mirror of
https://git.openldap.org/openldap/openldap.git
synced 2025-01-12 10:54:48 +08:00
1401 lines
36 KiB
Plaintext
1401 lines
36 KiB
Plaintext
|
|
|||
|
|
|||
|
|
|||
|
Network Working Group S. Haripriya
|
|||
|
Internet-Draft Jaimon. Jose, Ed.
|
|||
|
Updates: 02 (if approved) Jim. Sermersheim
|
|||
|
Intended status: Standards Track Novell, Inc.
|
|||
|
Expires: July 9, 2007 January 5, 2007
|
|||
|
|
|||
|
|
|||
|
LDAP: Dynamic Groups for LDAPv3
|
|||
|
draft-haripriya-dynamicgroup-02
|
|||
|
|
|||
|
Status of this Memo
|
|||
|
|
|||
|
By submitting this Internet-Draft, each author represents that any
|
|||
|
applicable patent or other IPR claims of which he or she is aware
|
|||
|
have been or will be disclosed, and any of which he or she becomes
|
|||
|
aware will be disclosed, in accordance with Section 6 of BCP 79.
|
|||
|
|
|||
|
Internet-Drafts are working documents of the Internet Engineering
|
|||
|
Task Force (IETF), its areas, and its working groups. Note that
|
|||
|
other groups may also distribute working documents as Internet-
|
|||
|
Drafts.
|
|||
|
|
|||
|
Internet-Drafts are draft documents valid for a maximum of six months
|
|||
|
and may be updated, replaced, or obsoleted by other documents at any
|
|||
|
time. It is inappropriate to use Internet-Drafts as reference
|
|||
|
material or to cite them other than as "work in progress."
|
|||
|
|
|||
|
The list of current Internet-Drafts can be accessed at
|
|||
|
http://www.ietf.org/ietf/1id-abstracts.txt.
|
|||
|
|
|||
|
The list of Internet-Draft Shadow Directories can be accessed at
|
|||
|
http://www.ietf.org/shadow.html.
|
|||
|
|
|||
|
This Internet-Draft will expire on July 9, 2007.
|
|||
|
|
|||
|
Copyright Notice
|
|||
|
|
|||
|
Copyright (C) The Internet Society (2007).
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Haripriya, et al. Expires July 9, 2007 [Page 1]
|
|||
|
|
|||
|
Internet-Draft LDAP: Dynamic Groups for LDAPv3 January 2007
|
|||
|
|
|||
|
|
|||
|
Abstract
|
|||
|
|
|||
|
This document describes the requirements, semantics, schema elements,
|
|||
|
and operations needed for a dynamic group feature in LDAP. A dynamic
|
|||
|
group is defined here as a group object with a membership list of
|
|||
|
distinguished names that is dynamically generated using LDAP search
|
|||
|
criteria. The dynamic membership list may then be interrogated by
|
|||
|
LDAP search and compare operations, and may also be used to find the
|
|||
|
groups that an object is a member of. This feature eliminates a huge
|
|||
|
amount of the administrative effort required today for maintaining
|
|||
|
group memberships and role-based operations in large enterprises.
|
|||
|
|
|||
|
|
|||
|
Table of Contents
|
|||
|
|
|||
|
1. Conventions used in this document . . . . . . . . . . . . . . 4
|
|||
|
2. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 5
|
|||
|
3. Requirements of a dynamic group feature . . . . . . . . . . . 6
|
|||
|
4. Schema and Semantic Definitions for Dynamic Groups . . . . . . 7
|
|||
|
4.1. Object Classes . . . . . . . . . . . . . . . . . . . . . . 7
|
|||
|
4.1.1. dynamicGroup . . . . . . . . . . . . . . . . . . . . . 7
|
|||
|
4.1.2. dynamicGroupOfUniqueNames . . . . . . . . . . . . . . 7
|
|||
|
4.1.3. dynamicGroupAux . . . . . . . . . . . . . . . . . . . 7
|
|||
|
4.1.4. dynamicGroupOfUniqueNamesAux . . . . . . . . . . . . . 7
|
|||
|
4.2. Attributes . . . . . . . . . . . . . . . . . . . . . . . . 8
|
|||
|
4.2.1. memberQueryURL . . . . . . . . . . . . . . . . . . . . 8
|
|||
|
4.2.2. excludedMember . . . . . . . . . . . . . . . . . . . . 11
|
|||
|
4.3. member . . . . . . . . . . . . . . . . . . . . . . . . . . 11
|
|||
|
4.4. uniqueMember . . . . . . . . . . . . . . . . . . . . . . . 11
|
|||
|
4.5. dgIdentity . . . . . . . . . . . . . . . . . . . . . . . . 11
|
|||
|
4.5.1. dgIdentity - Security implications . . . . . . . . . . 12
|
|||
|
5. Advertisement of support for dynamic groups . . . . . . . . . 13
|
|||
|
6. Dynamic Group Operations . . . . . . . . . . . . . . . . . . . 14
|
|||
|
6.1. Existing Operations . . . . . . . . . . . . . . . . . . . 14
|
|||
|
6.1.1. Access to resources in the directory . . . . . . . . . 14
|
|||
|
6.1.2. Reading a dynamic group object . . . . . . . . . . . . 14
|
|||
|
6.1.3. 'Is Member Of' functionality . . . . . . . . . . . . . 15
|
|||
|
6.2. New Extensions . . . . . . . . . . . . . . . . . . . . . . 16
|
|||
|
6.2.1. Managing the static members of a dynamic group . . . . 16
|
|||
|
7. Performance Considerations . . . . . . . . . . . . . . . . . . 17
|
|||
|
7.1. Caching of Dynamic Members . . . . . . . . . . . . . . . . 17
|
|||
|
8. Security Considerations . . . . . . . . . . . . . . . . . . . 18
|
|||
|
9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 19
|
|||
|
10. Conclusions . . . . . . . . . . . . . . . . . . . . . . . . . 20
|
|||
|
11. Normative References . . . . . . . . . . . . . . . . . . . . . 21
|
|||
|
Appendix A. Example Values for memberQueryURL . . . . . . . . . . 22
|
|||
|
Appendix B. Acknowledgments . . . . . . . . . . . . . . . . . . . 23
|
|||
|
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 24
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Haripriya, et al. Expires July 9, 2007 [Page 2]
|
|||
|
|
|||
|
Internet-Draft LDAP: Dynamic Groups for LDAPv3 January 2007
|
|||
|
|
|||
|
|
|||
|
Intellectual Property and Copyright Statements . . . . . . . . . . 25
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Haripriya, et al. Expires July 9, 2007 [Page 3]
|
|||
|
|
|||
|
Internet-Draft LDAP: Dynamic Groups for LDAPv3 January 2007
|
|||
|
|
|||
|
|
|||
|
1. Conventions used in this document
|
|||
|
|
|||
|
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
|
|||
|
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
|
|||
|
document are to be interpreted as described in [1].
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Haripriya, et al. Expires July 9, 2007 [Page 4]
|
|||
|
|
|||
|
Internet-Draft LDAP: Dynamic Groups for LDAPv3 January 2007
|
|||
|
|
|||
|
|
|||
|
2. Introduction
|
|||
|
|
|||
|
The LDAP schema described in [4] defines two object classes:
|
|||
|
'groupOfNames', and 'groupOfUniqueNames', that hold a static list of
|
|||
|
distinguished names in their 'member' or 'uniqueMember' attributes
|
|||
|
respectively, and are typically used to describe a group of objects
|
|||
|
for various functions. These grouping functions range from simple
|
|||
|
group membership applications such as email distribution lists to
|
|||
|
describing common authorization for a set of users The administration
|
|||
|
and updating of these membership lists must be done by specifically
|
|||
|
modifying the DN values in the member or uniqueMember attributes.
|
|||
|
Thus, each time a change in membership happens, a process must exist
|
|||
|
which adds or removes the particular entry's DN from the member
|
|||
|
attribute. For example, consider an organization, where the access
|
|||
|
to its facilities is controlled by membership in a directory group.
|
|||
|
Assume that all employees in a department have been added to the
|
|||
|
group that provides access to the required department facility. If
|
|||
|
an employee moves from one department to another, the administrator
|
|||
|
must remove the employee from one group and add him to another.
|
|||
|
Similarly consider an organization that wants to provide access to
|
|||
|
its facility, to both interns and employees on weekdays, but only to
|
|||
|
employees on weekends. It would be effort-consuming to achieve this
|
|||
|
with static groups.
|
|||
|
|
|||
|
"Dynamic groups" are like normal groups, but they let one specify
|
|||
|
criteria to be used for evaluating membership to a group; the
|
|||
|
membership of the group is determined dynamically by the directory
|
|||
|
servers involved. This lets the group administrator define the
|
|||
|
membership in terms of attributes, and let the DSAs worry about who
|
|||
|
are the actual members. This solution is more scalable and reduces
|
|||
|
administrative costs. This can also supplement static groups in LDAP
|
|||
|
to provide flexibility to the user.
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Haripriya, et al. Expires July 9, 2007 [Page 5]
|
|||
|
|
|||
|
Internet-Draft LDAP: Dynamic Groups for LDAPv3 January 2007
|
|||
|
|
|||
|
|
|||
|
3. Requirements of a dynamic group feature
|
|||
|
|
|||
|
The following requirements SHOULD be met by a proposal for the
|
|||
|
dynamic groups feature:
|
|||
|
|
|||
|
1. Creation and administration of dynamic groups should be done
|
|||
|
using normal LDAP operations.
|
|||
|
|
|||
|
2. Applications must be able to use dynamic groups in the same way
|
|||
|
that they are able to use static groups for listing members and
|
|||
|
for membership evaluation.
|
|||
|
|
|||
|
3. Interrogation of a dynamic group's membership should be done
|
|||
|
using normal LDAP operations, and should be consistent. This
|
|||
|
means that all authorization identities with the same permission
|
|||
|
to the membership attribute of a dynamic group (such as 'read')
|
|||
|
should be presented with the same membership list.
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Haripriya, et al. Expires July 9, 2007 [Page 6]
|
|||
|
|
|||
|
Internet-Draft LDAP: Dynamic Groups for LDAPv3 January 2007
|
|||
|
|
|||
|
|
|||
|
4. Schema and Semantic Definitions for Dynamic Groups
|
|||
|
|
|||
|
The dynamic group classes are defined by the following schema
|
|||
|
|
|||
|
4.1. Object Classes
|
|||
|
|
|||
|
The following object classes MUST be supported, and their semantics
|
|||
|
understood by the server, for it to support the dynamic groups
|
|||
|
feature.
|
|||
|
|
|||
|
4.1.1. dynamicGroup
|
|||
|
|
|||
|
( <OID.TBD> NAME 'dynamicGroup' SUP groupOfNames STRUCTURAL MAY
|
|||
|
(memberQueryURL $ excludedMember $ dgIdentity ))
|
|||
|
|
|||
|
This structural object class is used to create a dynamic group
|
|||
|
object. It is derived from groupOfNames, which is defined in [4].
|
|||
|
|
|||
|
4.1.2. dynamicGroupOfUniqueNames
|
|||
|
|
|||
|
( <OID.TBD> NAME 'dynamicGroupOfUniqueNames' SUP groupOfUniqueNames
|
|||
|
STRUCTURAL MAY (memberQueryURL $ excludedMember $ dgIdentity ))
|
|||
|
|
|||
|
This structural object class is used to create a dynamic group object
|
|||
|
whose membership list is held in a uniqueMember attribute. It is
|
|||
|
derived from groupOfUniqueNames, which is defined in [4].
|
|||
|
|
|||
|
4.1.3. dynamicGroupAux
|
|||
|
|
|||
|
( <OID.TBD> NAME 'dynamicGroupAux' SUP groupOfNames AUXILIARY MAY
|
|||
|
(memberQueryURL $ excludedMember $ dgIdentity ))
|
|||
|
|
|||
|
This auxiliary object class is used to convert an existing object to
|
|||
|
a dynamic group or to create an object of another object class but
|
|||
|
with dynamic group capabilities. This is derived from groupOfNames
|
|||
|
which is defined in [4].
|
|||
|
|
|||
|
4.1.4. dynamicGroupOfUniqueNamesAux
|
|||
|
|
|||
|
( <OID.TBD> NAME 'dynamicGroupOfUniqueNamesAux' SUP groupOfUniqueNames
|
|||
|
AUXILIARY MAY (memberQueryURL $ excludedMember $ dgIdentity ))
|
|||
|
|
|||
|
This auxiliary object class is used to convert an existing object to
|
|||
|
a dynamic group of unique names or to create an object of another
|
|||
|
object class but with dynamic group capabilities. This is derived
|
|||
|
from groupOfUniqueNames which is defined in [4].
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Haripriya, et al. Expires July 9, 2007 [Page 7]
|
|||
|
|
|||
|
Internet-Draft LDAP: Dynamic Groups for LDAPv3 January 2007
|
|||
|
|
|||
|
|
|||
|
4.2. Attributes
|
|||
|
|
|||
|
The following attribute names MUST be supported by the server.
|
|||
|
|
|||
|
4.2.1. memberQueryURL
|
|||
|
|
|||
|
This attribute describes the membership of the list using an LDAPURL
|
|||
|
[3].
|
|||
|
|
|||
|
(<OID.TBD> NAME 'memberQueryURL' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
|
|||
|
|
|||
|
The value of memberQueryURL is encoded as an LDAPURL [3]
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Haripriya, et al. Expires July 9, 2007 [Page 8]
|
|||
|
|
|||
|
Internet-Draft LDAP: Dynamic Groups for LDAPv3 January 2007
|
|||
|
|
|||
|
|
|||
|
The BNF from [3] is listed here for reference.
|
|||
|
ldapurl = scheme COLON SLASH SLASH [host [COLON port]] [SLASH dn
|
|||
|
[QUESTION [attributes] [QUESTION [scope] [QUESTION [filter] [QUESTION
|
|||
|
extensions]]]]]
|
|||
|
; <host> and <port> are defined
|
|||
|
; in Sections 3.2.2 and 3.2.3
|
|||
|
; of [RFC3986].
|
|||
|
; <filter> is from Section 3 of
|
|||
|
; [RFC4515], subject to the
|
|||
|
; provisions of the
|
|||
|
; "Percent-Encoding" section
|
|||
|
; below.
|
|||
|
scheme = "ldap"
|
|||
|
dn = distinguishedName ; From Section 3 of [RFC4514],
|
|||
|
; subject to the provisions of
|
|||
|
; the "Percent-Encoding"
|
|||
|
; section below.
|
|||
|
attributes = attrdesc *(COMMA attrdesc)
|
|||
|
attrdesc = selector *(COMMA selector)
|
|||
|
selector = attributeSelector ; From Section 4.5.1 of
|
|||
|
; [RFC4511], subject to the
|
|||
|
; provisions of the
|
|||
|
; "Percent-Encoding" section
|
|||
|
; below.
|
|||
|
scope = "base" / "one" / "sub"
|
|||
|
extensions = extension *(COMMA extension)
|
|||
|
extension = [EXCLAMATION] extype [EQUALS exvalue]
|
|||
|
extype = oid ; From section 1.4 of [RFC4512].
|
|||
|
exvalue = LDAPString ; From section 4.1.2 of
|
|||
|
; [RFC4511], subject to the
|
|||
|
; provisions of the
|
|||
|
; "Percent-Encoding" section
|
|||
|
; below.
|
|||
|
EXCLAMATION = %x21 ; exclamation mark ("!")
|
|||
|
SLASH = %x2F ; forward slash ("/")
|
|||
|
COLON = %x3A ; colon (":")
|
|||
|
QUESTION = %x3F ; question mark ("?")
|
|||
|
|
|||
|
|
|||
|
For the purpose of evaluating dynamic members, the directory server
|
|||
|
uses only the dn, scope, filter and extensions fields. All remaining
|
|||
|
fields are ignored if specified. If other fields are specified, the
|
|||
|
server SHALL ignore them and MAY omit them when presenting the value
|
|||
|
to a client. The dn is used to specify the base dn from which to
|
|||
|
start the search for dynamic members. The scope specifies the scope
|
|||
|
with respect to the dn in which to search for dynamic members. The
|
|||
|
filter specifies the criteria with which to select objects for
|
|||
|
dynamic membership.
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Haripriya, et al. Expires July 9, 2007 [Page 9]
|
|||
|
|
|||
|
Internet-Draft LDAP: Dynamic Groups for LDAPv3 January 2007
|
|||
|
|
|||
|
|
|||
|
4.2.1.1. The x-chain extension
|
|||
|
|
|||
|
A new extension is defined for use of the memberQueryURL in dynamic
|
|||
|
groups, named 'x-chain'. x-chain does not take a value. When x-chain
|
|||
|
is present, the server must follow any search continuation references
|
|||
|
to other servers while searching for dynamic members. When x-chain
|
|||
|
is absent, the dynamic members computed will be only those that are
|
|||
|
present on the server from which the search is made. A directory
|
|||
|
server supporting the memberQueryURL MAY support the x-chain
|
|||
|
extension, thus the x-chain extension could be critical or non-
|
|||
|
critical as specified by the '!' prefix to the extension type.
|
|||
|
|
|||
|
4.2.1.2. Semantics of multiple values for memberQueryURL
|
|||
|
|
|||
|
The memberQueryURL MAY have multiple values, and in that case, the
|
|||
|
members of the dynamic group will be the union of the members
|
|||
|
computed using each individual URL value. This is useful in
|
|||
|
specifying a group membership that is made up from subtrees rooted at
|
|||
|
different base DNs, and possibly using different filters.
|
|||
|
|
|||
|
4.2.1.3. Condition of membership
|
|||
|
|
|||
|
An object O is a member of a dynamic group G if and only if
|
|||
|
|
|||
|
(( O is a value of the 'member' or 'uniqueMember' attribute of G)
|
|||
|
|
|||
|
OR
|
|||
|
|
|||
|
(( O is selected by the membership criteria specified in the
|
|||
|
'memberQueryURL' attribute values of G)
|
|||
|
|
|||
|
AND
|
|||
|
|
|||
|
( O is not listed in the 'excludedMember' attribute of G) ))
|
|||
|
|
|||
|
If a member M of a dynamic group G happens to be a dynamic or a
|
|||
|
static group, the static or dynamic members of M SHALL NOT be
|
|||
|
considered as members of G. M is a member of G though.
|
|||
|
|
|||
|
The last condition is imposed because
|
|||
|
|
|||
|
o Recursively evaluating members of members may degrade the
|
|||
|
performance of the server drastically.
|
|||
|
|
|||
|
o Looping may occur particularly in situations where the search
|
|||
|
chains across multiple-servers.
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Haripriya, et al. Expires July 9, 2007 [Page 10]
|
|||
|
|
|||
|
Internet-Draft LDAP: Dynamic Groups for LDAPv3 January 2007
|
|||
|
|
|||
|
|
|||
|
o Dynamic membership assertions (compare operation) cannot be
|
|||
|
optimized if recursive memberships are allowed. Without
|
|||
|
recursion, comparisons can be made light-weight.
|
|||
|
|
|||
|
4.2.2. excludedMember
|
|||
|
|
|||
|
( <OID.TBD> NAME 'excludedMember' SUP distinguishedName )
|
|||
|
|
|||
|
This attribute is used to exclude entries from being a dynamic member
|
|||
|
of a dynamic group. Thus an entry is a dynamic member of a dynamic
|
|||
|
group if and only if it is selected by the member criteria specified
|
|||
|
by the 'memberQueryURL' attribute or explicitly added to the member
|
|||
|
or uniqueMember attribute, and it is not listed in the
|
|||
|
'excludedMember' attribute.
|
|||
|
|
|||
|
4.3. member
|
|||
|
|
|||
|
( 2.5.4.31 NAME 'member' SUP distinguishedName )
|
|||
|
|
|||
|
Defined in [4], this attribute is overloaded when used in the context
|
|||
|
of a dynamic group. It is used to explicitly specify static members
|
|||
|
of a dynamic group. If the same entry is listed in both the 'member'
|
|||
|
and 'excludedMember' attributes, the 'member' overrides the
|
|||
|
'excludedMember', and the entry is considered to be a member of the
|
|||
|
group. This attribute is also used to interrogate both the static
|
|||
|
and dynamic member values of a dynamic group object. Subclasses of
|
|||
|
this attribute are NOT considered in this manner.
|
|||
|
|
|||
|
4.4. uniqueMember
|
|||
|
|
|||
|
( 2.5.4.32 NAME 'uniqueMember' SUP distinguishedName )
|
|||
|
|
|||
|
Defined in [4], this attribute is overloaded when used in the context
|
|||
|
of a dynamic group. It is used to specify the static members of a
|
|||
|
dynamic group. If the same entry is listed in both the
|
|||
|
'uniqueMember' and 'excludedMember' attributes, the 'uniqueMember'
|
|||
|
overrides the 'excludedMember', and the entry is considered to be a
|
|||
|
member of the group. This attribute is also used to interrogate both
|
|||
|
the static and dynamic member values of a dynamic group object.
|
|||
|
Subclasses of this attribute are NOT considered in this manner.
|
|||
|
|
|||
|
4.5. dgIdentity
|
|||
|
|
|||
|
( <OID.TBD> NAME 'identity' SUP distinguishedName SINGLE-VALUE )
|
|||
|
|
|||
|
In order to provide consistent results when processing the search
|
|||
|
criteria, the server must use a single authorization identity. If
|
|||
|
the authorization of the bound identity is used, the membership list
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Haripriya, et al. Expires July 9, 2007 [Page 11]
|
|||
|
|
|||
|
Internet-Draft LDAP: Dynamic Groups for LDAPv3 January 2007
|
|||
|
|
|||
|
|
|||
|
will vary, from identity to identity due to differing access
|
|||
|
controls. This may either be done by the server authenticating as
|
|||
|
the dgIdentity prior to performing a search or compare operation, or
|
|||
|
may be done by simply assuming the authorization of the dgIdentity
|
|||
|
when performing those operations. As server implementations vary, so
|
|||
|
may the mechanisms to achieve consistent results through the use of
|
|||
|
the dgIdentity. In the case that the server authenticates as the
|
|||
|
dgIdentity, it may be required by the server that this identity have
|
|||
|
proper authentication credentials, and it may be required that this
|
|||
|
identity reside in the DIB of the local server.
|
|||
|
|
|||
|
In the absence of an identity value, or in case the identity value
|
|||
|
cannot be used, the server will process the memberQueryURL as the
|
|||
|
anonymous identity. This attribute MAY be supported, and represents
|
|||
|
the identity the server will use for processing the memberQueryURL.
|
|||
|
|
|||
|
4.5.1. dgIdentity - Security implications
|
|||
|
|
|||
|
Because this attribute indirectly but effectively grants anyone with
|
|||
|
read or compare access to the member or uniqueMember attribute
|
|||
|
sufficient permission to gain a DN result set from the
|
|||
|
memberQueryURL, server implementations SHOULD NOT allow this
|
|||
|
attribute to be populated with the DN of any object that is not
|
|||
|
administered by the identity making the change to this attribute.
|
|||
|
For purposes of this document, to "administer an object" indicates
|
|||
|
that the administrative identity has the ability to fully update the
|
|||
|
access control mechanism in place the object in question. As of this
|
|||
|
writing, there is no way to describe further what it means to be
|
|||
|
fully able to administer the access control mechanism for an object,
|
|||
|
so this definition is left as implementation-specific.
|
|||
|
|
|||
|
This requirement will allow an entity that has privileges to
|
|||
|
administer a particular subtree (meaning that entity can add, delete,
|
|||
|
and update objects in that subtree), to place in the dgIdentity DNs
|
|||
|
of only those objects it administers.
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Haripriya, et al. Expires July 9, 2007 [Page 12]
|
|||
|
|
|||
|
Internet-Draft LDAP: Dynamic Groups for LDAPv3 January 2007
|
|||
|
|
|||
|
|
|||
|
5. Advertisement of support for dynamic groups
|
|||
|
|
|||
|
If the dynamic groups schema is not present on an LDAP server, it
|
|||
|
MUST be assumed that the dynamic groups feature is not supported.
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Haripriya, et al. Expires July 9, 2007 [Page 13]
|
|||
|
|
|||
|
Internet-Draft LDAP: Dynamic Groups for LDAPv3 January 2007
|
|||
|
|
|||
|
|
|||
|
6. Dynamic Group Operations
|
|||
|
|
|||
|
6.1. Existing Operations
|
|||
|
|
|||
|
The following operations SHOULD expose the dynamic groups
|
|||
|
functionality. These operations do not require any change in the
|
|||
|
LDAP protocol to be exchanged between the client and server.
|
|||
|
|
|||
|
6.1.1. Access to resources in the directory
|
|||
|
|
|||
|
If access control items are set on a target resource object in the
|
|||
|
directory, with the subject being a dynamic group object, then all
|
|||
|
the members of the group object, including the dynamic members, will
|
|||
|
get the same permissions on the target entry. This would be the most
|
|||
|
useful application of dynamic groups as seen by an administrator
|
|||
|
because it lets the server control access to resources based on
|
|||
|
dynamic membership to a trustee (subject of ACI) of the resource.
|
|||
|
The way to specify a dynamic ACL is currently implementation
|
|||
|
specific, as there is no common ACL definition for LDAP, and hence
|
|||
|
will be dealt with in a separate document or later (TO BE DONE).
|
|||
|
|
|||
|
6.1.2. Reading a dynamic group object
|
|||
|
|
|||
|
When the member attributes of a dynamic group object is listed by the
|
|||
|
client using an LDAP search operation, the member values returned
|
|||
|
SHOULD contain both the static and dynamic members of the group
|
|||
|
object. This functionality will not require a change to the
|
|||
|
protocol, and the clients need not be aware of dynamic groups to
|
|||
|
exploit this functionality. This feature is useful for clients that
|
|||
|
determine access privileges to a resource by themselves, by reading
|
|||
|
the members of a group object. It will also be useful to
|
|||
|
administrators who want to see the result of the query URL that they
|
|||
|
set on the dynamic group entry. Note that this overloads the
|
|||
|
semantics of the 'member' and 'uniqueMember' attributes. This could
|
|||
|
lead to some surprises for the client .
|
|||
|
|
|||
|
for example: Clients that read the member attribute of a dynamic
|
|||
|
group object and then attempt to remove values (which were dynamic)
|
|||
|
could get an error specifying such a value was not there.
|
|||
|
|
|||
|
Example:
|
|||
|
|
|||
|
Let cn=dg1,o=myorg be a dynamic group object with the following
|
|||
|
attributes stored in the directory.
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Haripriya, et al. Expires July 9, 2007 [Page 14]
|
|||
|
|
|||
|
Internet-Draft LDAP: Dynamic Groups for LDAPv3 January 2007
|
|||
|
|
|||
|
|
|||
|
member: cn=admin,o=myorg
|
|||
|
|
|||
|
excludedMember: cn=guest,ou=finance,o=myorg
|
|||
|
|
|||
|
excludedMember: cn=robin,ou=finance,o=myorg
|
|||
|
|
|||
|
memberQueryURL:
|
|||
|
ldap:///ou=finance,o=myorg??sub?(objectclass=organizationalPerson)
|
|||
|
|
|||
|
If there are 5 organizationalPerson objects under ou=finance,o=myorg
|
|||
|
with common names bob, alice, john, robin, and guest, then the output
|
|||
|
of a base-scope LDAP search at cn=dg1,o=myorg, with the attribute
|
|||
|
list containing 'member' will be as follows:
|
|||
|
|
|||
|
dn: cn=dg1,o=myorg
|
|||
|
|
|||
|
member: cn=admin,o=myorg
|
|||
|
|
|||
|
member: cn=bob,ou=finance,o=myorg
|
|||
|
|
|||
|
member: cn=alice,ou=finance,o=myorg
|
|||
|
|
|||
|
member: cn=john,ou=finance,o=myorg
|
|||
|
|
|||
|
6.1.3. 'Is Member Of' functionality
|
|||
|
|
|||
|
The LDAP compare operation allows one to discover whether a given DN
|
|||
|
is in the membership list of a dynamic group. Again, the server
|
|||
|
SHOULD produce consistent results among different authorization
|
|||
|
identities when processing this request, as long as those identities
|
|||
|
have the same access to the member or uniqueMember attribute. Using
|
|||
|
the data from the example in Section 6.1.2, a compare on
|
|||
|
cn=dg1,o=myorg, for the AVA member=cn=bob,ou=finance,o=myorg would
|
|||
|
result in a response of compareTrue (assuming the bound identity was
|
|||
|
authorized to compare the member attribute of cn=dg1,o=myorg).
|
|||
|
|
|||
|
Likewise, a search operation that contains an equalityMatch or
|
|||
|
presence filter, naming the member or uniqueMember attribute as the
|
|||
|
attribute (such as (member= cn=bob,ou=finance,o=myorg), or
|
|||
|
(member=*)), will cause the server to evaluate this filter against
|
|||
|
the rules given in Section 4.2.1.3 in the event that the search is
|
|||
|
performed on a dynamic group object. As of this writing, no other
|
|||
|
matching rules exist for the distinguished name syntax, thus no
|
|||
|
requirements beyond equalityMatch are given here.
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Haripriya, et al. Expires July 9, 2007 [Page 15]
|
|||
|
|
|||
|
Internet-Draft LDAP: Dynamic Groups for LDAPv3 January 2007
|
|||
|
|
|||
|
|
|||
|
6.2. New Extensions
|
|||
|
|
|||
|
The following new extensions are added for dynamic group support.
|
|||
|
|
|||
|
6.2.1. Managing the static members of a dynamic group
|
|||
|
|
|||
|
Because a dynamic group overloads the semantics of the member and
|
|||
|
uniqueMember attributes, a mechanism is needed to retrieve the static
|
|||
|
values found in these attributes for management purposes. To serve
|
|||
|
this need, a new attribute option is defined here called 'x-static'.
|
|||
|
Attribute options are discussed in Section 2.5 of [2]. This option
|
|||
|
SHALL only be specified with the 'member' or 'uniqueMember'
|
|||
|
attribute. When the LDAP server does not understand the semantics of
|
|||
|
this option on a given attribute, the option SHOULD be ignored. This
|
|||
|
attribute option is only used to affect the transmitted values, and
|
|||
|
does not impose sub-typing semantics on the attribute.
|
|||
|
|
|||
|
This option MAY be specified by a client during a search request in
|
|||
|
the list of attributes to be returned, i.e. member;x-static. In this
|
|||
|
case, the server SHALL only return those members of the dynamic group
|
|||
|
that are statically listed as values of the member or uniqueMember
|
|||
|
attribute. The evaluation process listed in Section 9 SHALL NOT be
|
|||
|
used to populate the values to be returned.
|
|||
|
|
|||
|
This option MAY be specified is either an equalityMatch or presence
|
|||
|
search filter. In this case, the server evaluates only the values
|
|||
|
statically listed in the member or uniqueMember attribute, and does
|
|||
|
not apply the evaluation process listed in Section 9.
|
|||
|
|
|||
|
This option MAY be specified in update operations such as add and
|
|||
|
modify, but SHOULD be ignored, as its presence is semantically the
|
|||
|
same as its non-presence.
|
|||
|
|
|||
|
Note to user: Performing a search to read a dynamic group, with a
|
|||
|
filter item such as (member=*), and specifying member;x-static, may
|
|||
|
result in a search result entry that has no member attribute. This
|
|||
|
may seem counter-intuitive.
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Haripriya, et al. Expires July 9, 2007 [Page 16]
|
|||
|
|
|||
|
Internet-Draft LDAP: Dynamic Groups for LDAPv3 January 2007
|
|||
|
|
|||
|
|
|||
|
7. Performance Considerations
|
|||
|
|
|||
|
When the x-chain extension is present on the memberQueryURL, the
|
|||
|
server MUST follow any search continuation references to other
|
|||
|
servers while searching for dynamic members. This may be expensive
|
|||
|
and slow in a true distributed environment. The dynamicGroup
|
|||
|
implementation can consider a distributed caching feature to improve
|
|||
|
the performance. An outline of such a distributed caching is given
|
|||
|
below.
|
|||
|
|
|||
|
7.1. Caching of Dynamic Members
|
|||
|
|
|||
|
Since the dynamic members of a group are computed every time the
|
|||
|
group is accessed, the performance could be affected. An
|
|||
|
implementation of dynamic groups can get around this problem by
|
|||
|
caching the computed members of a dynamic group locally and using the
|
|||
|
cached data subsequently. One way to do this is to create pseudo-
|
|||
|
objects for each dynamic group on every server that holds an object
|
|||
|
that is a dynamic member of the group. With this, the computation of
|
|||
|
the dynamic members of a group reduces to the task of reading the
|
|||
|
pseudo-objects from each server. These pseudo-objects need to be
|
|||
|
linked from the original dynamic group to speed up the member
|
|||
|
computation. Also, since these are cached objects, appropriate
|
|||
|
timeouts need to be associated with the cache after which the cache
|
|||
|
should be invalidated or refreshed
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Haripriya, et al. Expires July 9, 2007 [Page 17]
|
|||
|
|
|||
|
Internet-Draft LDAP: Dynamic Groups for LDAPv3 January 2007
|
|||
|
|
|||
|
|
|||
|
8. Security Considerations
|
|||
|
|
|||
|
This document discusses the use of one object as the identity
|
|||
|
(Section 4.5) with which to read information for another object. If
|
|||
|
the creation of the dgIdentity attribute is uncontrolled, an intruder
|
|||
|
could potentially create a dynamic group with the identity of, say,
|
|||
|
the administrator, to be able to read the directory as the
|
|||
|
administrator, and see information which would be otherwise
|
|||
|
unavailable to him. Thus, a person adding an object as identity of a
|
|||
|
dynamic group should have appropriate permissions on the object being
|
|||
|
added as identity.
|
|||
|
|
|||
|
This document also discusses using dynamic memberships to provide
|
|||
|
access for resources in a directory. As the dynamic members are not
|
|||
|
created by the administrator, there could be surprises for the
|
|||
|
administrator in the form of certain objects getting access to
|
|||
|
certain resources through dynamic membership, which the administrator
|
|||
|
never intended. So the administrator should be wary of such
|
|||
|
problems. The administrator could view the memberships and make sure
|
|||
|
that anybody who is not supposed to be a member of a group is added
|
|||
|
to the excludedMember list.
|
|||
|
|
|||
|
Denial of service attacks can be launched on an LDAP server, by
|
|||
|
repeatedly searching for a dynamic group with a large membership list
|
|||
|
and listing the member attribute. A more effective form of denial of
|
|||
|
service attack could be launched by making searches of the form
|
|||
|
(member="somedn") at the top of tree and closing the client
|
|||
|
connection as soon as the search starts. Some administrative limits
|
|||
|
be imposed to avoid such situations.
|
|||
|
|
|||
|
The dynamic groups feature could be potentially misused by a user to
|
|||
|
circumvent any administrative size-limit restriction placed on the
|
|||
|
server. In order to search an LDAP server and obtain the names of
|
|||
|
all the objects on the server irrespective of admin size-limit
|
|||
|
restriction on the server, the LDAP user could create a dynamic group
|
|||
|
with a memberQueryURL which matches all objects in the tree, and list
|
|||
|
just that one object.
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Haripriya, et al. Expires July 9, 2007 [Page 18]
|
|||
|
|
|||
|
Internet-Draft LDAP: Dynamic Groups for LDAPv3 January 2007
|
|||
|
|
|||
|
|
|||
|
9. IANA Considerations
|
|||
|
|
|||
|
There are no IANA considerations.
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Haripriya, et al. Expires July 9, 2007 [Page 19]
|
|||
|
|
|||
|
Internet-Draft LDAP: Dynamic Groups for LDAPv3 January 2007
|
|||
|
|
|||
|
|
|||
|
10. Conclusions
|
|||
|
|
|||
|
This document discusses the syntax, semantics and usage of dynamic
|
|||
|
groups in LDAPv3.
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Haripriya, et al. Expires July 9, 2007 [Page 20]
|
|||
|
|
|||
|
Internet-Draft LDAP: Dynamic Groups for LDAPv3 January 2007
|
|||
|
|
|||
|
|
|||
|
11. Normative References
|
|||
|
|
|||
|
[1] Bradner, S., "Key words for use in RFCs to Indicate Requirement
|
|||
|
Levels", BCP 14, RFC 2119, March 1997.
|
|||
|
|
|||
|
[2] Zeilenga, K., "Lightweight Directory Access Protocol (LDAP):
|
|||
|
Directory Information Models", RFC 4512, June 2006.
|
|||
|
|
|||
|
[3] Smith, M. and T. Howes, "Lightweight Directory Access Protocol
|
|||
|
(LDAP): Uniform Resource Locator", RFC 4516, June 2006.
|
|||
|
|
|||
|
[4] Sciberras, A., "Lightweight Directory Access Protocol (LDAP):
|
|||
|
Schema for User Applications", RFC 4519, June 2006.
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Haripriya, et al. Expires July 9, 2007 [Page 21]
|
|||
|
|
|||
|
Internet-Draft LDAP: Dynamic Groups for LDAPv3 January 2007
|
|||
|
|
|||
|
|
|||
|
Appendix A. Example Values for memberQueryURL
|
|||
|
|
|||
|
1. This memberQueryURL value specifies the membership criteria for a
|
|||
|
dynamic group entry as "all inetorgperson entries that also have
|
|||
|
their title attribute set to 'manager', and are in the DIT-wide
|
|||
|
subtree under ou=hr,o=myorg ".
|
|||
|
|
|||
|
memberQueryURL: ldap:///
|
|||
|
ou=hr,o=myorg??sub?(&
|
|||
|
(objectclass=inetorgperson)(title=manager))? x-chain
|
|||
|
|
|||
|
2. This value lets the user specify the membership criteria for a
|
|||
|
dynamic group entry as "all entries on the local server, that
|
|||
|
either have unix accounts or belong to the unix department, and
|
|||
|
are under the engineering container ".
|
|||
|
|
|||
|
memberQueryURL: ldap:///ou=eng,o=myorg??sub?
|
|||
|
(|(objectclass=posixaccount)(department=unix))
|
|||
|
|
|||
|
3. These values let the user specify the membership criteria as "all
|
|||
|
inetorgperson entries on the local server, in either the
|
|||
|
ou=eng,o=myorg or ou=support,o=myorg" subtrees.
|
|||
|
|
|||
|
memberQueryURL:
|
|||
|
ldap:///ou=eng,o=myorg??sub?(objectclass=inetorgperson)
|
|||
|
|
|||
|
memberQueryURL:
|
|||
|
ldap:///ou=support,o=myorg??sub?(objectclass=inetorgperson)
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Haripriya, et al. Expires July 9, 2007 [Page 22]
|
|||
|
|
|||
|
Internet-Draft LDAP: Dynamic Groups for LDAPv3 January 2007
|
|||
|
|
|||
|
|
|||
|
Appendix B. Acknowledgments
|
|||
|
|
|||
|
Funding for the RFC Editor function is currently provided by the
|
|||
|
Internet Society.
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Haripriya, et al. Expires July 9, 2007 [Page 23]
|
|||
|
|
|||
|
Internet-Draft LDAP: Dynamic Groups for LDAPv3 January 2007
|
|||
|
|
|||
|
|
|||
|
Authors' Addresses
|
|||
|
|
|||
|
Haripriya S
|
|||
|
Novell, Inc.
|
|||
|
49/1 & 49/3 Garvebhavi Palya,
|
|||
|
7th Mile, Hosur Road
|
|||
|
Bangalore, Karnataka 560068
|
|||
|
India
|
|||
|
|
|||
|
Email: sharipriya@novell.com
|
|||
|
|
|||
|
|
|||
|
Jaimon Jose (editor)
|
|||
|
Novell, Inc.
|
|||
|
49/1 & 49/3 Garvebhavi Palya,
|
|||
|
7th Mile, Hosur Road
|
|||
|
Bangalore, Karnataka 560068
|
|||
|
India
|
|||
|
|
|||
|
Email: jjaimon@novell.com
|
|||
|
|
|||
|
|
|||
|
Jim Sermersheim
|
|||
|
Novell, Inc.
|
|||
|
1800 South Novell Place
|
|||
|
Provo, Utah 84606
|
|||
|
US
|
|||
|
|
|||
|
Email: jimse@novell.com
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Haripriya, et al. Expires July 9, 2007 [Page 24]
|
|||
|
|
|||
|
Internet-Draft LDAP: Dynamic Groups for LDAPv3 January 2007
|
|||
|
|
|||
|
|
|||
|
Full Copyright Statement
|
|||
|
|
|||
|
Copyright (C) The Internet Society (2007).
|
|||
|
|
|||
|
This document is subject to the rights, licenses and restrictions
|
|||
|
contained in BCP 78, and except as set forth therein, the authors
|
|||
|
retain all their rights.
|
|||
|
|
|||
|
This document and the information contained herein are provided on an
|
|||
|
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
|
|||
|
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
|
|||
|
ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
|
|||
|
INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
|
|||
|
INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
|
|||
|
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
|
|||
|
|
|||
|
|
|||
|
Intellectual Property
|
|||
|
|
|||
|
The IETF takes no position regarding the validity or scope of any
|
|||
|
Intellectual Property Rights or other rights that might be claimed to
|
|||
|
pertain to the implementation or use of the technology described in
|
|||
|
this document or the extent to which any license under such rights
|
|||
|
might or might not be available; nor does it represent that it has
|
|||
|
made any independent effort to identify any such rights. Information
|
|||
|
on the procedures with respect to rights in RFC documents can be
|
|||
|
found in BCP 78 and BCP 79.
|
|||
|
|
|||
|
Copies of IPR disclosures made to the IETF Secretariat and any
|
|||
|
assurances of licenses to be made available, or the result of an
|
|||
|
attempt made to obtain a general license or permission for the use of
|
|||
|
such proprietary rights by implementers or users of this
|
|||
|
specification can be obtained from the IETF on-line IPR repository at
|
|||
|
http://www.ietf.org/ipr.
|
|||
|
|
|||
|
The IETF invites any interested party to bring to its attention any
|
|||
|
copyrights, patents or patent applications, or other proprietary
|
|||
|
rights that may cover technology that may be required to implement
|
|||
|
this standard. Please address the information to the IETF at
|
|||
|
ietf-ipr@ietf.org.
|
|||
|
|
|||
|
|
|||
|
Acknowledgment
|
|||
|
|
|||
|
Funding for the RFC Editor function is provided by the IETF
|
|||
|
Administrative Support Activity (IASA).
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Haripriya, et al. Expires July 9, 2007 [Page 25]
|
|||
|
|