting a privilege
|
|||
|
attribute to one subject MUST NOT implicitly grant a different
|
|||
|
privilege attribute to the same or any other subject. Definition: An
|
|||
|
ACL's "scope" is defined as the set of directory objects governed by
|
|||
|
the policy it defines; this set of objects is a sub-tree of the
|
|||
|
directory. Changing the policy asserted by an ACL (by changing one
|
|||
|
or more of its entries) MUST NOT implicitly change the policy
|
|||
|
governed by an ACL in a different scope.
|
|||
|
|
|||
|
S14. It SHOULD be possible to apply a single policy to multiple
|
|||
|
directory entries, even if those entries are in different subtrees.
|
|||
|
Applying a single policy to multiple directory entries SHOULD NOT
|
|||
|
require creation and storage of multiple copies of the policy data.
|
|||
|
The system SHOULD NOT require a specific implementation (e.g. nested
|
|||
|
groups, named ACLs) of support for policy sharing.
|
|||
|
|
|||
|
3.3 Usability (Manageability)
|
|||
|
|
|||
|
U1. When in doubt, simpler is better, both at the interface and in
|
|||
|
the implementation.
|
|||
|
|
|||
|
U2. Subjects MUST be drawn from the "natural" LDAP namespace; they
|
|||
|
should be DNs.
|
|||
|
|
|||
|
U3. It SHOULD NOT be possible via ACL administration to lock all
|
|||
|
users, including all administrators, out of the directory.
|
|||
|
|
|||
|
U4. Administrators SHOULD NOT be required to evaluate arbitrary
|
|||
|
Boolean predicates in order to create or understand policy.
|
|||
|
|
|||
|
U5. Administrators SHOULD be able to administer access to
|
|||
|
directories and their attributes based on their sensitivity, without
|
|||
|
having to understand the semantics of individual schema elements and
|
|||
|
their attributes (see U9).
|
|||
|
|
|||
|
U6. Management of access to resources in an entire subtree SHOULD
|
|||
|
require only one ACL (at the subtree root). Note that this makes
|
|||
|
access control based explicitly on attribute types very hard, unless
|
|||
|
you constrain the types of entries in subtrees. For example, another
|
|||
|
attribute is added to an entry. That attribute may fall outside the
|
|||
|
grouping covered by the ACL and hence require additional
|
|||
|
administration where the desired affect is indeed a different ACL.
|
|||
|
Access control information specified in one administrative area MUST
|
|||
|
NOT have jurisdiction in another area. You SHOULD NOT be able to
|
|||
|
control access to the aliased entry in the alias. You SHOULD be able
|
|||
|
to control access to the alias name.
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Stokes, et al. Informational [Page 4]
|
|||
|
|
|||
|
RFC 2820 Access Control Requirements for LDAP May 2000
|
|||
|
|
|||
|
|
|||
|
U7. Override of subtree policy MUST be supported on a per-
|
|||
|
directory-entry basis.
|
|||
|
|
|||
|
U8. Control of access to individual directory entry attributes (not
|
|||
|
just the whole directory entry) MUST be supported.
|
|||
|
|
|||
|
U9. Administrator MUST be able to coarsen access policy granularity
|
|||
|
by grouping attributes with similar access sensitivities.
|
|||
|
|
|||
|
U10. Control of access on a per-user granularity MUST be supported.
|
|||
|
|
|||
|
U11. Administrator MUST be able to aggregate users (for example, by
|
|||
|
assigning them to groups or roles) to simplify administration.
|
|||
|
|
|||
|
U12. It MUST be possible to review "effective access" of any user,
|
|||
|
group, or role to any entry's attributes. This aids the administrator
|
|||
|
in setting the correct policy.
|
|||
|
|
|||
|
U13. A single administrator SHOULD be able to define policy for the
|
|||
|
entire directory tree. An administrator MUST be able to delegate
|
|||
|
policy administration for specific subtrees to other users. This
|
|||
|
allows for the partitioning of the entire directory tree for policy
|
|||
|
administration, but still allows a single policy to be defined for
|
|||
|
the entire tree independent of partitioning. (Partition in this
|
|||
|
context means scope of administration). An administrator MUST be able
|
|||
|
to create new partitions at any point in the directory tree, and MUST
|
|||
|
be able to merge a superior and subordinate partition. An
|
|||
|
administrator MUST be able to configure whether delegated access
|
|||
|
control information from superior partitions is to be accepted or
|
|||
|
not.
|
|||
|
|
|||
|
U14. It MUST be possible to authorize users to traverse directory
|
|||
|
structure even if they are not authorized to examine or modify some
|
|||
|
traversed entries; it MUST also be possible to prohibit this. The
|
|||
|
tree structure MUST be able to be protected from view if so desired
|
|||
|
by the administrator.
|
|||
|
|
|||
|
U15. It MUST be possible to create publicly readable entries, which
|
|||
|
may be read even by unauthenticated clients.
|
|||
|
|
|||
|
U16. The model for combining multiple access control list entries
|
|||
|
referring to a single individual MUST be easy to understand.
|
|||
|
|
|||
|
U17. Administrator MUST be able to determine where inherited policy
|
|||
|
information comes from, that is, where ACLs are located and which
|
|||
|
ACLs were applied. Where inheritance of ACLs is applied, it must be
|
|||
|
able to be shown how/where that new ACL is derived from.
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Stokes, et al. Informational [Page 5]
|
|||
|
|
|||
|
RFC 2820 Access Control Requirements for LDAP May 2000
|
|||
|
|
|||
|
|
|||
|
U18. It SHOULD be possible for the administrator to configure the
|
|||
|
access control system to permit users to grant additional access
|
|||
|
control rights for entries which they create.
|
|||
|
|
|||
|
4. Security Considerations
|
|||
|
|
|||
|
Access control is a security consideration. This documents addresses
|
|||
|
the requirements.
|
|||
|
|
|||
|
5. Glossary
|
|||
|
|
|||
|
This glossary is intended to aid the novice not versed in depth about
|
|||
|
access control. It contains a list of terms and their definitions
|
|||
|
that are commonly used in discussing access control [emca].
|
|||
|
|
|||
|
Access control - The prevention of use of a resource by unidentified
|
|||
|
and/or unauthorized entities in any other that an authorized manner.
|
|||
|
|
|||
|
Access control list - A set of control attributes. It is a list,
|
|||
|
associated with a security object or a group of security objects.
|
|||
|
The list contains the names of security subjects and the type of
|
|||
|
access that may be granted.
|
|||
|
|
|||
|
Access control policy - A set of rules, part of a security policy, by
|
|||
|
which human users, or their representatives, are authenticated and by
|
|||
|
which access by these users to applications and other services and
|
|||
|
security objects is granted or denied.
|
|||
|
|
|||
|
Access context - The context, in terms of such variables as location,
|
|||
|
time of day, level of security of the underlying associations, etc.,
|
|||
|
in which an access to a security object is made.
|
|||
|
|
|||
|
Authorization - The granting of access to a security object.
|
|||
|
|
|||
|
Authorization policy - A set of rules, part of an access control
|
|||
|
policy, by which access by security subjects to security objects is
|
|||
|
granted or denied. An authorization policy may be defined in terms
|
|||
|
of access control lists, capabilities, or attributes assigned to
|
|||
|
security subjects, security objects, or both.
|
|||
|
|
|||
|
Control attributes - Attributes, associated with a security object
|
|||
|
that, when matched against the privilege attributes of a security
|
|||
|
subject, are used to grant or deny access to the security object. An
|
|||
|
access control list or list of rights or time of day range are
|
|||
|
examples of control attributes.
|
|||
|
|
|||
|
Credentials - Data that serve to establish the claimed identity of a
|
|||
|
security subject relative to a given security domain.
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Stokes, et al. Informational [Page 6]
|
|||
|
|
|||
|
RFC 2820 Access Control Requirements for LDAP May 2000
|
|||
|
|
|||
|
|
|||
|
Privilege attributes - Attributes, associated with a security subject
|
|||
|
that, when matched against control attributes of a security object,
|
|||
|
are used to grant or deny access to that subject. Group and role
|
|||
|
memberships are examples of privilege attributes.
|
|||
|
|
|||
|
Security attributes - A general term covering both privilege
|
|||
|
attributes and control attributes. The use of security attributes is
|
|||
|
defined by a security policy.
|
|||
|
|
|||
|
Security object - An entity in a passive role to which a security
|
|||
|
policy applies.
|
|||
|
|
|||
|
Security policy - A general term covering both access control
|
|||
|
policies and authorization policies.
|
|||
|
|
|||
|
Security subject - An entity in an active role to which a security
|
|||
|
policy applies.
|
|||
|
|
|||
|
6. References
|
|||
|
|
|||
|
[ldap] Kille, S., Howes, T. and M. Wahl, "Lightweight Directory
|
|||
|
Access Protocol (v3)", RFC 2251, August 1997.
|
|||
|
|
|||
|
[ecma] ECMA, "Security in Open Systems: A Security Framework"
|
|||
|
ECMA TR/46, July 1988.
|
|||
|
|
|||
|
[bradner97] Bradner, S., "Key Words for use in RFCs to Indicate
|
|||
|
Requirement Levels", BCP 14, RFC 2119, March 1997.
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Stokes, et al. Informational [Page 7]
|
|||
|
|
|||
|
RFC 2820 Access Control Requirements for LDAP May 2000
|
|||
|
|
|||
|
|
|||
|
7. Authors' Addresses
|
|||
|
|
|||
|
Bob Blakley
|
|||
|
Dascom
|
|||
|
5515 Balcones Drive
|
|||
|
Austin, TX 78731
|
|||
|
USA
|
|||
|
|
|||
|
Phone: +1 512 458 4037 ext 5012
|
|||
|
Fax: +1 512 458 2377
|
|||
|
EMail: blakley@dascom.com
|
|||
|
|
|||
|
|
|||
|
Ellen Stokes
|
|||
|
IBM
|
|||
|
11400 Burnet Rd
|
|||
|
Austin, TX 78758
|
|||
|
USA
|
|||
|
|
|||
|
Phone: +1 512 838 3725
|
|||
|
Fax: +1 512 838 0156
|
|||
|
EMail: stokes@austin.ibm.com
|
|||
|
|
|||
|
|
|||
|
Debbie Byrne
|
|||
|
IBM
|
|||
|
11400 Burnet Rd
|
|||
|
Austin, TX 78758
|
|||
|
USA
|
|||
|
|
|||
|
Phone: +1 512 838 1930
|
|||
|
Fax: +1 512 838 8597
|
|||
|
EMail: djbyrne@us.ibm.com
|
|||
|
|
|||
|
|
|||
|
Prasanta Behera
|
|||
|
Netscape
|
|||
|
501 Ellis Street
|
|||
|
Mountain View, CA 94043
|
|||
|
USA
|
|||
|
|
|||
|
Phone: +1 650 937 4948
|
|||
|
Fax: +1 650 528-4164
|
|||
|
EMail: prasanta@netscape.com
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Stokes, et al. Informational [Page 8]
|
|||
|
|
|||
|
RFC 2820 Access Control Requirements for LDAP May 2000
|
|||
|
|
|||
|
|
|||
|
8. Full Copyright Statement
|
|||
|
|
|||
|
Copyright (C) The Internet Society (2000). All Rights Reserved.
|
|||
|
|
|||
|
This document and translations of it may be copied and furnished to
|
|||
|
others, and derivative works that comment on or otherwise explain it
|
|||
|
or assist in its implementation may be prepared, copied, published
|
|||
|
and distributed, in whole or in part, without restriction of any
|
|||
|
kind, provided that the above copyright notice and this paragraph are
|
|||
|
included on all such copies and derivative works. However, this
|
|||
|
document itself may not be modified in any way, such as by removing
|
|||
|
the copyright notice or references to the Internet Society or other
|
|||
|
Internet organizations, except as needed for the purpose of
|
|||
|
developing Internet standards in which case the procedures for
|
|||
|
copyrights defined in the Internet Standards process must be
|
|||
|
followed, or as required to translate it into languages other than
|
|||
|
English.
|
|||
|
|
|||
|
The limited permissions granted above are perpetual and will not be
|
|||
|
revoked by the Internet Society or its successors or assigns.
|
|||
|
|
|||
|
This document and the information contained herein is provided on an
|
|||
|
"AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
|
|||
|
TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
|
|||
|
BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
|
|||
|
HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
|
|||
|
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
|
|||
|
|
|||
|
Acknowledgement
|
|||
|
|
|||
|
Funding for the RFC Editor function is currently provided by the
|
|||
|
Internet Society.
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Stokes, et al. Informational [Page 9]
|
|||
|
|