mirror of
https://git.openldap.org/openldap/openldap.git
synced 2025-01-24 13:24:56 +08:00
3420 lines
140 KiB
Plaintext
3420 lines
140 KiB
Plaintext
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Network Working Group J. Strassner
|
|||
|
Request for Comments: 3703 Intelliden Corporation
|
|||
|
Category: Standards Track B. Moore
|
|||
|
IBM Corporation
|
|||
|
R. Moats
|
|||
|
Lemur Networks, Inc.
|
|||
|
E. Ellesson
|
|||
|
February 2004
|
|||
|
|
|||
|
|
|||
|
Policy Core Lightweight Directory Access Protocol (LDAP) Schema
|
|||
|
|
|||
|
Status of this Memo
|
|||
|
|
|||
|
This document specifies an Internet standards track protocol for the
|
|||
|
Internet community, and requests discussion and suggestions for
|
|||
|
improvements. Please refer to the current edition of the "Internet
|
|||
|
Official Protocol Standards" (STD 1) for the standardization state
|
|||
|
and status of this protocol. Distribution of this memo is unlimited.
|
|||
|
|
|||
|
Copyright Notice
|
|||
|
|
|||
|
Copyright (C) The Internet Society (2004). All Rights Reserved.
|
|||
|
|
|||
|
Abstract
|
|||
|
|
|||
|
This document defines a mapping of the Policy Core Information Model
|
|||
|
to a form that can be implemented in a directory that uses
|
|||
|
Lightweight Directory Access Protocol (LDAP) as its access protocol.
|
|||
|
This model defines two hierarchies of object classes: structural
|
|||
|
classes representing information for representing and controlling
|
|||
|
policy data as specified in RFC 3060, and relationship classes that
|
|||
|
indicate how instances of the structural classes are related to each
|
|||
|
other. Classes are also added to the LDAP schema to improve the
|
|||
|
performance of a client's interactions with an LDAP server when the
|
|||
|
client is retrieving large amounts of policy-related information.
|
|||
|
These classes exist only to optimize LDAP retrievals: there are no
|
|||
|
classes in the information model that correspond to them.
|
|||
|
|
|||
|
Table of Contents
|
|||
|
|
|||
|
1. Introduction ................................................. 2
|
|||
|
2. The Policy Core Information Model ............................ 4
|
|||
|
3. Inheritance Hierarchy for the PCLS ........................... 5
|
|||
|
4. General Discussion of Mapping the Information Model to LDAP .. 6
|
|||
|
4.1. Summary of Class and Association Mappings .............. 7
|
|||
|
4.2. Usage of DIT Content and Structure Rules and Name Forms. 9
|
|||
|
4.3. Naming Attributes in the PCLS .......................... 10
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Strassner, et al. Standards Track [Page 1]
|
|||
|
|
|||
|
RFC 3703 Policy Core LDAP Schema February 2004
|
|||
|
|
|||
|
|
|||
|
4.4. Rule-Specific and Reusable Conditions and Actions ...... 11
|
|||
|
4.5. Location and Retrieval of Policy Objects in the
|
|||
|
Directory .............................................. 16
|
|||
|
4.5.1. Aliases and Other DIT-Optimization Techniques .. 19
|
|||
|
5. Class Definitions ............................................ 19
|
|||
|
5.1. The Abstract Class "pcimPolicy" ........................ 21
|
|||
|
5.2. The Three Policy Group Classes ......................... 22
|
|||
|
5.3. The Three Policy Rule Classes .......................... 23
|
|||
|
5.4. The Class pcimRuleConditionAssociation ................. 30
|
|||
|
5.5. The Class pcimRuleValidityAssociation .................. 32
|
|||
|
5.6. The Class pcimRuleActionAssociation .................... 34
|
|||
|
5.7. The Auxiliary Class pcimConditionAuxClass .............. 36
|
|||
|
5.8. The Auxiliary Class pcimTPCAuxClass .................... 36
|
|||
|
5.9. The Auxiliary Class pcimConditionVendorAuxClass ........ 40
|
|||
|
5.10. The Auxiliary Class pcimActionAuxClass ................. 41
|
|||
|
5.11. The Auxiliary Class pcimActionVendorAuxClass ........... 42
|
|||
|
5.12. The Class pcimPolicyInstance ........................... 43
|
|||
|
5.13. The Auxiliary Class pcimElementAuxClass ................ 44
|
|||
|
5.14. The Three Policy Repository Classes .................... 45
|
|||
|
5.15. The Auxiliary Class pcimSubtreesPtrAuxClass ............ 46
|
|||
|
5.16. The Auxiliary Class pcimGroupContainmentAuxClass ....... 48
|
|||
|
5.17. The Auxiliary Class pcimRuleContainmentAuxClass ........ 49
|
|||
|
6. Extending the Classes Defined in This Document ............... 50
|
|||
|
6.1. Subclassing pcimConditionAuxClass and pcimActionAuxClass 50
|
|||
|
6.2. Using the Vendor Policy Attributes ..................... 50
|
|||
|
6.3. Using Time Validity Periods ............................ 51
|
|||
|
7. Security Considerations ...................................... 51
|
|||
|
8. IANA Considerations .......................................... 53
|
|||
|
8.1. Object Identifiers ..................................... 53
|
|||
|
8.2. Object Identifier Descriptors .......................... 53
|
|||
|
9. Acknowledgments .............................................. 56
|
|||
|
10. Appendix: Constructing the Value of orderedCIMKeys .......... 57
|
|||
|
11. References ................................................... 58
|
|||
|
11.1. Normative References ................................... 58
|
|||
|
11.2. Informative References ................................. 59
|
|||
|
12. Authors' Addresses ........................................... 60
|
|||
|
13. Full Copyright Statement ..................................... 61
|
|||
|
|
|||
|
1. Introduction
|
|||
|
|
|||
|
This document takes as its starting point the object-oriented
|
|||
|
information model for representing information for representing and
|
|||
|
controlling policy data as specified in [1]. Lightweight Directory
|
|||
|
Access Protocol (LDAP) [2] implementers, please note that the use of
|
|||
|
the term "policy" in this document does not refer to the use of the
|
|||
|
term "policy" as defined in X.501 [4]. Rather, the use of the term
|
|||
|
"policy" throughout this document is defined as follows:
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Strassner, et al. Standards Track [Page 2]
|
|||
|
|
|||
|
RFC 3703 Policy Core LDAP Schema February 2004
|
|||
|
|
|||
|
|
|||
|
Policy is defined as a set of rules to administer, manage, and
|
|||
|
control access to network resources.
|
|||
|
|
|||
|
This work is currently under joint development in the IETF's Policy
|
|||
|
Framework working group and in the Policy working group of the
|
|||
|
Distributed Management Task Force (DMTF). This model defines two
|
|||
|
hierarchies of object classes: structural classes representing policy
|
|||
|
information and control of policies, and relationship classes that
|
|||
|
indicate how instances of the structural classes are related to each
|
|||
|
other. In general, both of these class hierarchies will need to be
|
|||
|
mapped to a particular data store.
|
|||
|
|
|||
|
This document defines the mapping of these information model classes
|
|||
|
to a directory that uses LDAP as its access protocol. Two types of
|
|||
|
mappings are involved:
|
|||
|
|
|||
|
- For the structural classes in the information model, the
|
|||
|
mapping is basically one-for-one: information model classes map
|
|||
|
to LDAP classes, information model properties map to LDAP
|
|||
|
attributes.
|
|||
|
|
|||
|
- For the relationship classes in the information model,
|
|||
|
different mappings are possible. In this document, the Policy
|
|||
|
Core Information Model's (PCIM's) relationship classes and
|
|||
|
their properties are mapped in three ways: to LDAP auxiliary
|
|||
|
classes, to attributes representing distinguished name (DN)
|
|||
|
references, and to superior-subordinate relationships in the
|
|||
|
Directory Information Tree (DIT).
|
|||
|
|
|||
|
Implementations that use an LDAP directory as their policy repository
|
|||
|
and want to implement policy information according to RFC 3060 [1]
|
|||
|
SHALL use the LDAP schema defined in this document, or a schema that
|
|||
|
subclasses from the schema defined in this document. The use of the
|
|||
|
information model defined in reference [1] as the starting point
|
|||
|
enables the inheritance and the relationship class hierarchies to be
|
|||
|
extensible, such that other types of policy repositories, such as
|
|||
|
relational databases, can also use this information.
|
|||
|
|
|||
|
This document fits into the overall framework for representing,
|
|||
|
deploying, and managing policies being developed by the Policy
|
|||
|
Framework Working Group.
|
|||
|
|
|||
|
The LDAP schema described in this document uses the prefix "pcim" to
|
|||
|
identify its classes and attributes. It consists of ten very general
|
|||
|
classes: pcimPolicy (an abstract class), three policy group classes
|
|||
|
(pcimGroup, pcimGroupAuxClass, and pcimGroupInstance), three policy
|
|||
|
rule classes (pcimRule, pcimRuleAuxClass, and pcimRuleInstance), and
|
|||
|
three special auxiliary classes (pcimConditionAuxClass,
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Strassner, et al. Standards Track [Page 3]
|
|||
|
|
|||
|
RFC 3703 Policy Core LDAP Schema February 2004
|
|||
|
|
|||
|
|
|||
|
pcimTPCAuxClass, and pcimActionAuxClass). (Note that the
|
|||
|
PolicyTimePeriodCondition auxiliary class defined in [1] would
|
|||
|
normally have been named pcimTimePeriodConditionAuxClass, but this
|
|||
|
name is too long for some directories. Therefore, we have
|
|||
|
abbreviated this name to be pcimTPCAuxClass).
|
|||
|
|
|||
|
The mapping for the PCIM classes pcimGroup and pcimRule is designed
|
|||
|
to be as flexible as possible. Three classes are defined for these
|
|||
|
two PCIM classes. First, an abstract superclass is defined that
|
|||
|
contains all required properties of each PCIM class. Then, both an
|
|||
|
auxiliary class as well as a structural class are derived from the
|
|||
|
abstract superclass. This provides maximum flexibility for the
|
|||
|
developer.
|
|||
|
|
|||
|
The schema also contains two less general classes:
|
|||
|
pcimConditionVendorAuxClass and pcimActionVendorAuxClass. To achieve
|
|||
|
the mapping of the information model's relationships, the schema also
|
|||
|
contains two auxiliary classes: pcimGroupContainmentAuxClass and
|
|||
|
pcimRuleContainmentAuxClass. Capturing the distinction between
|
|||
|
rule-specific and reusable policy conditions and policy actions
|
|||
|
introduces seven other classes: pcimRuleConditionAssociation,
|
|||
|
pcimRuleValidityAssociation, pcimRuleActionAssociation,
|
|||
|
pcimPolicyInstance, and three policy repository classes
|
|||
|
(pcimRepository, pcimRepositoryAuxClass, and pcimRepositoryInstance).
|
|||
|
Finally, the schema includes two classes (pcimSubtreesPtrAuxClass and
|
|||
|
pcimElementAuxClass) for optimizing LDAP retrievals. In all, the
|
|||
|
schema contains 23 classes.
|
|||
|
|
|||
|
Within the context of this document, the term "PCLS" (Policy Core
|
|||
|
LDAP Schema) is used to refer to the LDAP class definitions that this
|
|||
|
document contains. The term "PCIM" refers to classes defined in [1].
|
|||
|
|
|||
|
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
|
|||
|
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
|
|||
|
document are to be interpreted as described in RFC 2119 [10].
|
|||
|
|
|||
|
2. The Policy Core Information Model
|
|||
|
|
|||
|
This document contains an LDAP schema representing the classes
|
|||
|
defined in the companion document "Policy Core Information
|
|||
|
Model -- Version 1 Specification" [1]. Other documents may
|
|||
|
subsequently be produced, with mappings of this same PCIM to other
|
|||
|
storage technologies. Since the detailed semantics of the PCIM
|
|||
|
classes appear only in [1], that document is a prerequisite for
|
|||
|
reading and understanding this document.
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Strassner, et al. Standards Track [Page 4]
|
|||
|
|
|||
|
RFC 3703 Policy Core LDAP Schema February 2004
|
|||
|
|
|||
|
|
|||
|
3. Inheritance Hierarchy for the PCLS
|
|||
|
|
|||
|
The following diagram illustrates the class hierarchy for the LDAP
|
|||
|
Classes defined in this document:
|
|||
|
|
|||
|
top
|
|||
|
|
|
|||
|
+--dlm1ManagedElement (abstract)
|
|||
|
| |
|
|||
|
| +--pcimPolicy (abstract)
|
|||
|
| | |
|
|||
|
| | +--pcimGroup (abstract)
|
|||
|
| | | |
|
|||
|
| | | +--pcimGroupAuxClass (auxiliary)
|
|||
|
| | | |
|
|||
|
| | | +--pcimGroupInstance (structural)
|
|||
|
| | |
|
|||
|
| | +--pcimRule (abstract)
|
|||
|
| | | |
|
|||
|
| | | +--pcimRuleAuxClass (auxiliary)
|
|||
|
| | | |
|
|||
|
| | | +--pcimRuleInstance (structural)
|
|||
|
| | |
|
|||
|
| | +--pcimRuleConditionAssociation (structural)
|
|||
|
| | |
|
|||
|
| | +--pcimRuleValidityAssociation (structural)
|
|||
|
| | |
|
|||
|
| | +--pcimRuleActionAssociation (structural)
|
|||
|
| | |
|
|||
|
| | +--pcimPolicyInstance (structural)
|
|||
|
| | |
|
|||
|
| | +--pcimElementAuxClass (auxiliary)
|
|||
|
| |
|
|||
|
| +--dlm1ManagedSystemElement (abstract)
|
|||
|
| |
|
|||
|
| +--dlm1LogicalElement (abstract)
|
|||
|
| |
|
|||
|
| +--dlm1System (abstract)
|
|||
|
| |
|
|||
|
| +--dlm1AdminDomain (abstract)
|
|||
|
| |
|
|||
|
| +--pcimRepository (abstract)
|
|||
|
| |
|
|||
|
| +--pcimRepositoryAuxClass (auxiliary)
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Strassner, et al. Standards Track [Page 5]
|
|||
|
|
|||
|
RFC 3703 Policy Core LDAP Schema February 2004
|
|||
|
|
|||
|
|
|||
|
top
|
|||
|
| |
|
|||
|
| +--pcimRepositoryInstance
|
|||
|
| (structural)
|
|||
|
|
|
|||
|
+--pcimConditionAuxClass (auxiliary)
|
|||
|
| |
|
|||
|
| +---pcimTPCAuxClass (auxiliary)
|
|||
|
| |
|
|||
|
| +---pcimConditionVendorAuxClass (auxiliary)
|
|||
|
|
|
|||
|
+--pcimActionAuxClass (auxiliary)
|
|||
|
| |
|
|||
|
| +---pcimActionVendorAuxClass (auxiliary)
|
|||
|
|
|
|||
|
+--pcimSubtreesPtrAuxClass (auxiliary)
|
|||
|
|
|
|||
|
+--pcimGroupContainmentAuxClass (auxiliary)
|
|||
|
|
|
|||
|
+--pcimRuleContainmentAuxClass (auxiliary)
|
|||
|
|
|||
|
Figure 1. LDAP Class Inheritance Hierarchy for the PCLS
|
|||
|
|
|||
|
4. General Discussion of Mapping the Information Model to LDAP
|
|||
|
|
|||
|
The classes described in Section 5 below contain certain
|
|||
|
optimizations for a directory that uses LDAP as its access protocol.
|
|||
|
One example of this is the use of auxiliary classes to represent some
|
|||
|
of the associations defined in the information model. Other data
|
|||
|
stores might need to implement these associations differently. A
|
|||
|
second example is the introduction of classes specifically designed
|
|||
|
to optimize retrieval of large amounts of policy-related data from a
|
|||
|
directory. This section discusses some general topics related to the
|
|||
|
mapping from the information model to LDAP.
|
|||
|
|
|||
|
The remainder of this section will discuss the following topics.
|
|||
|
Section 4.1 will discuss the strategy used in mapping the classes and
|
|||
|
associations defined in [1] to a form that can be represented in a
|
|||
|
directory that uses LDAP as its access protocol. Section 4.2
|
|||
|
discusses DIT content and structure rules, as well as name forms.
|
|||
|
Section 4.3 describes the strategy used in defining naming attributes
|
|||
|
for the schema described in Section 5 of this document. Section 4.4
|
|||
|
defines the strategy recommended for locating and retrieving
|
|||
|
PCIM-derived objects in the directory.
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Strassner, et al. Standards Track [Page 6]
|
|||
|
|
|||
|
RFC 3703 Policy Core LDAP Schema February 2004
|
|||
|
|
|||
|
|
|||
|
4.1. Summary of Class and Association Mappings
|
|||
|
|
|||
|
Fifteen of the classes in the PCLS come directly from the nine
|
|||
|
corresponding classes in the information model. Note that names of
|
|||
|
classes begin with an upper case character in the information model
|
|||
|
(although for CIM in particular, case is not significant in class and
|
|||
|
property names), but with a lower case character in LDAP. This is
|
|||
|
because although LDAP doesn't care, X.500 doesn't allow class names
|
|||
|
to begin with an uppercase character. Note also that the prefix
|
|||
|
"pcim" is used to identify these LDAP classes.
|
|||
|
|
|||
|
+---------------------------+-------------------------------+
|
|||
|
| Information Model | LDAP Class(es) |
|
|||
|
+---------------------------+-------------------------------+
|
|||
|
+---------------------------+-------------------------------+
|
|||
|
| Policy | pcimPolicy |
|
|||
|
+---------------------------+-------------------------------+
|
|||
|
| PolicyGroup | pcimGroup |
|
|||
|
| | pcimGroupAuxClass |
|
|||
|
| | pcimGroupInstance |
|
|||
|
+---------------------------+-------------------------------+
|
|||
|
| PolicyRule | pcimRule |
|
|||
|
| | pcimRuleAuxClass |
|
|||
|
| | pcimRuleInstance |
|
|||
|
+---------------------------+-------------------------------+
|
|||
|
| PolicyCondition | pcimConditionAuxClass |
|
|||
|
+---------------------------+-------------------------------+
|
|||
|
| PolicyAction | pcimActionAuxClass |
|
|||
|
+---------------------------+-------------------------------+
|
|||
|
| VendorPolicyCondition | pcimConditionVendorAuxClass |
|
|||
|
+---------------------------+-------------------------------+
|
|||
|
| VendorPolicyAction | pcimActionVendorAuxClass |
|
|||
|
+---------------------------+-------------------------------+
|
|||
|
| PolicyTimePeriodCondition | pcimTPCAuxClass |
|
|||
|
+---------------------------+-------------------------------+
|
|||
|
| PolicyRepository | pcimRepository |
|
|||
|
| | pcimRepositoryAuxClass |
|
|||
|
| | pcimRepositoryInstance |
|
|||
|
+---------------------------+-------------------------------+
|
|||
|
|
|||
|
Figure 2. Mapping of Information Model Classes to LDAP
|
|||
|
|
|||
|
The associations in the information model map to attributes that
|
|||
|
reference DNs (Distinguished Names) or to Directory Information Tree
|
|||
|
(DIT) containment (i.e., superior-subordinate relationships) in LDAP.
|
|||
|
Two of the attributes that reference DNs appear in auxiliary classes,
|
|||
|
which allow each of them to represent several relationships from the
|
|||
|
information model.
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Strassner, et al. Standards Track [Page 7]
|
|||
|
|
|||
|
RFC 3703 Policy Core LDAP Schema February 2004
|
|||
|
|
|||
|
|
|||
|
+----------------------------------+----------------------------------+
|
|||
|
| Information Model Association | LDAP Attribute / Class |
|
|||
|
+-----------------------------------+---------------------------------+
|
|||
|
+-----------------------------------+---------------------------------+
|
|||
|
| PolicyGroupInPolicyGroup | pcimGroupsAuxContainedSet in |
|
|||
|
| | pcimGroupContainmentAuxClass |
|
|||
|
+-----------------------------------+---------------------------------+
|
|||
|
| PolicyRuleInPolicyGroup | pcimRulesAuxContainedSet in |
|
|||
|
| | pcimRuleContainmentAuxClass |
|
|||
|
+-----------------------------------+---------------------------------+
|
|||
|
| PolicyConditionInPolicyRule | DIT containment or |
|
|||
|
| | pcimRuleConditionList in |
|
|||
|
| | pcimRule or |
|
|||
|
| | pcimConditionDN in |
|
|||
|
| | pcimRuleConditionAssociation |
|
|||
|
+-----------------------------------+---------------------------------+
|
|||
|
| PolicyActionInPolicyRule | DIT containment or |
|
|||
|
| | pcimRuleActionList in |
|
|||
|
| | pcimRule or |
|
|||
|
| | pcimActionDN in |
|
|||
|
| | pcimRuleActionAssociation |
|
|||
|
+-----------------------------------+---------------------------------+
|
|||
|
| PolicyRuleValidityPeriod | pcimRuleValidityPeriodList |
|
|||
|
| | in pcimRule or (if reusable) |
|
|||
|
| | referenced through the |
|
|||
|
| | pcimTimePeriodConditionDN in |
|
|||
|
| | pcimRuleValidityAssociation |
|
|||
|
+-----------------------------------+---------------------------------+
|
|||
|
| PolicyConditionInPolicyRepository | DIT containment |
|
|||
|
+-----------------------------------+---------------------------------+
|
|||
|
| PolicyActionInPolicyRepository | DIT containment |
|
|||
|
+-----------------------------------+---------------------------------+
|
|||
|
| PolicyRepositoryInPolicyRepository| DIT containment |
|
|||
|
+-----------------------------------+---------------------------------+
|
|||
|
|
|||
|
Figure 3. Mapping of Information Model Associations to LDAP
|
|||
|
|
|||
|
Of the remaining classes in the PCLS, two (pcimElementAuxClass and
|
|||
|
pcimSubtreesPtrAuxClass) are included to make navigation through the
|
|||
|
DIT and retrieval of the entries found there more efficient. This
|
|||
|
topic is discussed below in Section 4.5.
|
|||
|
|
|||
|
The remaining four classes in the PCLS, pcimRuleConditionAssociation,
|
|||
|
pcimRuleValidityAssociation, pcimRuleActionAssociation, and
|
|||
|
pcimPolicyInstance, are all involved with the representation of
|
|||
|
policy conditions and policy actions in an LDAP directory. This
|
|||
|
topic is discussed below in Section 4.4.
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Strassner, et al. Standards Track [Page 8]
|
|||
|
|
|||
|
RFC 3703 Policy Core LDAP Schema February 2004
|
|||
|
|
|||
|
|
|||
|
4.2. Usage of DIT Content and Structure Rules and Name Forms
|
|||
|
|
|||
|
There are three powerful tools that can be used to help define
|
|||
|
schemata. The first, DIT content rules, is a way of defining the
|
|||
|
content of an entry for a structural object class. It can be used to
|
|||
|
specify the following characteristics of the entry:
|
|||
|
|
|||
|
- additional mandatory attributes that the entries are required
|
|||
|
to contain
|
|||
|
- additional optional attributes the entries are allowed to
|
|||
|
contain
|
|||
|
- the set of additional auxiliary object classes that these
|
|||
|
entries are allowed to be members of
|
|||
|
- any optional attributes from the structural and auxiliary
|
|||
|
object class definitions that the entries are required to
|
|||
|
preclude
|
|||
|
|
|||
|
DIT content rules are NOT mandatory for any structural object class.
|
|||
|
|
|||
|
A DIT structure rule, together with a name form, controls the
|
|||
|
placement and naming of an entry within the scope of a subschema.
|
|||
|
Name forms define which attribute type(s) are required and are
|
|||
|
allowed to be used in forming the Relative Distinguished Names (RDNs)
|
|||
|
of entries. DIT structure rules specify which entries are allowed to
|
|||
|
be superior to other entries, and hence control the way that RDNs are
|
|||
|
added together to make DNs.
|
|||
|
|
|||
|
A name form specifies the following:
|
|||
|
|
|||
|
- the structural object class of the entries named by this name
|
|||
|
form
|
|||
|
- attributes that are required to be used in forming the RDNs of
|
|||
|
these entries
|
|||
|
- attributes that are allowed to be used in forming the RDNs of
|
|||
|
these entries
|
|||
|
- an object identifier to uniquely identify this name form
|
|||
|
|
|||
|
Note that name forms can only be specified for structural object
|
|||
|
classes. However, every entry in the DIT must have a name form
|
|||
|
controlling it.
|
|||
|
|
|||
|
Unfortunately, current LDAP servers vary quite a lot in their support
|
|||
|
of these features. There are also three crucial implementation
|
|||
|
points that must be followed. First, X.500 use of structure rules
|
|||
|
requires that a structural object class with no superior structure
|
|||
|
rule be a subschema administrative point. This is exactly NOT what
|
|||
|
we want for policy information. Second, when an auxiliary class is
|
|||
|
subclassed, if a content rule exists for the structural class that
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Strassner, et al. Standards Track [Page 9]
|
|||
|
|
|||
|
RFC 3703 Policy Core LDAP Schema February 2004
|
|||
|
|
|||
|
|
|||
|
the auxiliary class refers to, then that content rule needs to be
|
|||
|
augmented. Finally, most LDAP servers unfortunately do not support
|
|||
|
inheritance of structure and content rules.
|
|||
|
|
|||
|
Given these concerns, DIT structure and content rules have been
|
|||
|
removed from the PCLS. This is because, if included, they would be
|
|||
|
normative references and would require OIDs. However, we don't want
|
|||
|
to lose the insight gained in building the structure and content
|
|||
|
rules of the previous version of the schema. Therefore, we describe
|
|||
|
where such rules could be used in this schema, what they would
|
|||
|
control, and what their effect would be.
|
|||
|
|
|||
|
4.3. Naming Attributes in the PCLS
|
|||
|
|
|||
|
Instances in a directory are identified by distinguished names (DNs),
|
|||
|
which provide the same type of hierarchical organization that a file
|
|||
|
system provides in a computer system. A distinguished name is a
|
|||
|
sequence of RDNs. An RDN provides a unique identifier for an
|
|||
|
instance within the context of its immediate superior, in the same
|
|||
|
way that a filename provides a unique identifier for a file within
|
|||
|
the context of the folder in which it resides.
|
|||
|
|
|||
|
To preserve maximum naming flexibility for policy administrators,
|
|||
|
three optional (i.e., "MAY") naming attributes have been defined.
|
|||
|
They are:
|
|||
|
|
|||
|
- Each of the structural classes defined in this schema has its
|
|||
|
own unique ("MAY") naming attribute. Since the naming
|
|||
|
attributes are different, a policy administrator can, by using
|
|||
|
these attributes, guarantee that there will be no name
|
|||
|
collisions between instances of different classes, even if the
|
|||
|
same value is assigned to the instances' respective naming
|
|||
|
attributes.
|
|||
|
|
|||
|
- The LDAP attribute cn (corresponding to X.500's commonName) is
|
|||
|
included as a MAY attribute in the abstract class pcimPolicy,
|
|||
|
and thus by inheritance in all of its subclasses. In X.500,
|
|||
|
commonName typically functions as an RDN attribute, for naming
|
|||
|
instances of many classes (e.g., X.500's person class).
|
|||
|
|
|||
|
- A special attribute is provided for implementations that expect
|
|||
|
to map between native CIM and LDAP representations of policy
|
|||
|
information. This attribute, called orderedCimKeys, is defined
|
|||
|
in the class dlm1ManagedElement [6]. The value of this
|
|||
|
attribute is derived algorithmically from values that are
|
|||
|
already present in a CIM policy instance. The normative
|
|||
|
reference for this algorithm is contained in [6]. See the
|
|||
|
appendix of this document for a description of the algorithm.
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Strassner, et al. Standards Track [Page 10]
|
|||
|
|
|||
|
RFC 3703 Policy Core LDAP Schema February 2004
|
|||
|
|
|||
|
|
|||
|
Since any of these naming attributes MAY be used for naming an
|
|||
|
instance of a PCLS class, implementations MUST be able to accommodate
|
|||
|
instances named in any of these ways.
|
|||
|
|
|||
|
Note that it is recommended that two or more of these attributes
|
|||
|
SHOULD NOT be used together to form a multi-part RDN, since support
|
|||
|
for multi-part RDNs is limited among existing directory
|
|||
|
implementations.
|
|||
|
|
|||
|
4.4. Rule-Specific and Reusable Conditions and Actions
|
|||
|
|
|||
|
The PCIM [1] distinguishes between two types of policy conditions and
|
|||
|
policy actions: those associated with a single policy rule, and
|
|||
|
those that are reusable, in the sense that they may be associated
|
|||
|
with more than one policy rule. While there is no inherent
|
|||
|
functional difference between a rule-specific condition or action and
|
|||
|
a reusable one, there is both a usage, as well as, an implementation
|
|||
|
difference between them.
|
|||
|
|
|||
|
Defining a condition or action as reusable vs. rule-specific reflects
|
|||
|
a conscious decision on the part of the administrator in defining how
|
|||
|
they are used. In addition, there are variations that reflect
|
|||
|
implementing rule-specific vs. reusable policy conditions and actions
|
|||
|
and how they are treated in a policy repository. The major
|
|||
|
implementation differences between a rule-specific and a reusable
|
|||
|
condition or action are delineated below:
|
|||
|
|
|||
|
1. It is natural for a rule-specific condition or action to be
|
|||
|
removed from the policy repository at the same time the rule is.
|
|||
|
It is just the opposite for reusable conditions and actions.
|
|||
|
This is because the condition or action is conceptually attached
|
|||
|
to the rule in the rule-specific case, whereas it is referenced
|
|||
|
(e.g., pointed at) in the reusable case. The persistence of a
|
|||
|
pcimRepository instance is independent of the persistence of a
|
|||
|
pcimRule instance.
|
|||
|
2. Access permissions for a rule-specific condition or action are
|
|||
|
usually identical to those for the rule itself. On the other
|
|||
|
hand, access permissions of reusable conditions and actions must
|
|||
|
be expressible without reference to a policy rule.
|
|||
|
3. Rule-specific conditions and actions require fewer accesses,
|
|||
|
because the conditions and actions are "attached" to the rule.
|
|||
|
In contrast, reusable conditions and actions require more
|
|||
|
accesses, because each condition or action that is reusable
|
|||
|
requires a separate access.
|
|||
|
4. Rule-specific conditions and actions are designed for use by a
|
|||
|
single rule. As the number of rules that use the same
|
|||
|
rule-specific condition increase, subtle problems are created
|
|||
|
(the most obvious being how to keep the rule-specific conditions
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Strassner, et al. Standards Track [Page 11]
|
|||
|
|
|||
|
RFC 3703 Policy Core LDAP Schema February 2004
|
|||
|
|
|||
|
|
|||
|
and actions updated to reflect the same value). Reusable
|
|||
|
conditions and actions lend themselves for use by multiple
|
|||
|
independent rules.
|
|||
|
5. Reusable conditions and actions offer an optimization when
|
|||
|
multiple rules are using the same condition or action. This is
|
|||
|
because the reusable condition or action only needs be updated
|
|||
|
once, and by virtue of DN reference, the policy rules will be
|
|||
|
automatically updated.
|
|||
|
|
|||
|
The preceding paragraph does not contain an exhaustive list of the
|
|||
|
ways in which reusable and rule-specific conditions should be treated
|
|||
|
differently. Its purpose is merely to justify making a semantic
|
|||
|
distinction between rule-specific and reusable, and then reflecting
|
|||
|
this distinction in the policy repository itself.
|
|||
|
|
|||
|
When the policy repository is realized in an LDAP-accessible
|
|||
|
directory, the distinction between rule-specific and reusable
|
|||
|
conditions and actions is realized via placement of auxiliary classes
|
|||
|
and via DIT containment. Figure 4 illustrates a policy rule Rule1
|
|||
|
with one rule-specific condition CA and one rule-specific action AB.
|
|||
|
|
|||
|
+-----+
|
|||
|
|Rule1|
|
|||
|
| |
|
|||
|
+-----|- -|-----+
|
|||
|
| +-----+ |
|
|||
|
| * * |
|
|||
|
| * * |
|
|||
|
| **** **** |
|
|||
|
| * * |
|
|||
|
v * * v
|
|||
|
+--------+ +--------+
|
|||
|
| CA+ca | | AB+ab |
|
|||
|
+--------+ +--------+
|
|||
|
|
|||
|
|
|||
|
+------------------------------+
|
|||
|
|LEGEND: |
|
|||
|
| ***** DIT containment |
|
|||
|
| + auxiliary attachment |
|
|||
|
| ----> DN reference |
|
|||
|
+------------------------------+
|
|||
|
|
|||
|
Figure 4 Rule-Specific Policy Conditions and Actions
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Strassner, et al. Standards Track [Page 12]
|
|||
|
|
|||
|
RFC 3703 Policy Core LDAP Schema February 2004
|
|||
|
|
|||
|
|
|||
|
Because the condition and action are specific to Rule1, the auxiliary
|
|||
|
classes ca and ab that represent them are attached, respectively, to
|
|||
|
the structural classes CA and AB. These structural classes represent
|
|||
|
not the condition ca and action ab themselves, but rather the
|
|||
|
associations between Rule1 and ca, and between Rule1 and ab.
|
|||
|
|
|||
|
As Figure 4 illustrates, Rule1 contains DN references to the
|
|||
|
structural classes CA and AB that appear below it in the DIT. At
|
|||
|
first glance it might appear that these DN references are
|
|||
|
unnecessary, since a subtree search below Rule1 would find all of the
|
|||
|
structural classes representing the associations between Rule1 and
|
|||
|
its conditions and actions. Relying only on a subtree search,
|
|||
|
though, runs the risk of missing conditions or actions that should
|
|||
|
have appeared in the subtree, but for some reason did not, or of
|
|||
|
finding conditions or actions that were inadvertently placed in the
|
|||
|
subtree, or that should have been removed from the subtree, but for
|
|||
|
some reason were not. Implementation experience has suggested that
|
|||
|
many (but not all) of these risks are eliminated.
|
|||
|
|
|||
|
However, it must be noted that this comes at a price. The use of DN
|
|||
|
references, as shown in Figure 4 above, thwarts inheritance of access
|
|||
|
control information as well as existence dependency information. It
|
|||
|
also is subject to referential integrity considerations. Therefore,
|
|||
|
it is being included as an option for the designer.
|
|||
|
|
|||
|
Figure 5 illustrates a second way of representing rule-specific
|
|||
|
conditions and actions in an LDAP-accessible directory: attachment of
|
|||
|
the auxiliary classes directly to the instance representing the
|
|||
|
policy rule. When all of the conditions and actions are attached to
|
|||
|
a policy rule in this way, the rule is termed a "simple" policy rule.
|
|||
|
When conditions and actions are not attached directly to a policy
|
|||
|
rule, the rule is termed a "complex" policy rule.
|
|||
|
|
|||
|
+-----------+
|
|||
|
|Rule1+ca+ab|
|
|||
|
| |
|
|||
|
+-----------+
|
|||
|
|
|||
|
+------------------------------+
|
|||
|
|LEGEND: |
|
|||
|
| + auxiliary attachment |
|
|||
|
+------------------------------+
|
|||
|
|
|||
|
Figure 5. A Simple Policy Rule
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Strassner, et al. Standards Track [Page 13]
|
|||
|
|
|||
|
RFC 3703 Policy Core LDAP Schema February 2004
|
|||
|
|
|||
|
|
|||
|
The simple/complex distinction for a policy rule is not all or
|
|||
|
nothing. A policy rule may have its conditions attached to itself
|
|||
|
and its actions attached to other entries, or it may have its actions
|
|||
|
attached to itself and its conditions attached to other entries.
|
|||
|
However, it SHALL NOT have either its conditions or its actions
|
|||
|
attached both to itself and to other entries, with one exception: a
|
|||
|
policy rule may reference its validity periods with the
|
|||
|
pcimRuleValidityPeriodList attribute, but have its other conditions
|
|||
|
attached to itself.
|
|||
|
|
|||
|
The tradeoffs between simple and complex policy rules are between the
|
|||
|
efficiency of simple rules and the flexibility and greater potential
|
|||
|
for reuse of complex rules. With a simple policy rule, the semantic
|
|||
|
options are limited:
|
|||
|
|
|||
|
- All conditions are ANDed together. This combination can be
|
|||
|
represented in two ways in the Disjunctive Normal Form (DNF)/
|
|||
|
Conjunctive Normal Form (CNF) (please see [1] for definitions of
|
|||
|
these terms) expressions characteristic of policy conditions: as
|
|||
|
a DNF expression with a single AND group, or as a CNF expression
|
|||
|
with multiple single-condition OR groups. The first of these is
|
|||
|
arbitrarily chosen as the representation for the ANDed conditions
|
|||
|
in a simple policy rule.
|
|||
|
|
|||
|
- If multiple actions are included, no order can be specified for
|
|||
|
them.
|
|||
|
|
|||
|
If a policy administrator needs to combine conditions in some other
|
|||
|
way, or if there is a set of actions that must be ordered, then the
|
|||
|
only option is to use a complex policy rule.
|
|||
|
|
|||
|
Finally, Figure 6 illustrates the same policy rule Rule1, but this
|
|||
|
time its condition and action are reusable. The association classes
|
|||
|
CA and AB are still present, and they are still DIT contained under
|
|||
|
Rule1. But rather than having the auxiliary classes ca and ab
|
|||
|
attached directly to the association classes CA and AB, each now
|
|||
|
contains DN references to other entries to which these auxiliary
|
|||
|
classes are attached. These other entries, CIA and AIB, are DIT
|
|||
|
contained under RepositoryX, which is an instance of the class
|
|||
|
pcimRepository. Because they are named under an instance of
|
|||
|
pcimRepository, ca and ab are clearly identified as reusable.
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Strassner, et al. Standards Track [Page 14]
|
|||
|
|
|||
|
RFC 3703 Policy Core LDAP Schema February 2004
|
|||
|
|
|||
|
|
|||
|
+-----+ +-------------+
|
|||
|
|Rule1| | RepositoryX |
|
|||
|
+-|- -|--+ | |
|
|||
|
| +-----+ | +-------------+
|
|||
|
| * * | * *
|
|||
|
| * * | * *
|
|||
|
| *** **** | * *
|
|||
|
| * * v * *
|
|||
|
| * +---+ * *
|
|||
|
| * |AB | +------+ *
|
|||
|
v * | -|-------->|AIB+ab| *
|
|||
|
+---+ +---+ +------+ *
|
|||
|
|CA | +------+
|
|||
|
| -|------------------------>|CIA+ca|
|
|||
|
+---+ +------+
|
|||
|
|
|||
|
+------------------------------+
|
|||
|
|LEGEND: |
|
|||
|
| ***** DIT containment |
|
|||
|
| + auxiliary attachment |
|
|||
|
| ----> DN reference |
|
|||
|
+------------------------------+
|
|||
|
|
|||
|
Figure 6. Reusable Policy Conditions and Actions
|
|||
|
|
|||
|
The classes pcimConditionAuxClass and pcimActionAuxClass do not
|
|||
|
themselves represent actual conditions and actions: these are
|
|||
|
introduced in their subclasses. What pcimConditionAuxClass and
|
|||
|
pcimActionAuxClass do introduce are the semantics of being a policy
|
|||
|
condition or a policy action. These are the semantics that all the
|
|||
|
subclasses of pcimConditionAuxClass and pcimActionAuxClass inherit.
|
|||
|
Among these semantics are those of representing either a
|
|||
|
rule-specific or a reusable policy condition or policy action.
|
|||
|
|
|||
|
In order to preserve the ability to represent a rule-specific or a
|
|||
|
reusable condition or action, as well as a simple policy rule, all
|
|||
|
the subclasses of pcimConditionAuxClass and pcimActionAuxClass MUST
|
|||
|
also be auxiliary classes.
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Strassner, et al. Standards Track [Page 15]
|
|||
|
|
|||
|
RFC 3703 Policy Core LDAP Schema February 2004
|
|||
|
|
|||
|
|
|||
|
4.5. Location and Retrieval of Policy Objects in the Directory
|
|||
|
|
|||
|
When a Policy Decision Point (PDP) goes to an LDAP directory to
|
|||
|
retrieve the policy object instances relevant to the Policy
|
|||
|
Enforcement Points (PEPs) it serves, it is faced with two related
|
|||
|
problems:
|
|||
|
|
|||
|
- How does it locate and retrieve the directory entries that apply
|
|||
|
to its PEPs? These entries may include instances of the PCLS
|
|||
|
classes, instances of domain-specific subclasses of these
|
|||
|
classes, and instances of other classes modeling such resources
|
|||
|
as user groups, interfaces, and address ranges.
|
|||
|
|
|||
|
- How does it retrieve the directory entries it needs in an
|
|||
|
efficient manner, so that retrieval of policy information from
|
|||
|
the directory does not become a roadblock to scalability? There
|
|||
|
are two facets to this efficiency: retrieving only the relevant
|
|||
|
directory entries, and retrieving these entries using as few LDAP
|
|||
|
calls as possible.
|
|||
|
|
|||
|
The placement of objects in the Directory Information Tree (DIT)
|
|||
|
involves considerations other than how the policy-related objects
|
|||
|
will be retrieved by a PDP. Consequently, all that the PCLS can do
|
|||
|
is to provide a "toolkit" of classes to assist the policy
|
|||
|
administrator as the DIT is being designed and built. A PDP SHOULD
|
|||
|
be able to take advantage of any tools that the policy administrator
|
|||
|
is able to build into the DIT, but it MUST be able to use a less
|
|||
|
efficient means of retrieval if that is all it has available to it.
|
|||
|
|
|||
|
The basic idea behind the LDAP optimization classes is a simple one:
|
|||
|
make it possible for a PDP to retrieve all the policy-related objects
|
|||
|
it needs, and only those objects, using as few LDAP calls as
|
|||
|
possible. An important assumption underlying this approach is that
|
|||
|
the policy administrator has sufficient control over the underlying
|
|||
|
DIT structure to define subtrees for storing policy information. If
|
|||
|
the policy administrator does not have this level of control over DIT
|
|||
|
structure, a PDP can still retrieve the policy-related objects it
|
|||
|
needs individually. But it will require more LDAP access operations
|
|||
|
to do the retrieval in this way. Figure 7 illustrates how LDAP
|
|||
|
optimization is accomplished.
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Strassner, et al. Standards Track [Page 16]
|
|||
|
|
|||
|
RFC 3703 Policy Core LDAP Schema February 2004
|
|||
|
|
|||
|
|
|||
|
+-----+
|
|||
|
---------------->| A |
|
|||
|
DN reference to | | DN references to subtrees +---+
|
|||
|
starting object +-----+ +-------------------------->| C |
|
|||
|
| o--+----+ +---+ +---+
|
|||
|
| o--+------------->| B | / \
|
|||
|
+-----+ +---+ / \
|
|||
|
/ \ / \ / ... \
|
|||
|
/ \ / \
|
|||
|
/ \ / ... \
|
|||
|
|
|||
|
Figure 7. Using the pcimSubtreesPtrAuxClass to Locate Policies
|
|||
|
|
|||
|
The PDP is configured initially with a DN reference to some entry in
|
|||
|
the DIT. The structural class of this entry is not important; the
|
|||
|
PDP is interested only in the pcimSubtreesPtrAuxClass attached to it.
|
|||
|
This auxiliary class contains a multi-valued attribute with DN
|
|||
|
references to objects that anchor subtrees containing policy-related
|
|||
|
objects of interest to the PDP. Since pcimSubtreesPtrAuxClass is an
|
|||
|
auxiliary class, it can be attached to an entry that the PDP would
|
|||
|
need to access anyway - perhaps an entry containing initial
|
|||
|
configuration settings for the PDP, or for a PEP that uses the PDP.
|
|||
|
|
|||
|
Once it has retrieved the DN references, the PDP will direct to each
|
|||
|
of the objects identified by them an LDAP request that all entries in
|
|||
|
its subtree be evaluated against the selection criteria specified in
|
|||
|
the request. The LDAP-enabled directory then returns all entries in
|
|||
|
that subtree that satisfy the specified criteria.
|
|||
|
|
|||
|
The selection criteria always specify that object class="pcimPolicy".
|
|||
|
Since all classes representing policy rules, policy conditions, and
|
|||
|
policy actions, both in the PCLS and in any domain-specific schema
|
|||
|
derived from it, are subclasses of the abstract class policy, this
|
|||
|
criterion evaluates to TRUE for all instances of these classes. To
|
|||
|
accommodate special cases where a PDP needs to retrieve objects that
|
|||
|
are not inherently policy-related (for example, an IP address range
|
|||
|
object referenced by a subclass of pcimActionAuxClass representing
|
|||
|
the DHCP action "assign from this address range"), the auxiliary
|
|||
|
class pcimElementAuxClass can be used to "tag" an entry, so that it
|
|||
|
will be found by the selection criterion "object class=pcimPolicy".
|
|||
|
|
|||
|
The approach described in the preceding paragraph will not work for
|
|||
|
certain directory implementations, because these implementations do
|
|||
|
not support matching of auxiliary classes in the objectClass
|
|||
|
attribute. For environments where these implementations are expected
|
|||
|
to be present, the "tagging" of entries as relevant to policy can be
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Strassner, et al. Standards Track [Page 17]
|
|||
|
|
|||
|
RFC 3703 Policy Core LDAP Schema February 2004
|
|||
|
|
|||
|
|
|||
|
accomplished by inserting the special value "POLICY" into the list of
|
|||
|
values contained in the pcimKeywords attribute (provided by the
|
|||
|
pcimPolicy class).
|
|||
|
|
|||
|
If a PDP needs only a subset of the policy-related objects in the
|
|||
|
indicated subtrees, then it can be configured with additional
|
|||
|
selection criteria based on the pcimKeywords attribute defined in the
|
|||
|
pcimPolicy class. This attribute supports both standardized and
|
|||
|
administrator- defined values. For example, a PDP could be
|
|||
|
configured to request only those policy-related objects containing
|
|||
|
the keywords "DHCP" and "Eastern US".
|
|||
|
|
|||
|
To optimize what is expected to be a typical case, the initial
|
|||
|
request from the client includes not only the object to which its
|
|||
|
"seed" DN references, but also the subtree contained under this
|
|||
|
object. The filter for searching this subtree is whatever the client
|
|||
|
is going to use later to search the other subtrees: object
|
|||
|
class="pcimPolicy" or the presence of the keyword "POLICY", and/or
|
|||
|
presence of a more specific value of pcimKeywords (e.g., "QoS Edge
|
|||
|
Policy").
|
|||
|
|
|||
|
Returning to the example in Figure 7, we see that in the best case, a
|
|||
|
PDP can get all the policy-related objects it needs, and only those
|
|||
|
objects, with exactly three LDAP requests: one to its starting
|
|||
|
object A to get the references to B and C, as well as the
|
|||
|
policy-related objects it needs from the subtree under A, and then
|
|||
|
one each to B and C to get all the policy-related objects that pass
|
|||
|
the selection criteria with which it was configured. Once it has
|
|||
|
retrieved all of these objects, the PDP can then traverse their
|
|||
|
various DN references locally to understand the semantic
|
|||
|
relationships among them. The PDP should also be prepared to find a
|
|||
|
reference to another subtree attached to any of the objects it
|
|||
|
retrieves, and to follow this reference first, before it follows any
|
|||
|
of the semantically significant references it has received. This
|
|||
|
recursion permits a structured approach to identifying related
|
|||
|
policies. In Figure 7, for example, if the subtree under B includes
|
|||
|
departmental policies and the one under C includes divisional
|
|||
|
policies, then there might be a reference from the subtree under C to
|
|||
|
an object D that roots the subtree of corporate-level policies.
|
|||
|
|
|||
|
A PDP SHOULD understand the pcimSubtreesPtrAuxClass class, SHOULD be
|
|||
|
capable of retrieving and processing the entries in the subtrees it
|
|||
|
references, and SHOULD be capable of doing all of this recursively.
|
|||
|
The same requirements apply to any other entity needing to retrieve
|
|||
|
policy information from the directory. Thus, a Policy Management
|
|||
|
Tool that retrieves policy entries from the directory in order to
|
|||
|
perform validation and conflict detection SHOULD also understand and
|
|||
|
be capable of using the pcimSubtreesPtrAuxClass. All of these
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Strassner, et al. Standards Track [Page 18]
|
|||
|
|
|||
|
RFC 3703 Policy Core LDAP Schema February 2004
|
|||
|
|
|||
|
|
|||
|
requirements are "SHOULD"s rather than "MUST"s because an LDAP client
|
|||
|
that doesn't implement them can still access and retrieve the
|
|||
|
directory entries it needs. The process of doing so will just be
|
|||
|
less efficient than it would have been if the client had implemented
|
|||
|
these optimizations.
|
|||
|
|
|||
|
When it is serving as a tool for creating policy entries in the
|
|||
|
directory, a Policy Management Tool SHOULD support creation of
|
|||
|
pcimSubtreesPtrAuxClass entries and their references to object
|
|||
|
instances.
|
|||
|
|
|||
|
4.5.1. Aliases and Other DIT-Optimization Techniques
|
|||
|
|
|||
|
Additional flexibility in DIT structure is available to the policy
|
|||
|
administrator via LDAP aliasing and other techniques. Previous
|
|||
|
versions of this document have used aliases. However, because
|
|||
|
aliases are experimental, the use of aliases has been removed from
|
|||
|
this version of this document. This is because the IETF has yet to
|
|||
|
produce a specification on how aliases are represented in the
|
|||
|
directory or how server implementations are to process aliases.
|
|||
|
|
|||
|
5. Class Definitions
|
|||
|
|
|||
|
The semantics for the policy information classes that are to be
|
|||
|
mapped directly from the information model to an LDAP representation
|
|||
|
are detailed in [1]. Consequently, all that this document presents
|
|||
|
for these classes is the specification for how to do the mapping from
|
|||
|
the information model (which is independent of repository type and
|
|||
|
access protocol) to a form that can be accessed using LDAP. Remember
|
|||
|
that some new classes needed to be created (that were not part of
|
|||
|
[1]) to implement the LDAP mapping. These new LDAP-only classes are
|
|||
|
fully documented in this document.
|
|||
|
|
|||
|
The formal language for specifying the classes, attributes, and DIT
|
|||
|
structure and content rules is that defined in reference [3]. If
|
|||
|
your implementation does not support auxiliary class inheritance, you
|
|||
|
will have to list auxiliary classes in content rules explicitly or
|
|||
|
define them in another (implementation-specific) way.
|
|||
|
|
|||
|
The following notes apply to this section in its entirety.
|
|||
|
|
|||
|
Note 1: in the following definitions, the class and attribute
|
|||
|
definitions follow RFC 2252 [3] but they are line-wrapped to enhance
|
|||
|
human readability.
|
|||
|
|
|||
|
Note 2: where applicable, the possibilities for specifying DIT
|
|||
|
structure and content rules are noted. However, care must be taken
|
|||
|
in specifying DIT structure rules. This is because X.501 [4] states
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Strassner, et al. Standards Track [Page 19]
|
|||
|
|
|||
|
RFC 3703 Policy Core LDAP Schema February 2004
|
|||
|
|
|||
|
|
|||
|
that an entry may only exist in the DIT as a subordinate to another
|
|||
|
superior entry (the superior) if a DIT structure rule exists in the
|
|||
|
governing subschema which:
|
|||
|
|
|||
|
1) indicates a name form for the structural object class of the
|
|||
|
subordinate entry, and
|
|||
|
2) either includes the entry's superior structure rule as a possible
|
|||
|
superior structure rule, or
|
|||
|
3) does not specify a superior structure rule.
|
|||
|
|
|||
|
If this last case (3) applies, then the entry is defined to be a
|
|||
|
subschema administrative point. This is not what is desired.
|
|||
|
Therefore, care must be taken in defining structure rules, and in
|
|||
|
particular, they must be locally augmented.
|
|||
|
|
|||
|
Note 3: Wherever possible, both an equality and a substring matching
|
|||
|
rule are defined for a particular attribute (as well as an ordering
|
|||
|
match rule to enable sorting of matching results). This provides two
|
|||
|
different choices for the developer for maximum flexibility.
|
|||
|
|
|||
|
For example, consider the pcimRoles attribute (section 5.3). Suppose
|
|||
|
that a PEP has reported that it is interested in pcimRules for three
|
|||
|
roles R1, R2, and R3. If the goal is to minimize queries, then the
|
|||
|
PDP can supply three substring filters containing the three role
|
|||
|
names.
|
|||
|
|
|||
|
These queries will return all of the pcimRules that apply to the PEP,
|
|||
|
but they may also get some that do not apply (e.g., ones that contain
|
|||
|
one of the roles R1, R2, or R3 and one or more other roles present in
|
|||
|
a role-combination [1]).
|
|||
|
|
|||
|
Another strategy would be for the PDP to use only equality filters.
|
|||
|
This approach eliminates the extraneous replies, but it requires the
|
|||
|
PDP to explicitly build the desired role-combinations itself. It
|
|||
|
also requires extra queries. Note that this approach is practical
|
|||
|
only because the role names in a role combination are required to
|
|||
|
appear in alphabetical order.
|
|||
|
|
|||
|
Note 4: in the following definitions, note that all LDAP matching
|
|||
|
rules are defined in [3] and in [9]. The corresponding X.500
|
|||
|
matching rules are defined in [8].
|
|||
|
|
|||
|
Note 5: some of the following attribute definitions specify
|
|||
|
additional constraints on various data types (e.g., this integer has
|
|||
|
values that are valid from 1..10). Text has been added to instruct
|
|||
|
servers and applications what to do if a value outside of this range
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Strassner, et al. Standards Track [Page 20]
|
|||
|
|
|||
|
RFC 3703 Policy Core LDAP Schema February 2004
|
|||
|
|
|||
|
|
|||
|
is encountered. In all cases, if a constraint is violated, then the
|
|||
|
policy rule SHOULD be treated as being disabled, meaning that
|
|||
|
execution of the policy rule SHOULD be stopped.
|
|||
|
|
|||
|
5.1. The Abstract Class pcimPolicy
|
|||
|
|
|||
|
The abstract class pcimPolicy is a direct mapping of the abstract
|
|||
|
class Policy from the PCIM. The class value "pcimPolicy" is also
|
|||
|
used as the mechanism for identifying policy-related instances in the
|
|||
|
Directory Information Tree. An instance of any class may be "tagged"
|
|||
|
with this class value by attaching to it the auxiliary class
|
|||
|
pcimElementAuxClass. Since pcimPolicy is derived from the class
|
|||
|
dlm1ManagedElement defined in reference [6], this specification has a
|
|||
|
normative dependency on that element of reference [6].
|
|||
|
|
|||
|
The class definition is as follows:
|
|||
|
|
|||
|
( 1.3.6.1.1.6.1.1 NAME 'pcimPolicy'
|
|||
|
DESC 'An abstract class that is the base class for all classes
|
|||
|
that describe policy-related instances.'
|
|||
|
SUP dlm1ManagedElement
|
|||
|
ABSTRACT
|
|||
|
MAY ( cn $ dlmCaption $ dlmDescription $ orderedCimKeys $
|
|||
|
pcimKeywords )
|
|||
|
)
|
|||
|
|
|||
|
The attribute cn is defined in RFC 2256 [7]. The dlmCaption,
|
|||
|
dlmDescription, and orderedCimKeys attributes are defined in [6].
|
|||
|
|
|||
|
The pcimKeywords attribute is a multi-valued attribute that contains
|
|||
|
a set of keywords to assist directory clients in locating the policy
|
|||
|
objects identified by these keywords. It is defined as follows:
|
|||
|
|
|||
|
( 1.3.6.1.1.6.2.3 NAME 'pcimKeywords'
|
|||
|
DESC 'A set of keywords to assist directory clients in
|
|||
|
locating the policy objects applicable to them.'
|
|||
|
EQUALITY caseIgnoreMatch
|
|||
|
ORDERING caseIgnoreOrderingMatch
|
|||
|
SUBSTR caseIgnoreSubstringsMatch
|
|||
|
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
|
|||
|
)
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Strassner, et al. Standards Track [Page 21]
|
|||
|
|
|||
|
RFC 3703 Policy Core LDAP Schema February 2004
|
|||
|
|
|||
|
|
|||
|
5.2. The Three Policy Group Classes
|
|||
|
|
|||
|
PCIM [1] defines the PolicyGroup class to serve as a generalized
|
|||
|
aggregation mechanism, enabling PolicyRules and/or PolicyGroups to be
|
|||
|
aggregated together. PCLS maps this class into three LDAP classes,
|
|||
|
called pcimGroup, pcimGroupAuxClass, and pcimGroupInstance. This is
|
|||
|
done in order to provide maximum flexibility for the DIT designer.
|
|||
|
|
|||
|
The class definitions for the three policy group classes are listed
|
|||
|
below. These class definitions do not include attributes to realize
|
|||
|
the PolicyRuleInPolicyGroup and PolicyGroupInPolicyGroup associations
|
|||
|
from the PCIM. This is because a pcimGroup object refers to
|
|||
|
instances of pcimGroup and pcimRule via, respectively, the attribute
|
|||
|
pcimGroupsAuxContainedSet in the pcimGroupContainmentAuxClass object
|
|||
|
class and the attribute pcimRulesAuxContainedSet in the
|
|||
|
pcimRuleContainmentAuxClass object class.
|
|||
|
|
|||
|
To maximize flexibility, the pcimGroup class is defined as abstract.
|
|||
|
The subclass pcimGroupAuxClass provides for auxiliary attachment to
|
|||
|
another entry, while the structural subclass pcimGroupInstance is
|
|||
|
available to represent a policy group as a standalone entry.
|
|||
|
|
|||
|
The class definitions are as follows. First, the definition of the
|
|||
|
abstract class pcimGroup:
|
|||
|
|
|||
|
( 1.3.6.1.1.6.1.2 NAME 'pcimGroup'
|
|||
|
DESC 'A container for a set of related pcimRules and/or
|
|||
|
a set of related pcimGroups.'
|
|||
|
SUP pcimPolicy
|
|||
|
ABSTRACT
|
|||
|
MAY ( pcimGroupName )
|
|||
|
)
|
|||
|
|
|||
|
The one attribute of pcimGroup is pcimGroupName. This attribute is
|
|||
|
used to define a user-friendly name of this policy group, and may be
|
|||
|
used as a naming attribute if desired. It is defined as follows:
|
|||
|
|
|||
|
( 1.3.6.1.1.6.2.4 NAME 'pcimGroupName'
|
|||
|
DESC 'The user-friendly name of this policy group.'
|
|||
|
EQUALITY caseIgnoreMatch
|
|||
|
ORDERING caseIgnoreOrderingMatch
|
|||
|
SUBSTR caseIgnoreSubstringsMatch
|
|||
|
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
|
|||
|
SINGLE-VALUE
|
|||
|
)
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Strassner, et al. Standards Track [Page 22]
|
|||
|
|
|||
|
RFC 3703 Policy Core LDAP Schema February 2004
|
|||
|
|
|||
|
|
|||
|
The two subclasses of pcimGroup are defined as follows. The class
|
|||
|
pcimGroupAuxClass is an auxiliary class that can be used to collect a
|
|||
|
set of related pcimRule and/or pcimGroup classes. It is defined as
|
|||
|
follows:
|
|||
|
|
|||
|
( 1.3.6.1.1.6.1.3 NAME 'pcimGroupAuxClass'
|
|||
|
DESC 'An auxiliary class that collects a set of related
|
|||
|
pcimRule and/or pcimGroup entries.'
|
|||
|
SUP pcimGroup
|
|||
|
AUXILIARY
|
|||
|
)
|
|||
|
|
|||
|
The class pcimGroupInstance is a structural class that can be used to
|
|||
|
collect a set of related pcimRule and/or pcimGroup classes. It is
|
|||
|
defined as follows:
|
|||
|
|
|||
|
( 1.3.6.1.1.6.1.4 NAME 'pcimGroupInstance'
|
|||
|
DESC 'A structural class that collects a set of related
|
|||
|
pcimRule and/or pcimGroup entries.'
|
|||
|
SUP pcimGroup
|
|||
|
STRUCTURAL
|
|||
|
)
|
|||
|
|
|||
|
A DIT content rule could be written to enable an instance of
|
|||
|
pcimGroupInstance to have attached to it either references to one or
|
|||
|
more policy groups (using pcimGroupContainmentAuxClass) or references
|
|||
|
to one or more policy rules (using pcimRuleContainmentAuxClass).
|
|||
|
This would be used to formalize the semantics of the PolicyGroup
|
|||
|
class [1]. Since these semantics do not include specifying any
|
|||
|
properties of the PolicyGroup class, the content rule would not need
|
|||
|
to specify any attributes.
|
|||
|
|
|||
|
Similarly, three separate DIT structure rules could be written, each
|
|||
|
of which would refer to a specific name form that identified one of
|
|||
|
the three possible naming attributes (i.e., pcimGroupName, cn, and
|
|||
|
orderedCIMKeys) for the pcimGroup object class. This structure rule
|
|||
|
SHOULD include a superiorStructureRule (see Note 2 at the beginning
|
|||
|
of section 5). The three name forms referenced by the three
|
|||
|
structure rules would each define one of the three naming attributes.
|
|||
|
|
|||
|
5.3. The Three Policy Rule Classes
|
|||
|
|
|||
|
The information model defines a PolicyRule class to represent the "If
|
|||
|
Condition then Action" semantics associated with processing policy
|
|||
|
information. For maximum flexibility, the PCLS maps this class into
|
|||
|
three LDAP classes.
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Strassner, et al. Standards Track [Page 23]
|
|||
|
|
|||
|
RFC 3703 Policy Core LDAP Schema February 2004
|
|||
|
|
|||
|
|
|||
|
To maximize flexibility, the pcimRule class is defined as abstract.
|
|||
|
The subclass pcimRuleAuxClass provides for auxiliary attachment to
|
|||
|
another entry, while the structural subclass pcimRuleInstance is
|
|||
|
available to represent a policy rule as a standalone entry.
|
|||
|
|
|||
|
The conditions and actions associated with a policy rule are modeled,
|
|||
|
respectively, with auxiliary subclasses of the auxiliary classes
|
|||
|
pcimConditionAuxClass and pcimActionAuxClass. Each of these
|
|||
|
auxiliary subclasses is attached to an instance of one of three
|
|||
|
structural classes. A subclass of pcimConditionAuxClass is attached
|
|||
|
to an instance of pcimRuleInstance, to an instance of
|
|||
|
pcimRuleConditionAssociation, or to an instance of
|
|||
|
pcimPolicyInstance. Similarly, a subclass of pcimActionAuxClass is
|
|||
|
attached to an instance of pcimRuleInstance, to an instance of
|
|||
|
pcimRuleActionAssociation, or to an instance of pcimPolicyInstance.
|
|||
|
|
|||
|
The pcimRuleValidityPeriodList attribute (defined below) realizes the
|
|||
|
PolicyRuleValidityPeriod association defined in the PCIM. Since this
|
|||
|
association has no additional properties besides those that tie the
|
|||
|
association to its associated objects, this association can be
|
|||
|
realized by simply using an attribute. Thus, the
|
|||
|
pcimRuleValidityPeriodList attribute is simply a multi-valued
|
|||
|
attribute that provides an unordered set of DN references to one or
|
|||
|
more instances of the pcimTPCAuxClass, indicating when the policy
|
|||
|
rule is scheduled to be active and when it is scheduled to be
|
|||
|
inactive. A policy rule is scheduled to be active if it is active
|
|||
|
according to AT LEAST ONE of the pcimTPCAuxClass instances referenced
|
|||
|
by this attribute.
|
|||
|
|
|||
|
The PolicyConditionInPolicyRule and PolicyActionInPolicyRule
|
|||
|
associations, however, do have additional attributes. The
|
|||
|
association PolicyActionInPolicyRule defines an integer attribute to
|
|||
|
sequence the actions, and the association PolicyConditionInPolicyRule
|
|||
|
has both an integer attribute to group the condition terms as well as
|
|||
|
a Boolean property to specify whether a condition is to be negated.
|
|||
|
|
|||
|
In the PCLS, these additional association attributes are represented
|
|||
|
as attributes of two classes introduced specifically to model these
|
|||
|
associations. These classes are the pcimRuleConditionAssociation
|
|||
|
class and the pcimRuleActionAssociation class, which are defined in
|
|||
|
Sections 5.4 and 5.5, respectively. Thus, they do not appear as
|
|||
|
attributes of the class pcimRule. Instead, the pcimRuleConditionList
|
|||
|
and pcimRuleActionList attributes can be used to reference these
|
|||
|
classes.
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Strassner, et al. Standards Track [Page 24]
|
|||
|
|
|||
|
RFC 3703 Policy Core LDAP Schema February 2004
|
|||
|
|
|||
|
|
|||
|
The class definitions for the three pcimRule classes are as follows.
|
|||
|
|
|||
|
The abstract class pcimRule is a base class for representing the "If
|
|||
|
Condition then Action" semantics associated with a policy rule. It
|
|||
|
is defined as follows:
|
|||
|
|
|||
|
( 1.3.6.1.1.6.1.5 NAME 'pcimRule'
|
|||
|
DESC 'The base class for representing the "If Condition
|
|||
|
then Action" semantics associated with a policy rule.'
|
|||
|
SUP pcimPolicy
|
|||
|
ABSTRACT
|
|||
|
MAY ( pcimRuleName $ pcimRuleEnabled $
|
|||
|
pcimRuleConditionListType $ pcimRuleConditionList $
|
|||
|
pcimRuleActionList $ pcimRuleValidityPeriodList $
|
|||
|
pcimRuleUsage $ pcimRulePriority $
|
|||
|
pcimRuleMandatory $ pcimRuleSequencedActions $
|
|||
|
pcimRoles )
|
|||
|
)
|
|||
|
|
|||
|
The PCIM [1] defines seven properties for the PolicyRule class. The
|
|||
|
PCLS defines eleven attributes for the pcimRule class, which is the
|
|||
|
LDAP equivalent of the PolicyRule class. Of these eleven attributes,
|
|||
|
seven are mapped directly from corresponding properties in PCIM's
|
|||
|
PolicyRule class. The remaining four attributes are a class-specific
|
|||
|
optional naming attribute, and three attributes used to realize the
|
|||
|
three associations that the pcimRule class participates in.
|
|||
|
|
|||
|
The pcimRuleName attribute is used as a user-friendly name of this
|
|||
|
policy rule, and can also serve as the class-specific optional naming
|
|||
|
attribute. It is defined as follows:
|
|||
|
|
|||
|
( 1.3.6.1.1.6.2.5 NAME 'pcimRuleName'
|
|||
|
DESC 'The user-friendly name of this policy rule.'
|
|||
|
EQUALITY caseIgnoreMatch
|
|||
|
ORDERING caseIgnoreOrderingMatch
|
|||
|
SUBSTR caseIgnoreSubstringsMatch
|
|||
|
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
|
|||
|
SINGLE-VALUE
|
|||
|
)
|
|||
|
|
|||
|
The pcimRuleEnabled attribute is an integer enumeration indicating
|
|||
|
whether a policy rule is administratively enabled (value=1),
|
|||
|
administratively disabled (value=2), or enabled for debug (value=3).
|
|||
|
It is defined as follows:
|
|||
|
|
|||
|
( 1.3.6.1.1.6.2.6 NAME 'pcimRuleEnabled'
|
|||
|
DESC 'An integer indicating whether a policy rule is
|
|||
|
administratively enabled (value=1), disabled
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Strassner, et al. Standards Track [Page 25]
|
|||
|
|
|||
|
RFC 3703 Policy Core LDAP Schema February 2004
|
|||
|
|
|||
|
|
|||
|
(value=2), or enabled for debug (value=3).'
|
|||
|
EQUALITY integerMatch
|
|||
|
ORDERING integerOrderingMatch
|
|||
|
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
|
|||
|
SINGLE-VALUE
|
|||
|
)
|
|||
|
|
|||
|
Note: All other values for the pcimRuleEnabled attribute are
|
|||
|
considered errors, and the administrator SHOULD treat this rule as
|
|||
|
being disabled if an invalid value is found.
|
|||
|
|
|||
|
The pcimRuleConditionListType attribute is used to indicate whether
|
|||
|
the list of policy conditions associated with this policy rule is in
|
|||
|
disjunctive normal form (DNF, value=1) or conjunctive normal form
|
|||
|
(CNF, value=2). It is defined as follows:
|
|||
|
|
|||
|
( 1.3.6.1.1.6.2.7 NAME 'pcimRuleConditionListType'
|
|||
|
DESC 'A value of 1 means that this policy rule is in
|
|||
|
disjunctive normal form; a value of 2 means that this
|
|||
|
policy rule is in conjunctive normal form.'
|
|||
|
EQUALITY integerMatch
|
|||
|
ORDERING integerOrderingMatch
|
|||
|
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
|
|||
|
SINGLE-VALUE
|
|||
|
)
|
|||
|
|
|||
|
Note: any value other than 1 or 2 for the pcimRuleConditionListType
|
|||
|
attribute is considered an error. Administrators SHOULD treat this
|
|||
|
rule as being disabled if an invalid value is found, since it is
|
|||
|
unclear how to structure the condition list.
|
|||
|
|
|||
|
The pcimRuleConditionList attribute is a multi-valued attribute that
|
|||
|
is used to realize the policyRuleInPolicyCondition association
|
|||
|
defined in [1]. It contains a set of DNs of
|
|||
|
pcimRuleConditionAssociation entries representing associations
|
|||
|
between this policy rule and its conditions. No order is implied.
|
|||
|
It is defined as follows:
|
|||
|
|
|||
|
( 1.3.6.1.1.6.2.8 NAME 'pcimRuleConditionList'
|
|||
|
DESC 'Unordered set of DNs of pcimRuleConditionAssociation
|
|||
|
entries representing associations between this policy
|
|||
|
rule and its conditions.'
|
|||
|
EQUALITY distinguishedNameMatch
|
|||
|
SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
|
|||
|
)
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Strassner, et al. Standards Track [Page 26]
|
|||
|
|
|||
|
RFC 3703 Policy Core LDAP Schema February 2004
|
|||
|
|
|||
|
|
|||
|
The pcimRuleActionList attribute is a multi-valued attribute that is
|
|||
|
used to realize the policyRuleInPolicyAction association defined in
|
|||
|
[1]. It contains a set of DNs of pcimRuleActionAssociation entries
|
|||
|
representing associations between this policy rule and its actions.
|
|||
|
No order is implied. It is defined as follows:
|
|||
|
|
|||
|
( 1.3.6.1.1.6.2.9 NAME 'pcimRuleActionList'
|
|||
|
DESC 'Unordered set of DNs of pcimRuleActionAssociation
|
|||
|
entries representing associations between this policy
|
|||
|
rule and its actions.'
|
|||
|
EQUALITY distinguishedNameMatch
|
|||
|
SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
|
|||
|
)
|
|||
|
|
|||
|
The pcimRuleValidityPeriodList attribute is a multi-valued attribute
|
|||
|
that is used to realize the pcimRuleValidityPeriod association that
|
|||
|
is defined in [1]. It contains a set of DNs of
|
|||
|
pcimRuleValidityAssociation entries that determine when the pcimRule
|
|||
|
is scheduled to be active or inactive. No order is implied. It is
|
|||
|
defined as follows:
|
|||
|
|
|||
|
( 1.3.6.1.1.6.2.10 NAME 'pcimRuleValidityPeriodList'
|
|||
|
DESC 'Unordered set of DNs of pcimRuleValidityAssociation
|
|||
|
entries that determine when the pcimRule is scheduled
|
|||
|
to be active or inactive.'
|
|||
|
EQUALITY distinguishedNameMatch
|
|||
|
SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
|
|||
|
)
|
|||
|
|
|||
|
The pcimRuleUsage attribute is a free-form string providing
|
|||
|
guidelines on how this policy should be used. It is defined as
|
|||
|
follows:
|
|||
|
|
|||
|
( 1.3.6.1.1.6.2.11 NAME 'pcimRuleUsage'
|
|||
|
DESC 'This attribute is a free-form sting providing
|
|||
|
guidelines on how this policy should be used.'
|
|||
|
EQUALITY caseIgnoreMatch
|
|||
|
ORDERING caseIgnoreOrderingMatch
|
|||
|
SUBSTR caseIgnoreSubstringsMatch
|
|||
|
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
|
|||
|
SINGLE-VALUE
|
|||
|
)
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Strassner, et al. Standards Track [Page 27]
|
|||
|
|
|||
|
RFC 3703 Policy Core LDAP Schema February 2004
|
|||
|
|
|||
|
|
|||
|
The pcimRulePriority attribute is a non-negative integer that is used
|
|||
|
to prioritize this pcimRule relative to other pcimRules. A larger
|
|||
|
value indicates a higher priority. It is defined as follows:
|
|||
|
|
|||
|
( 1.3.6.1.1.6.2.12 NAME 'pcimRulePriority'
|
|||
|
DESC 'A non-negative integer for prioritizing this
|
|||
|
pcimRule relative to other pcimRules. A larger
|
|||
|
value indicates a higher priority.'
|
|||
|
EQUALITY integerMatch
|
|||
|
ORDERING integerOrderingMatch
|
|||
|
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
|
|||
|
SINGLE-VALUE
|
|||
|
)
|
|||
|
|
|||
|
Note: if the value of the pcimRulePriority field is 0, then it SHOULD
|
|||
|
be treated as "don't care". On the other hand, if the value is
|
|||
|
negative, then it SHOULD be treated as an error and Administrators
|
|||
|
SHOULD treat this rule as being disabled.
|
|||
|
|
|||
|
The pcimRuleMandatory attribute is a Boolean attribute that, if TRUE,
|
|||
|
indicates that for this policy rule, the evaluation of its conditions
|
|||
|
and execution of its actions (if the condition is satisfied) is
|
|||
|
required. If it is FALSE, then the evaluation of its conditions and
|
|||
|
execution of its actions (if the condition is satisfied) is not
|
|||
|
required. This attribute is defined as follows:
|
|||
|
|
|||
|
( 1.3.6.1.1.6.2.13 NAME 'pcimRuleMandatory'
|
|||
|
DESC 'If TRUE, indicates that for this policy rule, the
|
|||
|
evaluation of its conditions and execution of its
|
|||
|
actions (if the condition is satisfied) is required.'
|
|||
|
EQUALITY booleanMatch
|
|||
|
SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
|
|||
|
SINGLE-VALUE
|
|||
|
)
|
|||
|
|
|||
|
The pcimRuleSequencedActions attribute is an integer enumeration that
|
|||
|
is used to indicate that the ordering of actions defined by the
|
|||
|
pcimActionOrder attribute is either mandatory(value=1),
|
|||
|
recommended(value=2), or dontCare(value=3). It is defined as
|
|||
|
follows:
|
|||
|
|
|||
|
( 1.3.6.1.1.6.2.14 NAME 'pcimRuleSequencedActions'
|
|||
|
DESC 'An integer enumeration indicating that the ordering of
|
|||
|
actions defined by the pcimActionOrder attribute is
|
|||
|
mandatory(1), recommended(2), or dontCare(3).'
|
|||
|
EQUALITY integerMatch
|
|||
|
ORDERING integerOrderingMatch
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Strassner, et al. Standards Track [Page 28]
|
|||
|
|
|||
|
RFC 3703 Policy Core LDAP Schema February 2004
|
|||
|
|
|||
|
|
|||
|
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
|
|||
|
SINGLE-VALUE
|
|||
|
)
|
|||
|
|
|||
|
Note: if the value of pcimRulesSequencedActions field is not one of
|
|||
|
these three values, then Administrators SHOULD treat this rule as
|
|||
|
being disabled.
|
|||
|
|
|||
|
The pcimRoles attribute represents the policyRoles property of [1].
|
|||
|
Each value of this attribute represents a role-combination, which is
|
|||
|
a string of the form:
|
|||
|
<RoleName>[&&<RoleName>]* where the individual role names appear
|
|||
|
in alphabetical order according to the collating sequence for UCS-2.
|
|||
|
This attribute is defined as follows:
|
|||
|
|
|||
|
( 1.3.6.1.1.6.2.15 NAME 'pcimRoles'
|
|||
|
DESC 'Each value of this attribute represents a role-
|
|||
|
combination.'
|
|||
|
EQUALITY caseIgnoreMatch
|
|||
|
ORDERING caseIgnoreOrderingMatch
|
|||
|
SUBSTR caseIgnoreSubstringsMatch
|
|||
|
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
|
|||
|
)
|
|||
|
|
|||
|
Note: if the value of the pcimRoles attribute does not conform to the
|
|||
|
format "<RoleName>[&&<RoleName>]*" (see Section 6.3.7 of [1]), then
|
|||
|
this attribute is malformed and its policy rule SHOULD be treated as
|
|||
|
being disabled.
|
|||
|
|
|||
|
The two subclasses of the pcimRule class are defined as follows.
|
|||
|
First, the pcimRuleAuxClass is an auxiliary class for representing
|
|||
|
the "If Condition then Action" semantics associated with a policy
|
|||
|
rule. Its class definition is as follows:
|
|||
|
|
|||
|
( 1.3.6.1.1.6.1.6 NAME 'pcimRuleAuxClass'
|
|||
|
DESC 'An auxiliary class for representing the "If Condition
|
|||
|
then Action" semantics associated with a policy rule.'
|
|||
|
SUP pcimRule
|
|||
|
AUXILIARY
|
|||
|
)
|
|||
|
|
|||
|
The pcimRuleInstance is a structural class for representing the "If
|
|||
|
Condition then Action" semantics associated with a policy rule. Its
|
|||
|
class definition is as follows:
|
|||
|
|
|||
|
( 1.3.6.1.1.6.1.7 NAME 'pcimRuleInstance'
|
|||
|
DESC 'A structural class for representing the "If Condition
|
|||
|
then Action" semantics associated with a policy rule.'
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Strassner, et al. Standards Track [Page 29]
|
|||
|
|
|||
|
RFC 3703 Policy Core LDAP Schema February 2004
|
|||
|
|
|||
|
|
|||
|
SUP pcimRule
|
|||
|
STRUCTURAL
|
|||
|
)
|
|||
|
|
|||
|
A DIT content rule could be written to enable an instance of
|
|||
|
pcimRuleInstance to have attached to it either references to one or
|
|||
|
more policy conditions (using pcimConditionAuxClass) or references to
|
|||
|
one or more policy actions (using pcimActionAuxClass). This would be
|
|||
|
used to formalize the semantics of the PolicyRule class [1]. Since
|
|||
|
these semantics do not include specifying any properties of the
|
|||
|
PolicyRule class, the content rule would not need to specify any
|
|||
|
attributes.
|
|||
|
|
|||
|
Similarly, three separate DIT structure rules could be written, each
|
|||
|
of which would refer to a specific name form that identified one of
|
|||
|
its three possible naming attributes (i.e., pcimRuleName, cn, and
|
|||
|
orderedCIMKeys). This structure rule SHOULD include a
|
|||
|
superiorStructureRule (see Note 2 at the beginning of section 5).
|
|||
|
The three name forms referenced by the three structure rules would
|
|||
|
each define one of the three naming attributes.
|
|||
|
|
|||
|
5.4. The Class pcimRuleConditionAssociation
|
|||
|
|
|||
|
This class contains attributes to represent the properties of the
|
|||
|
PCIM's PolicyConditionInPolicyRule association. Instances of this
|
|||
|
class are related to an instance of pcimRule via DIT containment.
|
|||
|
The policy conditions themselves are represented by auxiliary
|
|||
|
subclasses of the auxiliary class pcimConditionAuxClass. These
|
|||
|
auxiliary classes are attached directly to instances of
|
|||
|
pcimRuleConditionAssociation for rule-specific policy conditions.
|
|||
|
For a reusable policy condition, the policyCondition auxiliary
|
|||
|
subclass is attached to an instance of the class pcimPolicyInstance
|
|||
|
(which is presumably associated with a pcimRepository by DIT
|
|||
|
containment), and the policyConditionDN attribute (of this class) is
|
|||
|
used to reference the reusable policyCondition instance.
|
|||
|
|
|||
|
The class definition is as follows:
|
|||
|
|
|||
|
( 1.3.6.1.1.6.1.8 NAME 'pcimRuleConditionAssociation'
|
|||
|
DESC 'This class contains attributes characterizing the
|
|||
|
relationship between a policy rule and one of its
|
|||
|
policy conditions.'
|
|||
|
SUP pcimPolicy
|
|||
|
MUST ( pcimConditionGroupNumber $ pcimConditionNegated )
|
|||
|
MAY ( pcimConditionName $ pcimConditionDN )
|
|||
|
)
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Strassner, et al. Standards Track [Page 30]
|
|||
|
|
|||
|
RFC 3703 Policy Core LDAP Schema February 2004
|
|||
|
|
|||
|
|
|||
|
The attributes of this class are defined as follows.
|
|||
|
|
|||
|
The pcimConditionGroupNumber attribute is a non-negative integer. It
|
|||
|
is used to identify the group to which the condition referenced by
|
|||
|
this association is assigned. This attribute is defined as follows:
|
|||
|
|
|||
|
( 1.3.6.1.1.6.2.16
|
|||
|
NAME 'pcimConditionGroupNumber'
|
|||
|
DESC 'The number of the group to which a policy condition
|
|||
|
belongs. This is used to form the DNF or CNF
|
|||
|
expression associated with a policy rule.'
|
|||
|
EQUALITY integerMatch
|
|||
|
ORDERING integerOrderingMatch
|
|||
|
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
|
|||
|
SINGLE-VALUE
|
|||
|
)
|
|||
|
|
|||
|
Note that this number is non-negative. A negative value for this
|
|||
|
attribute is invalid, and any policy rule that refers to an invalid
|
|||
|
entry SHOULD be treated as being disabled.
|
|||
|
|
|||
|
The pcimConditionNegated attribute is a Boolean attribute that
|
|||
|
indicates whether this policy condition is to be negated or not. If
|
|||
|
it is TRUE (FALSE), it indicates that a policy condition IS (IS NOT)
|
|||
|
negated in the DNF or CNF expression associated with a policy rule.
|
|||
|
This attribute is defined as follows:
|
|||
|
|
|||
|
( 1.3.6.1.1.6.2.17
|
|||
|
NAME 'pcimConditionNegated'
|
|||
|
DESC 'If TRUE (FALSE), it indicates that a policy condition
|
|||
|
IS (IS NOT) negated in the DNF or CNF expression
|
|||
|
associated with a policy rule.'
|
|||
|
EQUALITY booleanMatch
|
|||
|
SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
|
|||
|
SINGLE-VALUE
|
|||
|
)
|
|||
|
|
|||
|
The pcimConditionName is a user-friendly name for identifying this
|
|||
|
policy condition, and may be used as a naming attribute if desired.
|
|||
|
This attribute is defined as follows:
|
|||
|
|
|||
|
( 1.3.6.1.1.6.2.18
|
|||
|
NAME 'pcimConditionName'
|
|||
|
DESC 'A user-friendly name for a policy condition.'
|
|||
|
EQUALITY caseIgnoreMatch
|
|||
|
ORDERING caseIgnoreOrderingMatch
|
|||
|
SUBSTR caseIgnoreSubstringsMatch
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Strassner, et al. Standards Track [Page 31]
|
|||
|
|
|||
|
RFC 3703 Policy Core LDAP Schema February 2004
|
|||
|
|
|||
|
|
|||
|
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
|
|||
|
SINGLE-VALUE
|
|||
|
)
|
|||
|
|
|||
|
The pcimConditionDN attribute is a DN that references an instance of
|
|||
|
a reusable policy condition. This attribute is defined as follows:
|
|||
|
|
|||
|
( 1.3.6.1.1.6.2.19
|
|||
|
NAME 'pcimConditionDN'
|
|||
|
DESC 'A DN that references an instance of a reusable policy
|
|||
|
condition.'
|
|||
|
EQUALITY distinguishedNameMatch
|
|||
|
SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
|
|||
|
SINGLE-VALUE
|
|||
|
)
|
|||
|
|
|||
|
A DIT content rule could be written to enable an instance of
|
|||
|
pcimRuleConditionAssociation to have attached to it an instance of
|
|||
|
the auxiliary class pcimConditionAuxClass, or one of its subclasses.
|
|||
|
This would be used to formalize the semantics of the
|
|||
|
PolicyConditionInPolicyRule association. Specifically, this would be
|
|||
|
used to represent a rule-specific policy condition [1].
|
|||
|
Similarly, three separate DIT structure rules could be written. Each
|
|||
|
of these DIT structure rules would refer to a specific name form that
|
|||
|
defined two important semantics. First, each name form would
|
|||
|
identify one of the three possible naming attributes (i.e.,
|
|||
|
pcimConditionName, cn, and orderedCIMKeys) for the
|
|||
|
pcimRuleConditionAssociation object class. Second, each name form
|
|||
|
would require that an instance of the pcimRuleConditionAssociation
|
|||
|
class have as its superior an instance of the pcimRule class. This
|
|||
|
structure rule SHOULD also include a superiorStructureRule (see Note
|
|||
|
2 at the beginning of section 5).
|
|||
|
|
|||
|
5.5. The Class pcimRuleValidityAssociation
|
|||
|
|
|||
|
The policyRuleValidityPeriod aggregation is mapped to the PCLS
|
|||
|
pcimRuleValidityAssociation class. This class represents the
|
|||
|
scheduled activation and deactivation of a policy rule by binding the
|
|||
|
definition of times that the policy is active to the policy rule
|
|||
|
itself. The "scheduled" times are either identified through an
|
|||
|
attached auxiliary class pcimTPCAuxClass, or are referenced through
|
|||
|
its pcimTimePeriodConditionDN attribute.
|
|||
|
|
|||
|
This class is defined as follows:
|
|||
|
|
|||
|
( 1.3.6.1.1.6.1.9 NAME 'pcimRuleValidityAssociation'
|
|||
|
DESC 'This defines the scheduled activation or deactivation
|
|||
|
of a policy rule.'
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Strassner, et al. Standards Track [Page 32]
|
|||
|
|
|||
|
RFC 3703 Policy Core LDAP Schema February 2004
|
|||
|
|
|||
|
|
|||
|
SUP pcimPolicy
|
|||
|
STRUCTURAL
|
|||
|
MAY ( pcimValidityConditionName $ pcimTimePeriodConditionDN )
|
|||
|
)
|
|||
|
|
|||
|
The attributes of this class are defined as follows:
|
|||
|
|
|||
|
The pcimValidityConditionName attribute is used to define a
|
|||
|
user-friendly name of this condition, and may be used as a naming
|
|||
|
attribute if desired. This attribute is defined as follows:
|
|||
|
|
|||
|
( 1.3.6.1.1.6.2.20
|
|||
|
NAME 'pcimValidityConditionName'
|
|||
|
DESC 'A user-friendly name for identifying an instance of
|
|||
|
a pcimRuleValidityAssociation entry.'
|
|||
|
EQUALITY caseIgnoreMatch
|
|||
|
ORDERING caseIgnoreOrderingMatch
|
|||
|
SUBSTR caseIgnoreSubstringsMatch
|
|||
|
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
|
|||
|
SINGLE-VALUE
|
|||
|
)
|
|||
|
|
|||
|
The pcimTimePeriodConditionDN attribute is a DN that references a
|
|||
|
reusable time period condition. It is defined as follows:
|
|||
|
|
|||
|
( 1.3.6.1.1.6.2.21
|
|||
|
NAME 'pcimTimePeriodConditionDN'
|
|||
|
DESC 'A reference to a reusable policy time period
|
|||
|
condition.'
|
|||
|
EQUALITY distinguishedNameMatch
|
|||
|
SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
|
|||
|
SINGLE-VALUE
|
|||
|
)
|
|||
|
|
|||
|
A DIT content rule could be written to enable an instance of
|
|||
|
pcimRuleValidityAssociation to have attached to it an instance of the
|
|||
|
auxiliary class pcimTPCAuxClass, or one of its subclasses. This
|
|||
|
would be used to formalize the semantics of the
|
|||
|
PolicyRuleValidityPeriod aggregation [1].
|
|||
|
|
|||
|
Similarly, three separate DIT structure rules could be written. Each
|
|||
|
of these DIT structure rules would refer to a specific name form that
|
|||
|
defined two important semantics. First, each name form would
|
|||
|
identify one of the three possible naming attributes (i.e.,
|
|||
|
pcimValidityConditionName, cn, and orderedCIMKeys) for the
|
|||
|
pcimRuleValidityAssociation object class. Second, each name form
|
|||
|
would require that an instance of the pcimRuleValidityAssociation
|
|||
|
class have as its superior an instance of the pcimRule class. This
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Strassner, et al. Standards Track [Page 33]
|
|||
|
|
|||
|
RFC 3703 Policy Core LDAP Schema February 2004
|
|||
|
|
|||
|
|
|||
|
structure rule SHOULD also include a superiorStructureRule (see Note
|
|||
|
2 at the beginning of section 5).
|
|||
|
|
|||
|
5.6. The Class pcimRuleActionAssociation
|
|||
|
|
|||
|
This class contains an attribute to represent the one property of the
|
|||
|
PCIM PolicyActionInPolicyRule association, ActionOrder. This
|
|||
|
property is used to specify an order for executing the actions
|
|||
|
associated with a policy rule. Instances of this class are related
|
|||
|
to an instance of pcimRule via DIT containment. The actions
|
|||
|
themselves are represented by auxiliary subclasses of the auxiliary
|
|||
|
class pcimActionAuxClass.
|
|||
|
|
|||
|
These auxiliary classes are attached directly to instances of
|
|||
|
pcimRuleActionAssociation for rule-specific policy actions. For a
|
|||
|
reusable policy action, the pcimAction auxiliary subclass is attached
|
|||
|
to an instance of the class pcimPolicyInstance (which is presumably
|
|||
|
associated with a pcimRepository by DIT containment), and the
|
|||
|
pcimActionDN attribute (of this class) is used to reference the
|
|||
|
reusable pcimCondition instance.
|
|||
|
|
|||
|
The class definition is as follows:
|
|||
|
|
|||
|
( 1.3.6.1.1.6.1.10 NAME 'pcimRuleActionAssociation'
|
|||
|
DESC 'This class contains attributes characterizing the
|
|||
|
relationship between a policy rule and one of its
|
|||
|
policy actions.'
|
|||
|
SUP pcimPolicy
|
|||
|
MUST ( pcimActionOrder )
|
|||
|
MAY ( pcimActionName $ pcimActionDN )
|
|||
|
)
|
|||
|
|
|||
|
The pcimActionName attribute is used to define a user-friendly name
|
|||
|
of this action, and may be used as a naming attribute if desired.
|
|||
|
This attribute is defined as follows:
|
|||
|
|
|||
|
( 1.3.6.1.1.6.2.22
|
|||
|
NAME 'pcimActionName'
|
|||
|
DESC 'A user-friendly name for a policy action.'
|
|||
|
EQUALITY caseIgnoreMatch
|
|||
|
ORDERING caseIgnoreOrderingMatch
|
|||
|
SUBSTR caseIgnoreSubstringsMatch
|
|||
|
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
|
|||
|
SINGLE-VALUE
|
|||
|
)
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Strassner, et al. Standards Track [Page 34]
|
|||
|
|
|||
|
RFC 3703 Policy Core LDAP Schema February 2004
|
|||
|
|
|||
|
|
|||
|
The pcimActionOrder attribute is an unsigned integer that is used to
|
|||
|
indicate the relative position of an action in a sequence of actions
|
|||
|
that are associated with a given policy rule. When this number is
|
|||
|
positive, it indicates a place in the sequence of actions to be
|
|||
|
performed, with smaller values indicating earlier positions in the
|
|||
|
sequence. If the value is zero, then this indicates that the order
|
|||
|
is irrelevant. Note that if two or more actions have the same
|
|||
|
non-zero value, they may be performed in any order as long as they
|
|||
|
are each performed in the correct place in the overall sequence of
|
|||
|
actions. This attribute is defined as follows:
|
|||
|
|
|||
|
( 1.3.6.1.1.6.2.23
|
|||
|
NAME 'pcimActionOrder'
|
|||
|
DESC 'An integer indicating the relative order of an action
|
|||
|
in the context of a policy rule.'
|
|||
|
EQUALITY integerMatch
|
|||
|
ORDERING integerOrderingMatch
|
|||
|
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
|
|||
|
SINGLE-VALUE
|
|||
|
)
|
|||
|
|
|||
|
Note: if the value of the pcimActionOrder field is negative, then it
|
|||
|
SHOULD be treated as an error and any policy rule that refers to such
|
|||
|
an entry SHOULD be treated as being disabled.
|
|||
|
|
|||
|
The pcimActionDN attribute is a DN that references a reusable policy
|
|||
|
action. It is defined as follows:
|
|||
|
|
|||
|
( 1.3.6.1.1.6.2.24
|
|||
|
NAME 'pcimActionDN'
|
|||
|
DESC 'A DN that references a reusable policy action.'
|
|||
|
EQUALITY distinguishedNameMatch
|
|||
|
SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
|
|||
|
SINGLE-VALUE
|
|||
|
)
|
|||
|
|
|||
|
A DIT content rule could be written to enable an instance of
|
|||
|
pcimRuleActionAssociation to have attached to it an instance of the
|
|||
|
auxiliary class pcimActionAuxClass, or one of its subclasses. This
|
|||
|
would be used to formalize the semantics of the
|
|||
|
PolicyActionInPolicyRule association. Specifically, this would be
|
|||
|
used to represent a rule-specific policy action [1].
|
|||
|
|
|||
|
Similarly, three separate DIT structure rules could be written. Each
|
|||
|
of these DIT structure rules would refer to a specific name form that
|
|||
|
defined two important semantics. First, each name form would
|
|||
|
identify one of the three possible naming attributes (i.e.,
|
|||
|
pcimActionName, cn, and orderedCIMKeys) for the
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Strassner, et al. Standards Track [Page 35]
|
|||
|
|
|||
|
RFC 3703 Policy Core LDAP Schema February 2004
|
|||
|
|
|||
|
|
|||
|
pcimRuleActionAssociation object class. Second, each name form would
|
|||
|
require that an instance of the pcimRuleActionAssociation class have
|
|||
|
as its superior an instance of the pcimRule class. This structure
|
|||
|
rule should also include a superiorStructureRule (see Note 2 at the
|
|||
|
beginning of section 5).
|
|||
|
|
|||
|
5.7. The Auxiliary Class pcimConditionAuxClass
|
|||
|
|
|||
|
The purpose of a policy condition is to determine whether or not the
|
|||
|
set of actions (contained in the pcimRule that the condition applies
|
|||
|
to) should be executed or not. This class defines the basic
|
|||
|
organizational semantics of a policy condition, as specified in [1].
|
|||
|
Subclasses of this auxiliary class can be attached to instances of
|
|||
|
three other classes in the PCLS. When a subclass of this class is
|
|||
|
attached to an instance of pcimRuleConditionAssociation, or to an
|
|||
|
instance of pcimRule, it represents a rule-specific policy condition.
|
|||
|
When a subclass of this class is attached to an instance of
|
|||
|
pcimPolicyInstance, it represents a reusable policy condition.
|
|||
|
|
|||
|
Since all of the classes to which subclasses of this auxiliary class
|
|||
|
may be attached are derived from the pcimPolicy class, the attributes
|
|||
|
of pcimPolicy will already be defined for the entries to which these
|
|||
|
subclasses attach. Thus, this class is derived directly from "top".
|
|||
|
|
|||
|
The class definition is as follows:
|
|||
|
|
|||
|
( 1.3.6.1.1.6.1.11 NAME 'pcimConditionAuxClass'
|
|||
|
DESC 'A class representing a condition to be evaluated in
|
|||
|
conjunction with a policy rule.'
|
|||
|
SUP top
|
|||
|
AUXILIARY
|
|||
|
)
|
|||
|
|
|||
|
5.8. The Auxiliary Class pcimTPCAuxClass
|
|||
|
|
|||
|
The PCIM defines a time period class, PolicyTimePeriodCondition, to
|
|||
|
provide a means of representing the time periods during which a
|
|||
|
policy rule is valid, i.e., active. It also defines an aggregation,
|
|||
|
PolicyRuleValidityPeriod, so that time periods can be associated with
|
|||
|
a PolicyRule. The LDAP mapping also provides two classes, one for
|
|||
|
the time condition itself, and one for the aggregation.
|
|||
|
|
|||
|
In the PCIM, the time period class is named
|
|||
|
PolicyTimePeriodCondition. However, the resulting name of the
|
|||
|
auxiliary class in this mapping (pcimTimePeriodConditionAuxClass)
|
|||
|
exceeds the length of a name that some directories can store.
|
|||
|
Therefore, the name has been shortened to pcimTPCAuxClass.
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Strassner, et al. Standards Track [Page 36]
|
|||
|
|
|||
|
RFC 3703 Policy Core LDAP Schema February 2004
|
|||
|
|
|||
|
|
|||
|
The class definition is as follows:
|
|||
|
|
|||
|
( 1.3.6.1.1.6.1.12 NAME 'pcimTPCAuxClass'
|
|||
|
DESC 'This provides the capability of enabling or disabling
|
|||
|
a policy rule according to a predetermined schedule.'
|
|||
|
SUP pcimConditionAuxClass
|
|||
|
AUXILIARY
|
|||
|
MAY ( pcimTPCTime $ pcimTPCMonthOfYearMask $
|
|||
|
pcimTPCDayOfMonthMask $ pcimTPCDayOfWeekMask $
|
|||
|
pcimTPCTimeOfDayMask $ pcimTPCLocalOrUtcTime )
|
|||
|
)
|
|||
|
|
|||
|
The attributes of the pcimTPCAuxClass are defined as follows.
|
|||
|
|
|||
|
The pcimTPCTime attribute represents the time period that a policy
|
|||
|
rule is enabled for. This attribute is defined as a string in [1]
|
|||
|
with a special format which defines a time period with a starting
|
|||
|
date and an ending date separated by a forward slash ("/"), as
|
|||
|
follows:
|
|||
|
|
|||
|
yyyymmddThhmmss/yyyymmddThhmmss
|
|||
|
|
|||
|
where the first date and time may be replaced with the string
|
|||
|
"THISANDPRIOR" or the second date and time may be replaced with the
|
|||
|
string "THISANDFUTURE". This attribute is defined as follows:
|
|||
|
|
|||
|
( 1.3.6.1.1.6.2.25
|
|||
|
NAME 'pcimTPCTime'
|
|||
|
DESC 'The start and end times on which a policy rule is
|
|||
|
valid.'
|
|||
|
EQUALITY caseIgnoreMatch
|
|||
|
ORDERING caseIgnoreOrderingMatch
|
|||
|
SUBSTR caseIgnoreSubstringsMatch
|
|||
|
SYNTAX 1.3.6.1.4.1.1466.115.121.1.44
|
|||
|
SINGLE-VALUE
|
|||
|
)
|
|||
|
|
|||
|
The value of this attribute SHOULD be checked against its defined
|
|||
|
format ("yyyymmddThhmmss/yyyymmddThhmmss", where the first and second
|
|||
|
date strings may be replaced with the strings "THISANDPRIOR" and
|
|||
|
"THISANDFUTURE"). If the value of this attribute does not conform to
|
|||
|
this syntax, then this SHOULD be considered an error and the policy
|
|||
|
rule SHOULD be treated as being disabled.
|
|||
|
|
|||
|
The next four attributes (pcimTPCMonthOfYearMask,
|
|||
|
pcimTPCDayOfMonthMask, pcimTPCDayOfWeekMask, and
|
|||
|
pcimTPCTimeOfDayMask) are all defined as octet strings in [1].
|
|||
|
However, the semantics of each of these attributes are contained in
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Strassner, et al. Standards Track [Page 37]
|
|||
|
|
|||
|
RFC 3703 Policy Core LDAP Schema February 2004
|
|||
|
|
|||
|
|
|||
|
bit strings of various fixed lengths. Therefore, the PCLS uses a
|
|||
|
syntax of Bit String to represent each of them. The definition of
|
|||
|
these four attributes are as follows.
|
|||
|
|
|||
|
The pcimTPCMonthOfYearMask attribute defines a 12-bit mask
|
|||
|
identifying the months of the year in which a policy rule is valid.
|
|||
|
The format is a bit string of length 12, representing the months of
|
|||
|
the year from January through December. The definition of this
|
|||
|
attribute is as follows:
|
|||
|
|
|||
|
( 1.3.6.1.1.6.2.26
|
|||
|
NAME 'pcimTPCMonthOfYearMask'
|
|||
|
DESC 'This identifies the valid months of the year for a
|
|||
|
policy rule using a 12-bit string that represents the
|
|||
|
months of the year from January through December.'
|
|||
|
EQUALITY bitStringMatch
|
|||
|
SYNTAX 1.3.6.1.4.1.1466.115.121.1.6
|
|||
|
SINGLE-VALUE
|
|||
|
)
|
|||
|
|
|||
|
The value of this attribute SHOULD be checked against its defined
|
|||
|
format. If the value of this attribute does not conform to this
|
|||
|
syntax, then this SHOULD be considered an error and the policy rule
|
|||
|
SHOULD be treated as being disabled.
|
|||
|
|
|||
|
The pcimTPCMonthOfDayMask attribute defines a mask identifying the
|
|||
|
days of the month on which a policy rule is valid. The format is a
|
|||
|
bit string of length 62. The first 31 positions represent the days
|
|||
|
of the month in ascending order, from day 1 to day 31. The next 31
|
|||
|
positions represent the days of the month in descending order, from
|
|||
|
the last day to the day 31 days from the end. The definition of this
|
|||
|
attribute is as follows:
|
|||
|
|
|||
|
( 1.3.6.1.1.6.2.27
|
|||
|
NAME 'pcimTPCDayOfMonthMask'
|
|||
|
DESC 'This identifies the valid days of the month for a
|
|||
|
policy rule using a 62-bit string. The first 31
|
|||
|
positions represent the days of the month in ascending
|
|||
|
order, and the next 31 positions represent the days of
|
|||
|
the month in descending order.'
|
|||
|
EQUALITY bitStringMatch
|
|||
|
SYNTAX 1.3.6.1.4.1.1466.115.121.1.6
|
|||
|
SINGLE-VALUE
|
|||
|
)
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Strassner, et al. Standards Track [Page 38]
|
|||
|
|
|||
|
RFC 3703 Policy Core LDAP Schema February 2004
|
|||
|
|
|||
|
|
|||
|
The value of this attribute SHOULD be checked against its defined
|
|||
|
format. If the value of this attribute does not conform to this
|
|||
|
syntax, then this SHOULD be considered an error and the policy rule
|
|||
|
SHOULD be treated as being disabled.
|
|||
|
|
|||
|
The pcimTPCDayOfWeekMask attribute defines a mask identifying the
|
|||
|
days of the week on which a policy rule is valid. The format is a
|
|||
|
bit string of length 7, representing the days of the week from Sunday
|
|||
|
through Saturday. The definition of this attribute is as follows:
|
|||
|
|
|||
|
( 1.3.6.1.1.6.2.28
|
|||
|
NAME 'pcimTPCDayOfWeekMask'
|
|||
|
DESC 'This identifies the valid days of the week for a
|
|||
|
policy rule using a 7-bit string. This represents
|
|||
|
the days of the week from Sunday through Saturday.'
|
|||
|
EQUALITY bitStringMatch
|
|||
|
SYNTAX 1.3.6.1.4.1.1466.115.121.1.6
|
|||
|
SINGLE-VALUE
|
|||
|
)
|
|||
|
|
|||
|
The value of this attribute SHOULD be checked against its defined
|
|||
|
format. If the value of this attribute does not conform to this
|
|||
|
syntax, then this SHOULD be considered an error and the policy rule
|
|||
|
SHOULD be treated as being disabled.
|
|||
|
|
|||
|
The pcimTPCTimeOfDayMask attribute defines the range of times at
|
|||
|
which a policy rule is valid. If the second time is earlier than the
|
|||
|
first, then the interval spans midnight. The format of the string is
|
|||
|
Thhmmss/Thhmmss. The definition of this attribute is as follows:
|
|||
|
|
|||
|
( 1.3.6.1.1.6.2.29
|
|||
|
NAME 'pcimTPCTimeOfDayMask'
|
|||
|
DESC 'This identifies the valid range of times for a policy
|
|||
|
using the format Thhmmss/Thhmmss.'
|
|||
|
EQUALITY caseIgnoreMatch
|
|||
|
ORDERING caseIgnoreOrderingMatch
|
|||
|
SUBSTR caseIgnoreSubstringsMatch
|
|||
|
SYNTAX 1.3.6.1.4.1.1466.115.121.1.44
|
|||
|
SINGLE-VALUE
|
|||
|
)
|
|||
|
|
|||
|
The value of this attribute SHOULD be checked against its defined
|
|||
|
format. If the value of this attribute does not conform to this
|
|||
|
syntax, then this SHOULD be considered an error and the policy rule
|
|||
|
SHOULD be treated as being disabled.
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Strassner, et al. Standards Track [Page 39]
|
|||
|
|
|||
|
RFC 3703 Policy Core LDAP Schema February 2004
|
|||
|
|
|||
|
|
|||
|
Finally, the pcimTPCLocalOrUtcTime attribute is used to choose
|
|||
|
between local or UTC time representation. This is mapped as a simple
|
|||
|
integer syntax, with the value of 1 representing local time and the
|
|||
|
value of 2 representing UTC time. The definition of this attribute
|
|||
|
is as follows:
|
|||
|
|
|||
|
( 1.3.6.1.1.6.2.30
|
|||
|
NAME 'pcimTPCLocalOrUtcTime'
|
|||
|
DESC 'This defines whether the times in this instance
|
|||
|
represent local (value=1) times or UTC (value=2)
|
|||
|
times.'
|
|||
|
EQUALITY integerMatch
|
|||
|
ORDERING integerOrderingMatch
|
|||
|
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
|
|||
|
SINGLE-VALUE
|
|||
|
)
|
|||
|
|
|||
|
Note: if the value of the pcimTPCLocalOrUtcTime is not 1 or 2, then
|
|||
|
this SHOULD be considered an error and the policy rule SHOULD be
|
|||
|
disabled. If the attribute is not present at all, then all times are
|
|||
|
interpreted as if it were present with the value 2, that is, UTC
|
|||
|
time.
|
|||
|
|
|||
|
5.9. The Auxiliary Class pcimConditionVendorAuxClass
|
|||
|
|
|||
|
This class provides a general extension mechanism for representing
|
|||
|
policy conditions that have not been modeled with specific
|
|||
|
properties. Instead, its two properties are used to define the
|
|||
|
content and format of the condition, as explained below. This class
|
|||
|
is intended for vendor-specific extensions that are not amenable to
|
|||
|
using pcimCondition; standardized extensions SHOULD NOT use this
|
|||
|
class.
|
|||
|
|
|||
|
The class definition is as follows:
|
|||
|
|
|||
|
( 1.3.6.1.1.6.1.13 NAME 'pcimConditionVendorAuxClass'
|
|||
|
DESC 'A class that defines a registered means to describe a
|
|||
|
policy condition.'
|
|||
|
SUP pcimConditionAuxClass
|
|||
|
AUXILIARY
|
|||
|
MAY ( pcimVendorConstraintData $
|
|||
|
pcimVendorConstraintEncoding )
|
|||
|
)
|
|||
|
|
|||
|
The pcimVendorConstraintData attribute is a multi-valued attribute.
|
|||
|
It provides a general mechanism for representing policy conditions
|
|||
|
that have not been modeled as specific attributes. This information
|
|||
|
is encoded in a set of octet strings. The format of the octet
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Strassner, et al. Standards Track [Page 40]
|
|||
|
|
|||
|
RFC 3703 Policy Core LDAP Schema February 2004
|
|||
|
|
|||
|
|
|||
|
strings is identified by the OID stored in the
|
|||
|
pcimVendorConstraintEncoding attribute. This attribute is defined as
|
|||
|
follows:
|
|||
|
|
|||
|
( 1.3.6.1.1.6.2.31
|
|||
|
NAME 'pcimVendorConstraintData'
|
|||
|
DESC 'Mechanism for representing constraints that have not
|
|||
|
been modeled as specific attributes. Their format is
|
|||
|
identified by the OID stored in the attribute
|
|||
|
pcimVendorConstraintEncoding.'
|
|||
|
EQUALITY octetStringMatch
|
|||
|
ORDERING octetStringOrderingMatch
|
|||
|
SYNTAX 1.3.6.1.4.1.1466.115.121.1.40
|
|||
|
)
|
|||
|
|
|||
|
The pcimVendorConstraintEncoding attribute is used to identify the
|
|||
|
format and semantics for the pcimVendorConstraintData attribute.
|
|||
|
This attribute is defined as follows:
|
|||
|
|
|||
|
( 1.3.6.1.1.6.2.32
|
|||
|
NAME 'pcimVendorConstraintEncoding'
|
|||
|
DESC 'An OID identifying the format and semantics for the
|
|||
|
pcimVendorConstraintData for this instance.'
|
|||
|
EQUALITY objectIdentifierMatch
|
|||
|
SYNTAX 1.3.6.1.4.1.1466.115.121.1.38
|
|||
|
SINGLE-VALUE
|
|||
|
)
|
|||
|
|
|||
|
5.10. The Auxiliary Class pcimActionAuxClass
|
|||
|
|
|||
|
The purpose of a policy action is to execute one or more operations
|
|||
|
that will affect network traffic and/or systems, devices, etc. in
|
|||
|
order to achieve a desired policy state. This class is used to
|
|||
|
represent an action to be performed as a result of a policy rule
|
|||
|
whose condition clause was satisfied.
|
|||
|
|
|||
|
Subclasses of this auxiliary class can be attached to instances of
|
|||
|
three other classes in the PCLS. When a subclass of this class is
|
|||
|
attached to an instance of pcimRuleActionAssociation, or to an
|
|||
|
instance of pcimRule, it represents a rule-specific policy action.
|
|||
|
When a subclass of this class is attached to an instance of
|
|||
|
pcimPolicyInstance, it represents a reusable policy action.
|
|||
|
|
|||
|
Since all of the classes to which subclasses of this auxiliary class
|
|||
|
may be attached are derived from the pcimPolicy class, the attributes
|
|||
|
of the pcimPolicy class will already be defined for the entries to
|
|||
|
which these subclasses attach. Thus, this class is derived directly
|
|||
|
from "top".
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Strassner, et al. Standards Track [Page 41]
|
|||
|
|
|||
|
RFC 3703 Policy Core LDAP Schema February 2004
|
|||
|
|
|||
|
|
|||
|
The class definition is as follows:
|
|||
|
|
|||
|
( 1.3.6.1.1.6.1.14 NAME 'pcimActionAuxClass'
|
|||
|
DESC 'A class representing an action to be performed as a
|
|||
|
result of a policy rule.'
|
|||
|
SUP top
|
|||
|
AUXILIARY
|
|||
|
)
|
|||
|
|
|||
|
5.11. The Auxiliary Class pcimActionVendorAuxClass
|
|||
|
|
|||
|
The purpose of this class is to provide a general extension mechanism
|
|||
|
for representing policy actions that have not been modeled with
|
|||
|
specific properties. Instead, its two properties are used to define
|
|||
|
the content and format of the action, as explained below.
|
|||
|
|
|||
|
As its name suggests, this class is intended for vendor-specific
|
|||
|
extensions that are not amenable to using the standard pcimAction
|
|||
|
class. Standardized extensions SHOULD NOT use this class.
|
|||
|
|
|||
|
The class definition is as follows:
|
|||
|
|
|||
|
( 1.3.6.1.1.6.1.15 NAME 'pcimActionVendorAuxClass'
|
|||
|
DESC 'A class that defines a registered means to describe a
|
|||
|
policy action.'
|
|||
|
SUP pcimActionAuxClass
|
|||
|
AUXILIARY
|
|||
|
MAY ( pcimVendorActionData $ pcimVendorActionEncoding )
|
|||
|
)
|
|||
|
|
|||
|
The pcimVendorActionData attribute is a multi-valued attribute. It
|
|||
|
provides a general mechanism for representing policy actions that
|
|||
|
have not been modeled as specific attributes. This information is
|
|||
|
encoded in a set of octet strings. The format of the octet strings
|
|||
|
is identified by the OID stored in the pcimVendorActionEncoding
|
|||
|
attribute. This attribute is defined as follows:
|
|||
|
|
|||
|
( 1.3.6.1.1.6.2.33
|
|||
|
NAME 'pcimVendorActionData'
|
|||
|
DESC ' Mechanism for representing policy actions that have
|
|||
|
not been modeled as specific attributes. Their
|
|||
|
format is identified by the OID stored in the
|
|||
|
attribute pcimVendorActionEncoding.'
|
|||
|
EQUALITY octetStringMatch
|
|||
|
ORDERING octetStringOrderingMatch
|
|||
|
SYNTAX 1.3.6.1.4.1.1466.115.121.1.40
|
|||
|
)
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Strassner, et al. Standards Track [Page 42]
|
|||
|
|
|||
|
RFC 3703 Policy Core LDAP Schema February 2004
|
|||
|
|
|||
|
|
|||
|
The pcimVendorActionEncoding attribute is used to identify the format
|
|||
|
and semantics for the pcimVendorActionData attribute. This attribute
|
|||
|
is defined as follows:
|
|||
|
|
|||
|
( 1.3.6.1.1.6.2.34
|
|||
|
NAME 'pcimVendorActionEncoding'
|
|||
|
DESC 'An OID identifying the format and semantics for the
|
|||
|
pcimVendorActionData attribute of this instance.'
|
|||
|
EQUALITY objectIdentifierMatch
|
|||
|
SYNTAX 1.3.6.1.4.1.1466.115.121.1.38
|
|||
|
SINGLE-VALUE
|
|||
|
)
|
|||
|
|
|||
|
5.12. The Class pcimPolicyInstance
|
|||
|
|
|||
|
This class is not defined in the PCIM. Its role is to serve as a
|
|||
|
structural class to which auxiliary classes representing policy
|
|||
|
information are attached when the information is reusable. For
|
|||
|
auxiliary classes representing policy conditions and policy actions,
|
|||
|
there are alternative structural classes that may be used. See
|
|||
|
Section 4.4 for a complete discussion of reusable policy conditions
|
|||
|
and actions, and of the role that this class plays in how they are
|
|||
|
represented.
|
|||
|
|
|||
|
The class definition is as follows:
|
|||
|
|
|||
|
( 1.3.6.1.1.6.1.16 NAME 'pcimPolicyInstance'
|
|||
|
DESC 'A structural class to which aux classes containing
|
|||
|
reusable policy information can be attached.'
|
|||
|
SUP pcimPolicy
|
|||
|
MAY ( pcimPolicyInstanceName )
|
|||
|
)
|
|||
|
|
|||
|
The pcimPolicyInstanceName attribute is used to define a
|
|||
|
user-friendly name of this class, and may be used as a naming
|
|||
|
attribute if desired. It is defined as follows:
|
|||
|
|
|||
|
( 1.3.6.1.1.6.2.35 NAME 'pcimPolicyInstanceName'
|
|||
|
DESC 'The user-friendly name of this policy instance.'
|
|||
|
EQUALITY caseIgnoreMatch
|
|||
|
ORDERING caseIgnoreOrderingMatch
|
|||
|
SUBSTR caseIgnoreSubstringsMatch
|
|||
|
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
|
|||
|
SINGLE-VALUE
|
|||
|
)
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Strassner, et al. Standards Track [Page 43]
|
|||
|
|
|||
|
RFC 3703 Policy Core LDAP Schema February 2004
|
|||
|
|
|||
|
|
|||
|
A DIT content rule could be written to enable an instance of
|
|||
|
pcimPolicyInstance to have attached to it either instances of one or
|
|||
|
more of the auxiliary object classes pcimConditionAuxClass and
|
|||
|
pcimActionAuxClass. Since these semantics do not include specifying
|
|||
|
any properties, the content rule would not need to specify any
|
|||
|
attributes. Note that other content rules could be defined to enable
|
|||
|
other policy-related auxiliary classes to be attached to
|
|||
|
pcimPolicyInstance.
|
|||
|
|
|||
|
Similarly, three separate DIT structure rules could be written. Each
|
|||
|
of these DIT structure rules would refer to a specific name form that
|
|||
|
defined two important semantics. First, each name form would
|
|||
|
identify one of the three possible naming attributes (i.e.,
|
|||
|
pcimPolicyInstanceName, cn, and orderedCIMKeys) for this object
|
|||
|
class. Second, each name form would require that an instance of the
|
|||
|
pcimPolicyInstance class have as its superior an instance of the
|
|||
|
pcimRepository class. This structure rule SHOULD also include a
|
|||
|
superiorStructureRule (see Note 2 at the beginning of section 5).
|
|||
|
|
|||
|
5.13. The Auxiliary Class pcimElementAuxClass
|
|||
|
|
|||
|
This class introduces no additional attributes, beyond those defined
|
|||
|
in the class pcimPolicy from which it is derived. Its role is to
|
|||
|
"tag" an instance of a class defined outside the realm of policy
|
|||
|
information as represented by PCIM as being nevertheless relevant to
|
|||
|
a policy specification. This tagging can potentially take place at
|
|||
|
two levels:
|
|||
|
|
|||
|
- Every instance to which pcimElementAuxClass is attached becomes
|
|||
|
an instance of the class pcimPolicy, since pcimElementAuxClass is
|
|||
|
a subclass of pcimPolicy. Searching for object
|
|||
|
class="pcimPolicy" will return the instance. (As noted earlier,
|
|||
|
this approach does NOT work for some directory implementations.
|
|||
|
To accommodate these implementations, policy-related entries
|
|||
|
SHOULD be tagged with the pcimKeyword "POLICY".)
|
|||
|
|
|||
|
- With the pcimKeywords attribute that it inherits from pcimPolicy,
|
|||
|
an instance to which pcimElementAuxClass is attached can be
|
|||
|
tagged as being relevant to a particular type or category of
|
|||
|
policy information, using standard keywords,
|
|||
|
administrator-defined keywords, or both.
|
|||
|
|
|||
|
The class definition is as follows:
|
|||
|
|
|||
|
( 1.3.6.1.1.6.1.17 NAME 'pcimElementAuxClass'
|
|||
|
DESC 'An auxiliary class used to tag instances of classes
|
|||
|
defined outside the realm of policy as relevant to a
|
|||
|
particular policy specification.'
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Strassner, et al. Standards Track [Page 44]
|
|||
|
|
|||
|
RFC 3703 Policy Core LDAP Schema February 2004
|
|||
|
|
|||
|
|
|||
|
SUP pcimPolicy
|
|||
|
AUXILIARY
|
|||
|
)
|
|||
|
|
|||
|
5.14. The Three Policy Repository Classes
|
|||
|
|
|||
|
These classes provide a container for reusable policy information,
|
|||
|
such as reusable policy conditions and/or reusable policy actions.
|
|||
|
This document is concerned with mapping just the properties that
|
|||
|
appear in these classes. Conceptually, this may be thought of as a
|
|||
|
special location in the DIT where policy information may reside.
|
|||
|
Since pcimRepository is derived from the class dlm1AdminDomain
|
|||
|
defined in reference [6], this specification has a normative
|
|||
|
dependency on that element of reference [6] (as well as on its entire
|
|||
|
derivation hierarchy, which also appears in reference [6]). To
|
|||
|
maximize flexibility, the pcimRepository class is defined as
|
|||
|
abstract. A subclass pcimRepositoryAuxClass provides for auxiliary
|
|||
|
attachment to another entry, while a structural subclass
|
|||
|
pcimRepositoryInstance is available to represent a policy repository
|
|||
|
as a standalone entry.
|
|||
|
|
|||
|
The definition for the pcimRepository class is as follows:
|
|||
|
|
|||
|
( 1.3.6.1.1.6.1.18 NAME 'pcimRepository'
|
|||
|
DESC 'A container for reusable policy information.'
|
|||
|
SUP dlm1AdminDomain
|
|||
|
ABSTRACT
|
|||
|
MAY ( pcimRepositoryName )
|
|||
|
)
|
|||
|
|
|||
|
The pcimRepositoryName attribute is used to define a user-friendly
|
|||
|
name of this class, and may be used as a naming attribute if desired.
|
|||
|
It is defined as follows:
|
|||
|
|
|||
|
( 1.3.6.1.1.6.2.36 NAME 'pcimRepositoryName'
|
|||
|
DESC 'The user-friendly name of this policy repository.'
|
|||
|
EQUALITY caseIgnoreMatch
|
|||
|
ORDERING caseIgnoreOrderingMatch
|
|||
|
SUBSTR caseIgnoreSubstringsMatch
|
|||
|
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
|
|||
|
SINGLE-VALUE
|
|||
|
)
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Strassner, et al. Standards Track [Page 45]
|
|||
|
|
|||
|
RFC 3703 Policy Core LDAP Schema February 2004
|
|||
|
|
|||
|
|
|||
|
The two subclasses of pcimRepository are defined as follows. First,
|
|||
|
the pcimRepositoryAuxClass is an auxiliary class that can be used to
|
|||
|
aggregate reusable policy information. It is defined as follows:
|
|||
|
|
|||
|
( 1.3.6.1.1.6.1.19 NAME 'pcimRepositoryAuxClass'
|
|||
|
DESC 'An auxiliary class that can be used to aggregate
|
|||
|
reusable policy information.'
|
|||
|
SUP pcimRepository
|
|||
|
AUXILIARY
|
|||
|
)
|
|||
|
|
|||
|
In cases where structural classes are needed instead of an auxiliary
|
|||
|
class, the pcimRepositoryInstance class is a structural class that
|
|||
|
can be used to aggregate reusable policy information. It is defined
|
|||
|
as follows:
|
|||
|
|
|||
|
( 1.3.6.1.1.6.1.20 NAME 'pcimRepositoryInstance'
|
|||
|
DESC 'A structural class that can be used to aggregate
|
|||
|
reusable policy information.'
|
|||
|
SUP pcimRepository
|
|||
|
STRUCTURAL
|
|||
|
)
|
|||
|
|
|||
|
Three separate DIT structure rules could be written for this class.
|
|||
|
Each of these DIT structure rules would refer to a specific name form
|
|||
|
that enabled an instance of the pcimRepository class to be named
|
|||
|
under any superior using one of the three possible naming attributes
|
|||
|
(i.e., pcimRepositoryName, cn, and orderedCIMKeys). This structure
|
|||
|
rule SHOULD also include a superiorStructureRule (see Note 2 at the
|
|||
|
beginning of section 5).
|
|||
|
|
|||
|
5.15. The Auxiliary Class pcimSubtreesPtrAuxClass
|
|||
|
|
|||
|
This auxiliary class provides a single, multi-valued attribute that
|
|||
|
references a set of objects that are at the root of DIT subtrees
|
|||
|
containing policy-related information. By attaching this attribute
|
|||
|
to instances of various other classes, a policy administrator has a
|
|||
|
flexible way of providing an entry point into the directory that
|
|||
|
allows a client to locate and retrieve the policy information
|
|||
|
relevant to it.
|
|||
|
|
|||
|
It is intended that these entries are placed in the DIT such that
|
|||
|
well-known DNs can be used to reference a well-known structural entry
|
|||
|
that has the pcimSubtreesPtrAuxClass attached to it. In effect, this
|
|||
|
defines a set of entry points. Each of these entry points can
|
|||
|
contain and/or reference all related policy entries for
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Strassner, et al. Standards Track [Page 46]
|
|||
|
|
|||
|
RFC 3703 Policy Core LDAP Schema February 2004
|
|||
|
|
|||
|
|
|||
|
any well-known policy domains. The pcimSubtreesPtrAuxClass functions
|
|||
|
as a tag to identify portions of the DIT that contain policy
|
|||
|
information.
|
|||
|
|
|||
|
This object does not provide the semantic linkages between individual
|
|||
|
policy objects, such as those between a policy group and the policy
|
|||
|
rules that belong to it. Its only role is to enable efficient bulk
|
|||
|
retrieval of policy-related objects, as described in Section 4.5.
|
|||
|
|
|||
|
Once the objects have been retrieved, a directory client can
|
|||
|
determine the semantic linkages by following references contained in
|
|||
|
multi-valued attributes, such as pcimRulesAuxContainedSet.
|
|||
|
|
|||
|
Since policy-related objects will often be included in the DIT
|
|||
|
subtree beneath an object to which this auxiliary class is attached,
|
|||
|
a client SHOULD request the policy-related objects from the subtree
|
|||
|
under the object with these references at the same time that it
|
|||
|
requests the references themselves.
|
|||
|
|
|||
|
Since clients are expected to behave in this way, the policy
|
|||
|
administrator SHOULD make sure that this subtree does not contain so
|
|||
|
many objects unrelated to policy that an initial search done in this
|
|||
|
way results in a performance problem. The pcimSubtreesPtrAuxClass
|
|||
|
SHOULD NOT be attached to the partition root for a large directory
|
|||
|
partition containing a relatively few number of policy-related
|
|||
|
objects along with a large number of objects unrelated to policy
|
|||
|
(again, "policy" here refers to the PCIM, not the X.501, definition
|
|||
|
and use of "policy"). A better approach would be to introduce a
|
|||
|
container object immediately below the partition root, attach
|
|||
|
pcimSubtreesPtrAuxClass to this container object, and then place all
|
|||
|
of the policy-related objects in that subtree.
|
|||
|
|
|||
|
The class definition is as follows:
|
|||
|
|
|||
|
( 1.3.6.1.1.6.1.21 NAME 'pcimSubtreesPtrAuxClass'
|
|||
|
DESC 'An auxiliary class providing DN references to roots of
|
|||
|
DIT subtrees containing policy-related objects.'
|
|||
|
SUP top
|
|||
|
AUXILIARY
|
|||
|
MAY ( pcimSubtreesAuxContainedSet )
|
|||
|
)
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Strassner, et al. Standards Track [Page 47]
|
|||
|
|
|||
|
RFC 3703 Policy Core LDAP Schema February 2004
|
|||
|
|
|||
|
|
|||
|
The attribute pcimSubtreesAuxContainedSet provides an unordered set
|
|||
|
of DN references to instances of one or more objects under which
|
|||
|
policy-related information is present. The objects referenced may or
|
|||
|
may not themselves contain policy-related information. The attribute
|
|||
|
definition is as follows:
|
|||
|
|
|||
|
( 1.3.6.1.1.6.2.37
|
|||
|
NAME 'pcimSubtreesAuxContainedSet'
|
|||
|
DESC 'DNs of objects that serve as roots for DIT subtrees
|
|||
|
containing policy-related objects.'
|
|||
|
EQUALITY distinguishedNameMatch
|
|||
|
SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
|
|||
|
)
|
|||
|
|
|||
|
Note that the cn attribute does NOT need to be defined for this
|
|||
|
class. This is because an auxiliary class is used as a means to
|
|||
|
collect common attributes and treat them as properties of an object.
|
|||
|
A good analogy is a #include file, except that since an auxiliary
|
|||
|
class is a class, all the benefits of a class (e.g., inheritance) can
|
|||
|
be applied to an auxiliary class.
|
|||
|
|
|||
|
5.16. The Auxiliary Class pcimGroupContainmentAuxClass
|
|||
|
|
|||
|
This auxiliary class provides a single, multi-valued attribute that
|
|||
|
references a set of pcimGroups. By attaching this attribute to
|
|||
|
instances of various other classes, a policy administrator has a
|
|||
|
flexible way of providing an entry point into the directory that
|
|||
|
allows a client to locate and retrieve the pcimGroups relevant to it.
|
|||
|
|
|||
|
As is the case with pcimRules, a policy administrator might have
|
|||
|
several different references to a pcimGroup in the overall directory
|
|||
|
structure. The pcimGroupContainmentAuxClass is the mechanism that
|
|||
|
makes it possible for the policy administrator to define all these
|
|||
|
different references.
|
|||
|
|
|||
|
The class definition is as follows:
|
|||
|
|
|||
|
( 1.3.6.1.1.6.1.22 NAME 'pcimGroupContainmentAuxClass'
|
|||
|
DESC 'An auxiliary class used to bind pcimGroups to an
|
|||
|
appropriate container object.'
|
|||
|
SUP top
|
|||
|
AUXILIARY
|
|||
|
MAY ( pcimGroupsAuxContainedSet )
|
|||
|
)
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Strassner, et al. Standards Track [Page 48]
|
|||
|
|
|||
|
RFC 3703 Policy Core LDAP Schema February 2004
|
|||
|
|
|||
|
|
|||
|
The attribute pcimGroupsAuxContainedSet provides an unordered set of
|
|||
|
references to instances of one or more pcimGroups associated with the
|
|||
|
instance of a structural class to which this attribute has been
|
|||
|
appended.
|
|||
|
|
|||
|
The attribute definition is as follows:
|
|||
|
|
|||
|
( 1.3.6.1.1.6.2.38
|
|||
|
NAME 'pcimGroupsAuxContainedSet'
|
|||
|
DESC 'DNs of pcimGroups associated in some way with the
|
|||
|
instance to which this attribute has been appended.'
|
|||
|
EQUALITY distinguishedNameMatch
|
|||
|
SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
|
|||
|
)
|
|||
|
|
|||
|
Note that the cn attribute does NOT have to be defined for this class
|
|||
|
for the same reasons as those given for the pcimSubtreesPtrAuxClass
|
|||
|
in section 5.15.
|
|||
|
|
|||
|
5.17. The Auxiliary Class pcimRuleContainmentAuxClass
|
|||
|
|
|||
|
This auxiliary class provides a single, multi-valued attribute that
|
|||
|
references a set of pcimRules. By attaching this attribute to
|
|||
|
instances of various other classes, a policy administrator has a
|
|||
|
flexible way of providing an entry point into the directory that
|
|||
|
allows a client to locate and retrieve the pcimRules relevant to it.
|
|||
|
|
|||
|
A policy administrator might have several different references to a
|
|||
|
pcimRule in the overall directory structure. For example, there
|
|||
|
might be references to all pcimRules for traffic originating in a
|
|||
|
particular subnet from a directory entry that represents that subnet.
|
|||
|
At the same time, there might be references to all pcimRules related
|
|||
|
to a particular DiffServ setting from an instance of a pcimGroup
|
|||
|
explicitly introduced as a container for DiffServ-related pcimRules.
|
|||
|
The pcimRuleContainmentAuxClass is the mechanism that makes it
|
|||
|
possible for the policy administrator to define all these separate
|
|||
|
references.
|
|||
|
|
|||
|
The class definition is as follows:
|
|||
|
|
|||
|
( 1.3.6.1.1.6.1.23 NAME 'pcimRuleContainmentAuxClass'
|
|||
|
DESC 'An auxiliary class used to bind pcimRules to an
|
|||
|
appropriate container object.'
|
|||
|
SUP top
|
|||
|
AUXILIARY
|
|||
|
MAY ( pcimRulesAuxContainedSet )
|
|||
|
)
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Strassner, et al. Standards Track [Page 49]
|
|||
|
|
|||
|
RFC 3703 Policy Core LDAP Schema February 2004
|
|||
|
|
|||
|
|
|||
|
The attribute pcimRulesAuxContainedSet provides an unordered set of
|
|||
|
references to one or more instances of pcimRules associated with the
|
|||
|
instance of a structural class to which this attribute has been
|
|||
|
appended. The attribute definition is as follows:
|
|||
|
|
|||
|
( 1.3.6.1.1.6.2.39
|
|||
|
NAME 'pcimRulesAuxContainedSet'
|
|||
|
DESC 'DNs of pcimRules associated in some way with the
|
|||
|
instance to which this attribute has been appended.'
|
|||
|
EQUALITY distinguishedNameMatch
|
|||
|
SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
|
|||
|
)
|
|||
|
|
|||
|
The cn attribute does NOT have to be defined for this class for the
|
|||
|
same reasons as those given for the pcimSubtreesPtrAuxClass in
|
|||
|
section 5.15.
|
|||
|
|
|||
|
6. Extending the Classes Defined in This Document
|
|||
|
|
|||
|
The following subsections provide general guidance on how to create a
|
|||
|
domain-specific schema derived from this document, discuss how the
|
|||
|
vendor classes in the PCLS should be used, and explain how
|
|||
|
policyTimePeriodConditions are related to other policy conditions.
|
|||
|
|
|||
|
6.1. Subclassing pcimConditionAuxClass and pcimActionAuxClass
|
|||
|
|
|||
|
In Section 4.4, there is a discussion of how, by representing policy
|
|||
|
conditions and policy actions as auxiliary classes in a schema, the
|
|||
|
flexibility is retained to instantiate a particular condition or
|
|||
|
action as either rule-specific or reusable. This flexibility is lost
|
|||
|
if a condition or action class is defined as structural rather than
|
|||
|
auxiliary. For standardized schemata, this document specifies that
|
|||
|
domain-specific information MUST be expressed in auxiliary subclasses
|
|||
|
of pcimConditionAuxClass and pcimActionAuxClass. It is RECOMMENDED
|
|||
|
that non-standardized schemata follow this practice as well.
|
|||
|
|
|||
|
6.2. Using the Vendor Policy Attributes
|
|||
|
|
|||
|
As discussed Section 5.9, the attributes pcimVendorConstraintData and
|
|||
|
pcimVendorConstraintEncoding are included in the
|
|||
|
pcimConditionVendorAuxClass to provide a mechanism for representing
|
|||
|
vendor-specific policy conditions that are not amenable to being
|
|||
|
represented with the pcimCondition class (or its subclasses). The
|
|||
|
attributes pcimVendorActionData and pcimVendorActionEncoding in the
|
|||
|
pcimActionVendorAuxClass class play the same role with respect to
|
|||
|
actions. This enables interoperability between different vendors who
|
|||
|
could not otherwise interoperate.
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Strassner, et al. Standards Track [Page 50]
|
|||
|
|
|||
|
RFC 3703 Policy Core LDAP Schema February 2004
|
|||
|
|
|||
|
|
|||
|
For example, imagine a network composed of access devices from vendor
|
|||
|
A, edge and core devices from vendor B, and a policy server from
|
|||
|
vendor C. It is desirable for this policy server to be able to
|
|||
|
configure and manage all of the devices from vendors A and B.
|
|||
|
Unfortunately, these devices will in general have little in common
|
|||
|
(e.g., different mechanisms, different ways for controlling those
|
|||
|
mechanisms, different operating systems, different commands, and so
|
|||
|
forth). The extension conditions provide a way for vendor-specific
|
|||
|
commands to be encoded as octet strings, so that a single policy
|
|||
|
server can commonly manage devices from different vendors.
|
|||
|
|
|||
|
6.3. Using Time Validity Periods
|
|||
|
|
|||
|
Time validity periods are defined as an auxiliary subclass of
|
|||
|
pcimConditionAuxClass, called pcimTPCAuxClass. This is to allow
|
|||
|
their inclusion in the AND/OR condition definitions for a pcimRule.
|
|||
|
Care should be taken not to subclass pcimTPCAuxClass to add
|
|||
|
domain-specific condition properties.
|
|||
|
|
|||
|
For example, it would be incorrect to add IPsec- or QoS-specific
|
|||
|
condition properties to the pcimTPCAuxClass class, just because IPsec
|
|||
|
or QoS includes time in its condition definition. The correct
|
|||
|
subclassing would be to create IPsec or QoS-specific subclasses of
|
|||
|
pcimConditionAuxClass and then combine instances of these
|
|||
|
domain-specific condition classes with the appropriate validity
|
|||
|
period criteria. This is accomplished using the AND/OR association
|
|||
|
capabilities for policy conditions in pcimRules.
|
|||
|
|
|||
|
7. Security Considerations
|
|||
|
|
|||
|
The PCLS, presented in this document, provides a mapping of the
|
|||
|
object-oriented model for describing policy information (PCIM) into a
|
|||
|
data model that forms the basic framework for describing the
|
|||
|
structure of policy data, in the case where the policy repository
|
|||
|
takes the form of an LDAP-accessible directory.
|
|||
|
|
|||
|
PCLS is not intended to represent any particular system design or
|
|||
|
implementation. PCLS is not directly useable in a real world system,
|
|||
|
without the discipline-specific mappings that are works in progress
|
|||
|
in the Policy Framework Working Group of the IETF.
|
|||
|
|
|||
|
These other derivative documents, which use PCIM and its
|
|||
|
discipline-specific extensions as a base, will need to convey more
|
|||
|
specific security considerations (refer to RFC 3060 for more
|
|||
|
information.)
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Strassner, et al. Standards Track [Page 51]
|
|||
|
|
|||
|
RFC 3703 Policy Core LDAP Schema February 2004
|
|||
|
|
|||
|
|
|||
|
The reason that PCLS, as defined here, is not representative of any
|
|||
|
real-world system, is that its object classes were designed to be
|
|||
|
independent of any specific discipline, or policy domain. For
|
|||
|
example, DiffServ and IPsec represent two different policy domains.
|
|||
|
Each document that extends PCIM to one of these domains will derive
|
|||
|
subclasses from the classes and relationships defined in PCIM, in
|
|||
|
order to represent extensions of a generic model to cover specific
|
|||
|
technical domains.
|
|||
|
|
|||
|
PCIM-derived documents will thus subclass the PCIM classes into
|
|||
|
classes specific to each technical policy domain (QOS, IPsec, etc.),
|
|||
|
which will, in turn, be mapped, to directory-specific schemata
|
|||
|
consistent with the PCLS documented here.
|
|||
|
|
|||
|
Even though discipline-specific security requirements are not
|
|||
|
appropriate for PCLS, specific security requirements MUST be defined
|
|||
|
for each operational real-world application of PCIM. Just as there
|
|||
|
will be a wide range of operational, real-world systems using PCIM,
|
|||
|
there will also be a wide range of security requirements for these
|
|||
|
systems. Some operational, real-world systems that are deployed
|
|||
|
using PCLS may have extensive security requirements that impact
|
|||
|
nearly all object classes utilized by such a system, while other
|
|||
|
systems' security requirements might have very little impact.
|
|||
|
|
|||
|
The derivative documents, discussed above, will create the context
|
|||
|
for applying operational, real-world, system-level security
|
|||
|
requirements against the various models that derive from PCIM,
|
|||
|
consistent with PCLS.
|
|||
|
|
|||
|
In some real-world scenarios, the values associated with certain
|
|||
|
properties, within certain instantiated object classes, may represent
|
|||
|
information associated with scarce, and/or costly (and therefore
|
|||
|
valuable) resources. It may be the case that these values must not
|
|||
|
be disclosed to, or manipulated by, unauthorized parties.
|
|||
|
|
|||
|
Since this document forms the basis for the representation of a
|
|||
|
policy data model in a specific format (an LDAP-accessible
|
|||
|
directory), it is herein appropriate to reference the data
|
|||
|
model-specific tools and mechanisms that are available for achieving
|
|||
|
the authentication and authorization implicit in a requirement that
|
|||
|
restricts read and/or read- write access to these values stored in a
|
|||
|
directory.
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Strassner, et al. Standards Track [Page 52]
|
|||
|
|
|||
|
RFC 3703 Policy Core LDAP Schema February 2004
|
|||
|
|
|||
|
|
|||
|
General LDAP security considerations apply, as documented in RFC 3377
|
|||
|
[2]. LDAP-specific authentication and authorization tools and
|
|||
|
mechanisms are found in the following standards track documents,
|
|||
|
which are appropriate for application to the management of security
|
|||
|
applied to policy data models stored in an LDAP-accessible directory:
|
|||
|
|
|||
|
- RFC 2829 (Authentication Methods for LDAP)
|
|||
|
- RFC 2830 (Lightweight Directory Access Protocol (v3): Extension
|
|||
|
for Transport Layer Security)
|
|||
|
|
|||
|
Any identified security requirements that are not dealt with in the
|
|||
|
appropriate discipline-specific information model documents, or in
|
|||
|
this document, MUST be dealt with in the derivative data model
|
|||
|
documents which are specific to each discipline.
|
|||
|
|
|||
|
8. IANA Considerations
|
|||
|
|
|||
|
Refer to RFC 3383, "Internet Assigned Numbers Authority (IANA)
|
|||
|
Considerations for the Lightweight Directory Access Protocol (LDAP)"
|
|||
|
[16].
|
|||
|
|
|||
|
8.1. Object Identifiers
|
|||
|
|
|||
|
The IANA has registered an LDAP Object Identifier for use in this
|
|||
|
technical specification according to the following template:
|
|||
|
|
|||
|
Subject: Request for LDAP OID Registration
|
|||
|
Person & email address to contact for further information:
|
|||
|
Bob Moore (remoore@us.ibm.com)
|
|||
|
Specification: RFC 3703
|
|||
|
Author/Change Controller: IESG
|
|||
|
Comments:
|
|||
|
The assigned OID will be used as a base for identifying
|
|||
|
a number of schema elements defined in this document.
|
|||
|
|
|||
|
IANA has assigned an OID of 1.3.6.1.1.6 with the name of pcimSchema
|
|||
|
to this registration as recorded in the following registry:
|
|||
|
|
|||
|
http://www.iana.org/assignments/smi-numbers
|
|||
|
|
|||
|
8.2. Object Identifier Descriptors
|
|||
|
|
|||
|
The IANA has registered the LDAP Descriptors used in this technical
|
|||
|
specification as detailed in the following template:
|
|||
|
|
|||
|
Subject: Request for LDAP Descriptor Registration Update
|
|||
|
Descriptor (short name): see comment
|
|||
|
Object Identifier: see comment
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Strassner, et al. Standards Track [Page 53]
|
|||
|
|
|||
|
RFC 3703 Policy Core LDAP Schema February 2004
|
|||
|
|
|||
|
|
|||
|
Person & email address to contact for further information:
|
|||
|
Bob Moore (remoore@us.ibm.com)
|
|||
|
Usage: see comment
|
|||
|
Specification: RFC 3703
|
|||
|
Author/Change Controller: IESG
|
|||
|
Comments:
|
|||
|
|
|||
|
The following descriptors have been added:
|
|||
|
|
|||
|
NAME Type OID
|
|||
|
-------------- ---- ------------
|
|||
|
pcimPolicy O 1.3.6.1.1.6.1.1
|
|||
|
pcimGroup O 1.3.6.1.1.6.1.2
|
|||
|
pcimGroupAuxClass O 1.3.6.1.1.6.1.3
|
|||
|
pcimGroupInstance O 1.3.6.1.1.6.1.4
|
|||
|
pcimRule O 1.3.6.1.1.6.1.5
|
|||
|
pcimRuleAuxClass O 1.3.6.1.1.6.1.6
|
|||
|
pcimRuleInstance O 1.3.6.1.1.6.1.7
|
|||
|
pcimRuleConditionAssociation O 1.3.6.1.1.6.1.8
|
|||
|
pcimRuleValidityAssociation O 1.3.6.1.1.6.1.9
|
|||
|
pcimRuleActionAssociation O 1.3.6.1.1.6.1.10
|
|||
|
pcimConditionAuxClass O 1.3.6.1.1.6.1.11
|
|||
|
pcimTPCAuxClass O 1.3.6.1.1.6.1.12
|
|||
|
pcimConditionVendorAuxClass O 1.3.6.1.1.6.1.13
|
|||
|
pcimActionAuxClass O 1.3.6.1.1.6.1.14
|
|||
|
pcimActionVendorAuxClass O 1.3.6.1.1.6.1.15
|
|||
|
pcimPolicyInstance O 1.3.6.1.1.6.1.16
|
|||
|
pcimElementAuxClass O 1.3.6.1.1.6.1.17
|
|||
|
pcimRepository O 1.3.6.1.1.6.1.18
|
|||
|
pcimRepositoryAuxClass O 1.3.6.1.1.6.1.19
|
|||
|
pcimRepositoryInstance O 1.3.6.1.1.6.1.20
|
|||
|
pcimSubtreesPtrAuxClass O 1.3.6.1.1.6.1.21
|
|||
|
pcimGroupContainmentAuxClass O 1.3.6.1.1.6.1.22
|
|||
|
pcimRuleContainmentAuxClass O 1.3.6.1.1.6.1.23
|
|||
|
pcimKeywords A 1.3.6.1.1.6.2.3
|
|||
|
pcimGroupName A 1.3.6.1.1.6.2.4
|
|||
|
pcimRuleName A 1.3.6.1.1.6.2.5
|
|||
|
pcimRuleEnabled A 1.3.6.1.1.6.2.6
|
|||
|
pcimRuleConditionListType A 1.3.6.1.1.6.2.7
|
|||
|
pcimRuleConditionList A 1.3.6.1.1.6.2.8
|
|||
|
pcimRuleActionList A 1.3.6.1.1.6.2.9
|
|||
|
pcimRuleValidityPeriodList A 1.3.6.1.1.6.2.10
|
|||
|
pcimRuleUsage A 1.3.6.1.1.6.2.11
|
|||
|
pcimRulePriority A 1.3.6.1.1.6.2.12
|
|||
|
pcimRuleMandatory A 1.3.6.1.1.6.2.13
|
|||
|
pcimRuleSequencedActions A 1.3.6.1.1.6.2.14
|
|||
|
pcimRoles A 1.3.6.1.1.6.2.15
|
|||
|
pcimConditionGroupNumber A 1.3.6.1.1.6.2.16
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Strassner, et al. Standards Track [Page 54]
|
|||
|
|
|||
|
RFC 3703 Policy Core LDAP Schema February 2004
|
|||
|
|
|||
|
|
|||
|
NAME Type OID
|
|||
|
-------------- ---- ------------
|
|||
|
pcimConditionNegated A 1.3.6.1.1.6.2.17
|
|||
|
pcimConditionName A 1.3.6.1.1.6.2.18
|
|||
|
pcimConditionDN A 1.3.6.1.1.6.2.19
|
|||
|
pcimValidityConditionName A 1.3.6.1.1.6.2.20
|
|||
|
pcimTimePeriodConditionDN A 1.3.6.1.1.6.2.21
|
|||
|
pcimActionName A 1.3.6.1.1.6.2.22
|
|||
|
pcimActionOrder A 1.3.6.1.1.6.2.23
|
|||
|
pcimActionDN A 1.3.6.1.1.6.2.24
|
|||
|
pcimTPCTime A 1.3.6.1.1.6.2.25
|
|||
|
pcimTPCMonthOfYearMask A 1.3.6.1.1.6.2.26
|
|||
|
pcimTPCDayOfMonthMask A 1.3.6.1.1.6.2.27
|
|||
|
pcimTPCDayOfWeekMask A 1.3.6.1.1.6.2.28
|
|||
|
pcimTPCTimeOfDayMask A 1.3.6.1.1.6.2.29
|
|||
|
pcimTPCLocalOrUtcTime A 1.3.6.1.1.6.2.30
|
|||
|
pcimVendorConstraintData A 1.3.6.1.1.6.2.31
|
|||
|
pcimVendorConstraintEncoding A 1.3.6.1.1.6.2.32
|
|||
|
pcimVendorActionData A 1.3.6.1.1.6.2.33
|
|||
|
pcimVendorActionEncoding A 1.3.6.1.1.6.2.34
|
|||
|
pcimPolicyInstanceName A 1.3.6.1.1.6.2.35
|
|||
|
pcimRepositoryName A 1.3.6.1.1.6.2.36
|
|||
|
pcimSubtreesAuxContainedSet A 1.3.6.1.1.6.2.37
|
|||
|
pcimGroupsAuxContainedSet A 1.3.6.1.1.6.2.38
|
|||
|
pcimRulesAuxContainedSet A 1.3.6.1.1.6.2.39
|
|||
|
|
|||
|
where Type A is Attribute, Type O is ObjectClass
|
|||
|
|
|||
|
These assignments are recorded in the following registry:
|
|||
|
|
|||
|
http://www.iana.org/assignments/ldap-parameters
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Strassner, et al. Standards Track [Page 55]
|
|||
|
|
|||
|
RFC 3703 Policy Core LDAP Schema February 2004
|
|||
|
|
|||
|
|
|||
|
9. Acknowledgments
|
|||
|
|
|||
|
We would like to thank Kurt Zeilenga, Roland Hedburg, and Steven Legg
|
|||
|
for doing a review of this document and making many helpful
|
|||
|
suggestions and corrections.
|
|||
|
|
|||
|
Several of the policy classes in this model first appeared in early
|
|||
|
IETF drafts on IPsec policy and QoS policy. The authors of these
|
|||
|
drafts were Partha Bhattacharya, Rob Adams, William Dixon, Roy
|
|||
|
Pereira, Raju Rajan, Jean-Christophe Martin, Sanjay Kamat, Michael
|
|||
|
See, Rajiv Chaudhury, Dinesh Verma, George Powers, and Raj Yavatkar.
|
|||
|
|
|||
|
This document is closely aligned with the work being done in the
|
|||
|
Distributed Management Task Force (DMTF) Policy and Networks working
|
|||
|
groups. We would especially like to thank Lee Rafalow, Glenn Waters,
|
|||
|
David Black, Michael Richardson, Mark Stevens, David Jones, Hugh
|
|||
|
Mahon, Yoram Snir, and Yoram Ramberg for their helpful comments.
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Strassner, et al. Standards Track [Page 56]
|
|||
|
|
|||
|
RFC 3703 Policy Core LDAP Schema February 2004
|
|||
|
|
|||
|
|
|||
|
10. Appendix: Constructing the Value of orderedCIMKeys
|
|||
|
|
|||
|
This appendix is non-normative, and is included in this document as a
|
|||
|
guide to implementers that wish to exchange information between CIM
|
|||
|
schemata and LDAP schemata.
|
|||
|
|
|||
|
Within a CIM name space, the naming is basically flat; all instances
|
|||
|
are identified by the values of their key properties, and each
|
|||
|
combination of key values must be unique. A limited form of
|
|||
|
hierarchical naming is available in CIM, however, by using weak
|
|||
|
associations: since a weak association involves propagation of key
|
|||
|
properties and their values from the superior object to the
|
|||
|
subordinate one, the subordinate object can be thought of as being
|
|||
|
named "under" the superior object. Once they have been propagated,
|
|||
|
however, propagated key properties and their values function in
|
|||
|
exactly the same way that native key properties and their values do
|
|||
|
in identifying a CIM instance.
|
|||
|
|
|||
|
The CIM mapping document [6] introduces a special attribute,
|
|||
|
orderedCIMKeys, to help map from the CIM_ManagedElement class to the
|
|||
|
LDAP class dlm1ManagedElement. This attribute SHOULD only be used in
|
|||
|
an environment where it is necessary to map between an
|
|||
|
LDAP-accessible directory and a CIM repository. For an LDAP
|
|||
|
environment, other LDAP naming attributes are defined (i.e., cn and a
|
|||
|
class-specific naming attribute) that SHOULD be used instead.
|
|||
|
|
|||
|
The role of orderedCIMKeys is to represent the information necessary
|
|||
|
to correlate an entry in an LDAP-accessible directory with an
|
|||
|
instance in a CIM name space. Depending on how naming of CIM-related
|
|||
|
entries is handled in an LDAP directory, the value of orderedCIMKeys
|
|||
|
represents one of two things:
|
|||
|
|
|||
|
- If the DIT hierarchy does not mirror the "weakness hierarchy" of
|
|||
|
the CIM name space, then orderedCIMKeys represents all the
|
|||
|
keys of the CIM instance, both native and propagated.
|
|||
|
- If the DIT hierarchy does mirror the "weakness hierarchy" of the
|
|||
|
CIM name space, then orderedCIMKeys may represent either all the
|
|||
|
keys of the instance, or only the native keys.
|
|||
|
|
|||
|
Regardless of which of these alternatives is taken, the syntax of
|
|||
|
orderedCIMKeys is the same - a DirectoryString of the form
|
|||
|
|
|||
|
<className>.<key>=<value>[,<key>=<value>]*
|
|||
|
|
|||
|
where the <key>=<value> elements are ordered by the names of the key
|
|||
|
properties, according to the collating sequence for US ASCII. The
|
|||
|
only spaces allowed in the DirectoryString are those that fall within
|
|||
|
a <value> element. As with alphabetizing the key properties, the
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Strassner, et al. Standards Track [Page 57]
|
|||
|
|
|||
|
RFC 3703 Policy Core LDAP Schema February 2004
|
|||
|
|
|||
|
|
|||
|
goal of suppressing the spaces is once again to make the results of
|
|||
|
string operations predictable.
|
|||
|
|
|||
|
The values of the <value> elements are derived from the various CIM
|
|||
|
syntaxes according to a grammar specified in [5].
|
|||
|
|
|||
|
11. References
|
|||
|
|
|||
|
11.1. Normative References
|
|||
|
|
|||
|
[1] Moore, B., Ellesson,E., Strassner, J. and A. Westerinen "Policy
|
|||
|
Core Information Model -- Version 1 Specification", RFC 3060,
|
|||
|
February 2001.
|
|||
|
|
|||
|
[2] Hodges, J. and R. Morgan, "Lightweight Directory Access
|
|||
|
Protocol (v3): Technical Specification", RFC 3377, September
|
|||
|
2002.
|
|||
|
|
|||
|
[3] Wahl, M., Coulbeck, A., Howes,T. and S. Kille, "Lightweight
|
|||
|
Directory Access Protocol (v3): Attribute Syntax Definitions",
|
|||
|
RFC 2252, December 1997.
|
|||
|
|
|||
|
[4] The Directory: Models. ITU-T Recommendation X.501, 2001.
|
|||
|
|
|||
|
[5] Distributed Management Task Force, Inc., "Common Information
|
|||
|
Model (CIM) Specification", Version 2.2, June 14, 1999. This
|
|||
|
document is available on the following DMTF web page:
|
|||
|
http://www.dmtf.org/standards/documents/CIM/DSP0004.pdf
|
|||
|
|
|||
|
[6] Distributed Management Task Force, Inc., "DMTF LDAP Schema for
|
|||
|
the CIM v2.5 Core Information Model", April 15, 2002. This
|
|||
|
document is available on the following DMTF web page:
|
|||
|
http://www.dmtf.org/standards/documents/DEN/DSP0123.pdf
|
|||
|
|
|||
|
[7] Wahl, M., "A Summary of the X.500(96) User Schema for use with
|
|||
|
LDAPv3", RFC 2256, December 1997.
|
|||
|
|
|||
|
[8] The Directory: Selected Attribute Types. ITU-T Recommendation
|
|||
|
X.520, 2001.
|
|||
|
|
|||
|
[9] Zeilenga, K., Ed., "Lightweight Directory Access Protocol
|
|||
|
(LDAP): Additional Matching Rules", RFC 3698, February 2004.
|
|||
|
|
|||
|
[10] Bradner, S., "Key words for use in RFCs to Indicate Requirement
|
|||
|
Levels", BCP 14, RFC 2119, March 1997.
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Strassner, et al. Standards Track [Page 58]
|
|||
|
|
|||
|
RFC 3703 Policy Core LDAP Schema February 2004
|
|||
|
|
|||
|
|
|||
|
11.2. Informative References
|
|||
|
|
|||
|
[11] Hovey, R. and S. Bradner, "The Organizations Involved in the
|
|||
|
IETF Standards Process", BCP 11, RFC 2028, October 1996.
|
|||
|
|
|||
|
[12] Strassner, J., policy architecture BOF presentation, 42nd IETF
|
|||
|
Meeting, Chicago, Illinois, October 1998. Minutes of this BOF
|
|||
|
are available at the following location:
|
|||
|
http://www.ietf.org/proceedings/98aug/index.html.
|
|||
|
|
|||
|
[13] Yavatkar, R., Guerin, R. and D. Pendarakis, "A Framework for
|
|||
|
Policy-based Admission Control", RFC 2753, January 2000.
|
|||
|
|
|||
|
[14] Wahl, M., Alvestrand, H., Hodges, J. and R. Morgan,
|
|||
|
"Authentication Methods for LDAP", RFC 2829, May 2000
|
|||
|
|
|||
|
[15] Hodges, J., Morgan, R. and M. Wahl, "Lightweight Directory
|
|||
|
Access Protocol (v3): Extension for Transport Layer Security",
|
|||
|
RFC 2830, May 2000.
|
|||
|
|
|||
|
[16] Zeilenga, K., "Internet Assigned Numbers Authority (IANA)
|
|||
|
Considerations for the Lightweight Directory Access Protocol
|
|||
|
(LDAP)", BCP 64, RFC 3383, September 2002.
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Strassner, et al. Standards Track [Page 59]
|
|||
|
|
|||
|
RFC 3703 Policy Core LDAP Schema February 2004
|
|||
|
|
|||
|
|
|||
|
12. Authors' Addresses
|
|||
|
|
|||
|
John Strassner
|
|||
|
Intelliden Corporation
|
|||
|
90 South Cascade Avenue
|
|||
|
Colorado Springs, CO 80903
|
|||
|
|
|||
|
Phone: +1.719.785.0648
|
|||
|
Fax: +1.719.785.0644
|
|||
|
EMail: john.strassner@intelliden.com
|
|||
|
|
|||
|
|
|||
|
Bob Moore
|
|||
|
IBM Corporation
|
|||
|
P. O. Box 12195, BRQA/B501/G206
|
|||
|
3039 Cornwallis Rd.
|
|||
|
Research Triangle Park, NC 27709-2195
|
|||
|
|
|||
|
Phone: +1 919-254-4436
|
|||
|
Fax: +1 919-254-6243
|
|||
|
EMail: remoore@us.ibm.com
|
|||
|
|
|||
|
|
|||
|
Ryan Moats
|
|||
|
Lemur Networks, Inc.
|
|||
|
15621 Drexel Circle
|
|||
|
Omaha, NE 68135
|
|||
|
|
|||
|
Phone: +1-402-894-9456
|
|||
|
EMail: rmoats@lemurnetworks.net
|
|||
|
|
|||
|
|
|||
|
Ed Ellesson
|
|||
|
3026 Carriage Trail
|
|||
|
Hillsborough, NC 27278
|
|||
|
|
|||
|
Phone: +1 919-644-3977
|
|||
|
EMail: ellesson@mindspring.com
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Strassner, et al. Standards Track [Page 60]
|
|||
|
|
|||
|
RFC 3703 Policy Core LDAP Schema February 2004
|
|||
|
|
|||
|
|
|||
|
13. Full Copyright Statement
|
|||
|
|
|||
|
Copyright (C) The Internet Society (2004). This document is subject
|
|||
|
to the rights, licenses and restrictions contained in BCP 78 and
|
|||
|
except as set forth therein, the authors retain all their rights.
|
|||
|
|
|||
|
This document and the information contained herein are provided on an
|
|||
|
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE
|
|||
|
REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE
|
|||
|
INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR
|
|||
|
IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
|
|||
|
THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
|
|||
|
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
|
|||
|
|
|||
|
Intellectual Property
|
|||
|
|
|||
|
The IETF takes no position regarding the validity or scope of any
|
|||
|
Intellectual Property Rights or other rights that might be claimed
|
|||
|
to pertain to the implementation or use of the technology
|
|||
|
described in this document or the extent to which any license
|
|||
|
under such rights might or might not be available; nor does it
|
|||
|
represent that it has made any independent effort to identify any
|
|||
|
such rights. Information on the procedures with respect to
|
|||
|
rights in RFC documents can be found in BCP 78 and BCP 79.
|
|||
|
|
|||
|
Copies of IPR disclosures made to the IETF Secretariat and any
|
|||
|
assurances of licenses to be made available, or the result of an
|
|||
|
attempt made to obtain a general license or permission for the use
|
|||
|
of such proprietary rights by implementers or users of this
|
|||
|
specification can be obtained from the IETF on-line IPR repository
|
|||
|
at http://www.ietf.org/ipr.
|
|||
|
|
|||
|
The IETF invites any interested party to bring to its attention
|
|||
|
any copyrights, patents or patent applications, or other
|
|||
|
proprietary rights that may cover technology that may be required
|
|||
|
to implement this standard. Please address the information to the
|
|||
|
IETF at ietf-ipr@ietf.org.
|
|||
|
|
|||
|
Acknowledgement
|
|||
|
|
|||
|
Funding for the RFC Editor function is currently provided by the
|
|||
|
Internet Society.
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Strassner, et al. Standards Track [Page 61]
|
|||
|
|