2002-09-23 12:35:05 +08:00
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
INTERNET-DRAFT S. Legg
|
2003-06-01 06:47:07 +08:00
|
|
|
|
draft-legg-ldap-acm-admin-02.txt Adacel Technologies
|
|
|
|
|
Intended Category: Standards Track February 25, 2003
|
2002-09-23 12:35:05 +08:00
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Access Control Administration in LDAP
|
|
|
|
|
|
2003-06-01 06:47:07 +08:00
|
|
|
|
Copyright (C) The Internet Society (2003). All Rights Reserved.
|
2002-09-23 12:35:05 +08:00
|
|
|
|
|
|
|
|
|
Status of this Memo
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
This document is an Internet-Draft and is in full conformance with
|
|
|
|
|
all provisions of Section 10 of RFC2026.
|
|
|
|
|
|
|
|
|
|
Internet-Drafts are working documents of the Internet Engineering
|
|
|
|
|
Task Force (IETF), its areas, and its working groups. Note that
|
|
|
|
|
other groups may also distribute working documents as
|
|
|
|
|
Internet-Drafts.
|
|
|
|
|
|
|
|
|
|
Internet-Drafts are draft documents valid for a maximum of six months
|
|
|
|
|
and may be updated, replaced, or obsoleted by other documents at any
|
|
|
|
|
time. It is inappropriate to use Internet-Drafts as reference
|
|
|
|
|
material or to cite them other than as "work in progress".
|
|
|
|
|
|
|
|
|
|
The list of current Internet-Drafts can be accessed at
|
|
|
|
|
http://www.ietf.org/ietf/1id-abstracts.txt
|
|
|
|
|
|
|
|
|
|
The list of Internet-Draft Shadow Directories can be accessed at
|
|
|
|
|
http://www.ietf.org/shadow.html.
|
|
|
|
|
|
|
|
|
|
Distribution of this document is unlimited. Comments should be sent
|
|
|
|
|
to the LDUP working group mailing list <ietf-ldup@imc.org> or to the
|
|
|
|
|
author.
|
|
|
|
|
|
2003-06-01 06:47:07 +08:00
|
|
|
|
This Internet-Draft expires on 25 August 2003.
|
2002-09-23 12:35:05 +08:00
|
|
|
|
|
|
|
|
|
|
|
|
|
|
1. Abstract
|
|
|
|
|
|
|
|
|
|
This document adapts the X.500 directory administrative model, as it
|
|
|
|
|
pertains to access control administration, for use by the Lightweight
|
|
|
|
|
Directory Access Protocol. The administrative model partitions the
|
|
|
|
|
Directory Information Tree for various aspects of directory data
|
|
|
|
|
administration, e.g. subschema, access control and collective
|
|
|
|
|
attributes. This document provides the particular definitions that
|
|
|
|
|
support access control administration, but does not define a
|
|
|
|
|
particular access control scheme.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
2003-06-01 06:47:07 +08:00
|
|
|
|
Legg Expires 25 August 2003 [Page 1]
|
2002-09-23 12:35:05 +08:00
|
|
|
|
|
2003-06-01 06:47:07 +08:00
|
|
|
|
INTERNET-DRAFT Access Control Administration February 25, 2003
|
2002-09-23 12:35:05 +08:00
|
|
|
|
|
|
|
|
|
|
|
|
|
|
2. Table of Contents
|
|
|
|
|
|
2003-06-01 06:47:07 +08:00
|
|
|
|
1. Abstract ...................................................... 1
|
|
|
|
|
2. Table of Contents ............................................. 2
|
|
|
|
|
3. Introduction .................................................. 2
|
|
|
|
|
4. Conventions ................................................... 2
|
|
|
|
|
5. Access Control Administrative Areas ........................... 3
|
|
|
|
|
6. Access Control Scheme Indication .............................. 3
|
|
|
|
|
7. Access Control Information .................................... 4
|
|
|
|
|
8. Access Control Subentries ..................................... 4
|
|
|
|
|
9. Applicable Access Control Information ......................... 5
|
|
|
|
|
10. Security Considerations ...................................... 6
|
|
|
|
|
11. Acknowledgements ............................................. 6
|
|
|
|
|
12. IANA Considerations .......................................... 6
|
|
|
|
|
13. Normative References ......................................... 7
|
|
|
|
|
14. Informative References ....................................... 7
|
|
|
|
|
15. Copyright Notice ............................................. 7
|
|
|
|
|
16. Author's Address ............................................. 8
|
2002-09-23 12:35:05 +08:00
|
|
|
|
|
|
|
|
|
|
|
|
|
|
3. Introduction
|
|
|
|
|
|
|
|
|
|
This document adapts the X.500 directory administrative model [X501],
|
|
|
|
|
as it pertains to access control administration, for use by the
|
2003-06-01 06:47:07 +08:00
|
|
|
|
Lightweight Directory Access Protocol (LDAP) [RFC3377].
|
2002-09-23 12:35:05 +08:00
|
|
|
|
|
|
|
|
|
The administrative model [ADMIN] partitions the Directory Information
|
|
|
|
|
Tree (DIT) for various aspects of directory data administration, e.g.
|
|
|
|
|
subschema, access control and collective attributes. The parts of
|
|
|
|
|
the administrative model that apply to every aspect of directory data
|
|
|
|
|
administration are described in [ADMIN]. This document describes the
|
|
|
|
|
administrative framework for access control.
|
|
|
|
|
|
|
|
|
|
An access control scheme describes the means by which access to
|
|
|
|
|
directory information, and potentially to access rights themselves,
|
|
|
|
|
may be controlled. This document describes the framework for
|
|
|
|
|
employing access control schemes but does not define a particular
|
|
|
|
|
access control scheme. Two access control schemes known as Basic
|
|
|
|
|
Access Control and Simplified Access Control are defined by [BAC].
|
2003-06-01 06:47:07 +08:00
|
|
|
|
Other access control schemes may be defined by other documents.
|
2002-09-23 12:35:05 +08:00
|
|
|
|
|
2003-06-01 06:47:07 +08:00
|
|
|
|
This document is derived from, and duplicates substantial portions
|
|
|
|
|
of, Sections 4 and 8 of [X501].
|
|
|
|
|
|
|
|
|
|
4. Conventions
|
2002-09-23 12:35:05 +08:00
|
|
|
|
|
2003-06-01 06:47:07 +08:00
|
|
|
|
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
|
|
|
|
|
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
|
2002-09-23 12:35:05 +08:00
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
2003-06-01 06:47:07 +08:00
|
|
|
|
Legg Expires 25 August 2003 [Page 2]
|
2002-09-23 12:35:05 +08:00
|
|
|
|
|
2003-06-01 06:47:07 +08:00
|
|
|
|
INTERNET-DRAFT Access Control Administration February 25, 2003
|
2002-09-23 12:35:05 +08:00
|
|
|
|
|
|
|
|
|
|
2003-06-01 06:47:07 +08:00
|
|
|
|
document are to be interpreted as described in RFC 2119 [RFC2119].
|
|
|
|
|
|
|
|
|
|
Schema definitions are provided using LDAP description formats
|
|
|
|
|
[RFC2252]. Note that the LDAP descriptions have been rendered with
|
|
|
|
|
additional white-space and line breaks for the sake of readability.
|
2002-09-23 12:35:05 +08:00
|
|
|
|
|
|
|
|
|
|
2003-06-01 06:47:07 +08:00
|
|
|
|
5. Access Control Administrative Areas
|
2002-09-23 12:35:05 +08:00
|
|
|
|
|
|
|
|
|
The specific administrative area [ADMIN] for access control is termed
|
|
|
|
|
an Access Control Specific Area (ACSA). The root of the ACSA is
|
|
|
|
|
termed an Access Control Specific Point (ACSP) and is represented in
|
|
|
|
|
the DIT by an administrative entry [ADMIN] which includes
|
|
|
|
|
accessControlSpecificArea as a value of its administrativeRole
|
|
|
|
|
operational attribute [SUBENTRY].
|
|
|
|
|
|
|
|
|
|
An ACSA MAY be partitioned into subtrees termed inner administrative
|
|
|
|
|
areas [ADMIN]. Each such inner area is termed an Access Control
|
|
|
|
|
Inner Area (ACIA). The root of the ACIA is termed an Access Control
|
|
|
|
|
Inner Point (ACIP) and is represented in the DIT by an administrative
|
|
|
|
|
entry which includes accessControlInnerArea as a value of its
|
|
|
|
|
administrativeRole operational attribute.
|
|
|
|
|
|
|
|
|
|
An administrative entry can never be both an ACSP and an ACIP. The
|
|
|
|
|
corresponding values can therefore never be present simultaneously in
|
|
|
|
|
the administrativeRole attribute.
|
|
|
|
|
|
|
|
|
|
Each entry necessarily falls within one and only one ACSA. Each such
|
|
|
|
|
entry may also fall within one or more ACIAs nested inside the ACSA
|
|
|
|
|
containing the entry.
|
|
|
|
|
|
|
|
|
|
An ACSP or ACIP has zero, one or more subentries that contain Access
|
|
|
|
|
Control Information (ACI).
|
|
|
|
|
|
|
|
|
|
|
2003-06-01 06:47:07 +08:00
|
|
|
|
6. Access Control Scheme Indication
|
2002-09-23 12:35:05 +08:00
|
|
|
|
|
|
|
|
|
The access control scheme (e.g. Basic Access Control [BAC]) in force
|
|
|
|
|
in an ACSA is indicated by the accessControlScheme operational
|
|
|
|
|
attribute contained in the administrative entry for the relevant
|
|
|
|
|
ACSP.
|
|
|
|
|
|
|
|
|
|
The LDAP description [RFC2252] for the accessControlScheme
|
|
|
|
|
operational attribute is:
|
|
|
|
|
|
|
|
|
|
( 2.5.24.1 NAME 'accessControlScheme'
|
|
|
|
|
EQUALITY objectIdentifierMatch
|
|
|
|
|
SYNTAX 1.3.6.1.4.1.1466.115.121.1.38
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
2003-06-01 06:47:07 +08:00
|
|
|
|
Legg Expires 25 August 2003 [Page 3]
|
2002-09-23 12:35:05 +08:00
|
|
|
|
|
2003-06-01 06:47:07 +08:00
|
|
|
|
INTERNET-DRAFT Access Control Administration February 25, 2003
|
|
|
|
|
|
2002-09-23 12:35:05 +08:00
|
|
|
|
|
2003-06-01 06:47:07 +08:00
|
|
|
|
SINGLE-VALUE USAGE directoryOperation )
|
2002-09-23 12:35:05 +08:00
|
|
|
|
|
2003-06-01 06:47:07 +08:00
|
|
|
|
An access control scheme conforming to the access control framework
|
2002-09-23 12:35:05 +08:00
|
|
|
|
described in this document MUST define a distinct OBJECT IDENTIFIER
|
|
|
|
|
value to identify it through the accessControlScheme attribute.
|
2003-06-01 06:47:07 +08:00
|
|
|
|
Object Identifier Descriptors for access control scheme identifiers
|
|
|
|
|
may be registered with IANA [RFC3383].
|
2002-09-23 12:35:05 +08:00
|
|
|
|
|
|
|
|
|
Only administrative entries for ACSPs are permitted to contain an
|
|
|
|
|
accessControlScheme attribute. If the accessControlScheme attribute
|
|
|
|
|
is absent from a given ACSP, the access control scheme in force in
|
|
|
|
|
the corresponding ACSA, and its effect on operations, results and
|
|
|
|
|
errors, is implementation defined.
|
|
|
|
|
|
|
|
|
|
Any entry or subentry in an ACSA is permitted to contain ACI if and
|
|
|
|
|
only if such ACI is permitted by, and consistent with, the access
|
|
|
|
|
control scheme identified by the value of the accessControlScheme
|
|
|
|
|
attribute of the ACSP.
|
|
|
|
|
|
|
|
|
|
|
2003-06-01 06:47:07 +08:00
|
|
|
|
7. Access Control Information
|
2002-09-23 12:35:05 +08:00
|
|
|
|
|
|
|
|
|
There are three categories of Access Control Information (ACI):
|
|
|
|
|
entry, subentry and prescriptive.
|
|
|
|
|
|
|
|
|
|
Entry ACI applies to only the entry or subentry in which it appears,
|
|
|
|
|
and the contents thereof. Subject to the access control scheme, any
|
|
|
|
|
entry or subentry MAY hold entry ACI.
|
|
|
|
|
|
|
|
|
|
Subentry ACI applies to only the subentries of the administrative
|
|
|
|
|
entry in which it appears. Subject to the access control scheme, any
|
|
|
|
|
administrative entry, for any aspect of administration, MAY hold
|
|
|
|
|
subentry ACI.
|
|
|
|
|
|
|
|
|
|
Prescriptive ACI applies to all the entries within a subtree or
|
|
|
|
|
subtree refinement of an administrative area (either an ACSA or an
|
|
|
|
|
ACIA), as defined by the subtreeSpecification attribute of the
|
|
|
|
|
subentry in which it appears. Prescriptive ACI is only permitted in
|
|
|
|
|
subentries of an ACSP or ACIP. Prescriptive ACI in the subentries of
|
|
|
|
|
a particular administrative point never applies to the same or any
|
|
|
|
|
other subentry of that administrative point, but does apply to the
|
|
|
|
|
subentries of subordinate administrative points, where those
|
|
|
|
|
subentries are within the subtree or subtree refinement.
|
|
|
|
|
|
|
|
|
|
|
2003-06-01 06:47:07 +08:00
|
|
|
|
8. Access Control Subentries
|
2002-09-23 12:35:05 +08:00
|
|
|
|
|
|
|
|
|
Each subentry which contains prescriptive ACI MUST have
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
2003-06-01 06:47:07 +08:00
|
|
|
|
Legg Expires 25 August 2003 [Page 4]
|
2002-09-23 12:35:05 +08:00
|
|
|
|
|
2003-06-01 06:47:07 +08:00
|
|
|
|
INTERNET-DRAFT Access Control Administration February 25, 2003
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
accessControlSubentry as a value of its objectClass attribute. Such
|
|
|
|
|
a subentry is called an access control subentry.
|
2002-09-23 12:35:05 +08:00
|
|
|
|
|
2003-06-01 06:47:07 +08:00
|
|
|
|
The LDAP description [RFC2252] for the accessControlSubentry
|
|
|
|
|
auxiliary object class is:
|
2002-09-23 12:35:05 +08:00
|
|
|
|
|
|
|
|
|
( 2.5.17.1 NAME 'accessControlSubentry' AUXILIARY )
|
|
|
|
|
|
|
|
|
|
A subentry of this object class MUST contain at least one
|
|
|
|
|
prescriptive ACI attribute of a type consistent with the value of the
|
|
|
|
|
accessControlScheme attribute of the corresponding ACSP.
|
|
|
|
|
|
|
|
|
|
The subtree or subtree refinement for an access control subentry is
|
|
|
|
|
termed a Directory Access Control Domain (DACD). A DACD can contain
|
|
|
|
|
zero entries, and can encompass entries that have not yet been added
|
|
|
|
|
to the DIT, but does not extend beyond the scope of the ACSA or ACIA
|
|
|
|
|
with which it is associated.
|
|
|
|
|
|
|
|
|
|
Since a subtreeSpecification may define a subtree refinement, DACDs
|
|
|
|
|
within a given ACSA may arbitrarily overlap.
|
|
|
|
|
|
|
|
|
|
|
2003-06-01 06:47:07 +08:00
|
|
|
|
9. Applicable Access Control Information
|
2002-09-23 12:35:05 +08:00
|
|
|
|
|
|
|
|
|
Although particular items of ACI may specify attributes or values as
|
|
|
|
|
the protected items, ACI is logically associated with entries.
|
|
|
|
|
|
|
|
|
|
The ACI that is considered in access control decisions regarding an
|
|
|
|
|
entry includes:
|
|
|
|
|
|
|
|
|
|
(1) Entry ACI from that particular entry.
|
|
|
|
|
|
|
|
|
|
(2) Prescriptive ACI from access control subentries whose DACDs
|
|
|
|
|
contain the entry. Each of these access control subentries is
|
|
|
|
|
necessarily either a subordinate of the ACSP for the ACSA
|
|
|
|
|
containing the entry, or a subordinate of the ACIP for an ACIA
|
|
|
|
|
that contains the entry.
|
|
|
|
|
|
|
|
|
|
The ACI that is considered in access control decisions regarding a
|
|
|
|
|
subentry includes:
|
|
|
|
|
|
|
|
|
|
(1) Entry ACI from that particular subentry.
|
|
|
|
|
|
|
|
|
|
(2) Prescriptive ACI from access control subentries whose DACDs
|
|
|
|
|
contain the subentry, excluding those belonging to the same
|
|
|
|
|
administrative point as the subentry for which the decision is
|
|
|
|
|
being made.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
2003-06-01 06:47:07 +08:00
|
|
|
|
Legg Expires 25 August 2003 [Page 5]
|
|
|
|
|
|
|
|
|
|
INTERNET-DRAFT Access Control Administration February 25, 2003
|
2002-09-23 12:35:05 +08:00
|
|
|
|
|
|
|
|
|
|
2003-06-01 06:47:07 +08:00
|
|
|
|
(3) Subentry ACI from the administrative point associated with the
|
|
|
|
|
subentry.
|
2002-09-23 12:35:05 +08:00
|
|
|
|
|
|
|
|
|
|
2003-06-01 06:47:07 +08:00
|
|
|
|
10. Security Considerations
|
2002-09-23 12:35:05 +08:00
|
|
|
|
|
|
|
|
|
This document defines a framework for employing an access control
|
|
|
|
|
scheme, i.e. the means by which access to directory information and
|
|
|
|
|
potentially to access rights themselves may be controlled, but does
|
|
|
|
|
not itself define any particular access control scheme. The degree
|
|
|
|
|
of protection provided, and any security risks, are determined by the
|
|
|
|
|
provisions of the access control schemes (defined elsewhere) making
|
|
|
|
|
use of this framework.
|
|
|
|
|
|
|
|
|
|
Security considerations that apply to directory administration in
|
|
|
|
|
general [ADMIN] also apply to access control administration.
|
|
|
|
|
|
|
|
|
|
|
2003-06-01 06:47:07 +08:00
|
|
|
|
11. Acknowledgements
|
2002-09-23 12:35:05 +08:00
|
|
|
|
|
|
|
|
|
This document is derived from, and duplicates substantial portions
|
|
|
|
|
of, Sections 4 and 8 of [X501].
|
|
|
|
|
|
|
|
|
|
|
2003-06-01 06:47:07 +08:00
|
|
|
|
12. IANA Considerations
|
|
|
|
|
|
|
|
|
|
The Internet Assigned Numbers Authority (IANA) is requested to update
|
|
|
|
|
the LDAP descriptors registry as indicated by the following
|
|
|
|
|
templates:
|
|
|
|
|
|
|
|
|
|
Subject: Request for LDAP Descriptor Registration
|
|
|
|
|
Descriptor (short name): accessControlScheme
|
|
|
|
|
Object Identifier: 2.5.24.1
|
|
|
|
|
Person & email address to contact for further information:
|
|
|
|
|
Steven Legg <steven.legg@adacel.com.au>
|
|
|
|
|
Usage: attribute type
|
|
|
|
|
Specification: RFC XXXX
|
|
|
|
|
Author/Change Controller: IESG
|
|
|
|
|
|
|
|
|
|
Subject: Request for LDAP Descriptor Registration
|
|
|
|
|
Descriptor (short name): accessControlSubentry
|
|
|
|
|
Object Identifier: 2.5.17.1
|
|
|
|
|
Person & email address to contact for further information:
|
|
|
|
|
Steven Legg <steven.legg@adacel.com.au>
|
|
|
|
|
Usage: object class
|
|
|
|
|
Specification: RFC XXXX
|
|
|
|
|
Author/Change Controller: IESG
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Legg Expires 25 August 2003 [Page 6]
|
|
|
|
|
|
|
|
|
|
INTERNET-DRAFT Access Control Administration February 25, 2003
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
13. Normative References
|
2002-09-23 12:35:05 +08:00
|
|
|
|
|
|
|
|
|
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
|
|
|
|
|
Requirement Levels", BCP 14, RFC 2119, March 1997.
|
|
|
|
|
|
|
|
|
|
[RFC2252] Wahl, M., Coulbeck, A., Howes, T. and S. Kille,
|
|
|
|
|
"Lightweight Directory Access Protocol (v3): Attribute
|
|
|
|
|
Syntax Definitions", RFC 2252, December 1997.
|
|
|
|
|
|
2003-06-01 06:47:07 +08:00
|
|
|
|
[RFC3377] Hodges, J. and R. Morgan, "Lightweight Directory Access
|
|
|
|
|
Protocol (v3): Technical Specification", RFC 3377,
|
2002-09-23 12:35:05 +08:00
|
|
|
|
September 2002.
|
|
|
|
|
|
2003-06-01 06:47:07 +08:00
|
|
|
|
[RFC3383] Zeilenga, K., "Internet Assigned Numbers Authority (IANA
|
|
|
|
|
Considerations for the Lightweight Directory Access
|
|
|
|
|
Protocol (LDAP)", BCP 64, RFC 3383, September 2002.
|
|
|
|
|
|
|
|
|
|
[ADMIN] Legg, S., "Directory Administrative Model in LDAP",
|
|
|
|
|
draft-legg-ldap-admin-xx.txt, a work in progress, February
|
|
|
|
|
2003.
|
|
|
|
|
|
2002-09-23 12:35:05 +08:00
|
|
|
|
[SUBENTRY] Zeilenga, K. and S. Legg, "Subentries in LDAP",
|
|
|
|
|
draft-zeilenga-ldap-subentry-xx.txt, a work in progress,
|
|
|
|
|
August 2002.
|
|
|
|
|
|
|
|
|
|
|
2003-06-01 06:47:07 +08:00
|
|
|
|
14. Informative References
|
2002-09-23 12:35:05 +08:00
|
|
|
|
|
|
|
|
|
[BAC] Legg, S., "Basic and Simplified Access Control in LDAP",
|
|
|
|
|
draft-legg-ldap-acm-bac-xx.txt, a work in progress,
|
2003-06-01 06:47:07 +08:00
|
|
|
|
February 2003.
|
2002-09-23 12:35:05 +08:00
|
|
|
|
|
|
|
|
|
[COLLECT] Zeilenga, K., "Collective Attributes in LDAP",
|
|
|
|
|
draft-zeilenga-ldap-collective-xx.txt, a work in progress,
|
|
|
|
|
August 2002.
|
|
|
|
|
|
|
|
|
|
[X501] ITU-T Recommendation X.501 (02/2001), Information
|
|
|
|
|
technology - Open Systems Interconnection - The Directory:
|
|
|
|
|
Models
|
|
|
|
|
|
|
|
|
|
|
2003-06-01 06:47:07 +08:00
|
|
|
|
15. Copyright Notice
|
2002-09-23 12:35:05 +08:00
|
|
|
|
|
2003-06-01 06:47:07 +08:00
|
|
|
|
Copyright (C) The Internet Society (2003). All Rights Reserved.
|
2002-09-23 12:35:05 +08:00
|
|
|
|
|
|
|
|
|
This document and translations of it may be copied and furnished to
|
|
|
|
|
others, and derivative works that comment on or otherwise explain it
|
|
|
|
|
or assist in its implementation may be prepared, copied, published
|
2003-06-01 06:47:07 +08:00
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Legg Expires 25 August 2003 [Page 7]
|
|
|
|
|
|
|
|
|
|
INTERNET-DRAFT Access Control Administration February 25, 2003
|
|
|
|
|
|
|
|
|
|
|
2002-09-23 12:35:05 +08:00
|
|
|
|
and distributed, in whole or in part, without restriction of any
|
|
|
|
|
kind, provided that the above copyright notice and this paragraph are
|
|
|
|
|
included on all such copies and derivative works. However, this
|
|
|
|
|
document itself may not be modified in any way, such as by removing
|
|
|
|
|
the copyright notice or references to the Internet Society or other
|
|
|
|
|
Internet organizations, except as needed for the purpose of
|
|
|
|
|
developing Internet standards in which case the procedures for
|
|
|
|
|
copyrights defined in the Internet Standards process must be
|
|
|
|
|
followed, or as required to translate it into languages other than
|
|
|
|
|
English.
|
|
|
|
|
|
|
|
|
|
The limited permissions granted above are perpetual and will not be
|
|
|
|
|
revoked by the Internet Society or its successors or assigns.
|
|
|
|
|
|
|
|
|
|
This document and the information contained herein is provided on an
|
|
|
|
|
"AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
|
|
|
|
|
TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
|
|
|
|
|
BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
|
|
|
|
|
HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
|
|
|
|
|
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
|
|
|
|
|
|
|
|
|
|
|
2003-06-01 06:47:07 +08:00
|
|
|
|
16. Author's Address
|
2002-09-23 12:35:05 +08:00
|
|
|
|
|
|
|
|
|
Steven Legg
|
|
|
|
|
Adacel Technologies Ltd.
|
2003-06-01 06:47:07 +08:00
|
|
|
|
250 Bay Street
|
|
|
|
|
Brighton, Victoria 3186
|
2002-09-23 12:35:05 +08:00
|
|
|
|
AUSTRALIA
|
|
|
|
|
|
2003-06-01 06:47:07 +08:00
|
|
|
|
Phone: +61 3 8530 7710
|
|
|
|
|
Fax: +61 3 8530 7888
|
2002-09-23 12:35:05 +08:00
|
|
|
|
EMail: steven.legg@adacel.com.au
|
|
|
|
|
|
|
|
|
|
|
2003-06-01 06:47:07 +08:00
|
|
|
|
Appendix A - Changes From Previous Drafts
|
|
|
|
|
|
|
|
|
|
A.1 Changes in Draft 01
|
|
|
|
|
|
|
|
|
|
Section 4 has been extracted to become a separate Internet draft,
|
|
|
|
|
draft-legg-ldap-admin-00.txt. The subsections of Section 5 have
|
|
|
|
|
become the new Sections 4 to 8. Editorial changes have been made to
|
|
|
|
|
accommodate this split. No technical changes have been introduced.
|
|
|
|
|
|
|
|
|
|
A.2 Changes in Draft 02
|
2002-09-23 12:35:05 +08:00
|
|
|
|
|
2003-06-01 06:47:07 +08:00
|
|
|
|
RFC 3377 replaces RFC 2251 as the reference for LDAP.
|
2002-09-23 12:35:05 +08:00
|
|
|
|
|
|
|
|
|
|
2003-06-01 06:47:07 +08:00
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Legg Expires 25 August 2003 [Page 8]
|
2002-09-23 12:35:05 +08:00
|
|
|
|
|
2003-06-01 06:47:07 +08:00
|
|
|
|
INTERNET-DRAFT Access Control Administration February 25, 2003
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
An IANA Considerations section has been added.
|
|
|
|
|
|
|
|
|
|
|
2002-09-23 12:35:05 +08:00
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
2003-06-01 06:47:07 +08:00
|
|
|
|
Legg Expires 25 August 2003 [Page 9]
|
2002-09-23 12:35:05 +08:00
|
|
|
|
|