mirror of
https://git.openldap.org/openldap/openldap.git
synced 2025-01-06 10:46:21 +08:00
2887 lines
82 KiB
Plaintext
2887 lines
82 KiB
Plaintext
|
||
|
||
|
||
|
||
|
||
|
||
|
||
Internet-Draft E. Stokes
|
||
LDAP Extensions WG B. Blakley
|
||
Intended Category: Standards Track Tivoli Systems
|
||
Expires: 14 January 2001 D. Rinkevich
|
||
IBM
|
||
R. Byrne
|
||
Sun Microsystems
|
||
14 July 2000
|
||
|
||
Access Control Model for LDAPv3
|
||
<draft-ietf-ldapext-acl-model-06.txt>
|
||
|
||
STATUS OF THIS MEMO
|
||
|
||
This document is an Internet-Draft and is in full
|
||
conformance with all provisions of Section 10 of RFC2026.
|
||
|
||
Internet-Drafts are working documents of the Internet
|
||
Engineering Task Force (IETF), its areas, and its working
|
||
groups. Note that other groups may also distribute working
|
||
documents as Internet-Drafts. Internet-Drafts are draft
|
||
documents valid for a maximum of six months and may be
|
||
updated, replaced, or obsoleted by other documents at any
|
||
time. It is inappropriate to use Internet-Drafts as
|
||
reference material or to cite them other than as "work in
|
||
progress."
|
||
|
||
The list of current Internet-Drafts can be accessed at
|
||
http://www.ietf.org/ietf/1id-abstracts.txt
|
||
|
||
The list of Internet-Draft Shadow Directories can be
|
||
accessed at http://www.ietf.org/shadow.html.
|
||
|
||
Comments and suggestions on this document are encouraged.
|
||
Comments on this document should be sent to the LDAPEXT
|
||
working group discussion list:
|
||
|
||
ietf-ldapext@netscape.com
|
||
|
||
COPYRIGHT NOTICE
|
||
|
||
Copyright (C) The Internet Society (2000). All Rights
|
||
Reserved.
|
||
|
||
ABSTRACT
|
||
|
||
This document describes the access control model for the
|
||
Lightweight Directory Application Protocol V3 (LDAPv3)
|
||
directory service. It includes a description of the model,
|
||
the LDAP controls, and the extended operations to the LDAP
|
||
protocol. The current LDAP APIs are sufficient for most
|
||
|
||
|
||
|
||
Stokes, et al Expires 14 January 2001 [Page 1]
|
||
|
||
|
||
|
||
|
||
|
||
Internet-Draft Access Control Model 14 July 2000
|
||
|
||
|
||
|
||
access control operations. An API (in a separate document)
|
||
is needed for the extended operation getEffectiveAccess. A
|
||
separate requirements document for access control exists
|
||
[REQTS]. The access control model used the requirements
|
||
documents as a guideline for the development of this
|
||
specification and are reflected in this specification to the
|
||
extent that the working group could agree on an access
|
||
control model.
|
||
|
||
|
||
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL",
|
||
"SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", and
|
||
"MAY" used in this document are to be interpreted as
|
||
described in [Bradner97].
|
||
|
||
|
||
|
||
1. Introduction
|
||
|
||
The ability to securely access (replicate and distribute)
|
||
directory information throughout the network is necessary
|
||
for successful deployment. LDAP's acceptance as an access
|
||
protocol for directory information is driving the need to
|
||
provide an access control model definition for LDAP
|
||
directory content among servers within an enterprise and the
|
||
Internet. Currently LDAP does not define an access control
|
||
model, but one is needed to ensure consistent secure access,
|
||
replication, and management across heterogeneous LDAP
|
||
implementations. The major objective is to provide a simple,
|
||
usable, and implementable, but secure and efficient access
|
||
control model for LDAP while also providing the appropriate
|
||
flexibility to meet the needs of both the Internet and
|
||
enterprise environments and policies. This document defines
|
||
the model and the protocol extensions (controls and extended
|
||
operations).
|
||
|
||
This draft does not (and cannot) fully specify the behavior
|
||
of the Access Control Model in a distributed environment
|
||
(e.g. propagating access control information across servers
|
||
and ACI administration) because there is no LDAP standard
|
||
defining how to distribute directory data between LDAP
|
||
servers. The behavior of the Access Control Model in
|
||
distributed environments is beyond the scope of this draft.
|
||
|
||
|
||
|
||
2. The LDAPv3 Access Control Model
|
||
|
||
Access Control mechanisms evaluate requests for access to
|
||
protected resources and make decisions about whether those
|
||
requests should be granted or denied. In order to make a
|
||
|
||
|
||
|
||
Stokes, et al Expires 14 January 2001 [Page 2]
|
||
|
||
|
||
|
||
|
||
|
||
Internet-Draft Access Control Model 14 July 2000
|
||
|
||
|
||
|
||
grant/deny decision about a request for access to a
|
||
protected resource, an access control mechanism needs to
|
||
evaluate policy data. This policy data describes security-
|
||
relevant characteristics of the requesting subject and the
|
||
rules which govern the use of the target object.
|
||
|
||
No mechanism is defined in this document for storage of
|
||
access control information at the server beyond indicating
|
||
that the attribute holding access control information is an
|
||
operational attribute.
|
||
|
||
The access control mechanisms specified in this document are
|
||
neutral with respect to policy inheritance mechanisms,
|
||
explicit vs. implicit denial, and group nesting.
|
||
|
||
The access control model defines
|
||
|
||
- What flows on the wire for interoperability
|
||
|
||
The existing LDAP protocol flows for ldap operations
|
||
are used to manipulate access control information. A
|
||
set of permissions and their semantics with respect to
|
||
ldap operations is defined. The permissions parallel
|
||
the types of ldap operations defined. What is
|
||
transmitted is exactly what is read back. Encoding of
|
||
access control information on the wire is per the
|
||
LDAPv3 specifications.
|
||
|
||
There is an additional LDAP control and extended
|
||
protocol operation defined, getEffectiveRights. LDAP
|
||
clients use the control and extended operation to
|
||
manage and administer access control policy enforced by
|
||
LDAP servers.
|
||
|
||
Servers may store access control information in any way
|
||
they choose. In particular, servers may use the access
|
||
control mechanisms of their datastores to store and
|
||
enforce LDAP access control, or they may implement
|
||
access control managers external to their datastores.
|
||
Datastores and external access control managers MAY
|
||
implement any access control rule syntax and semantics
|
||
they choose, but the semantics MUST be compatible with
|
||
those defined in the section titled "Operational
|
||
Semantics of Access Control Operations".
|
||
|
||
- Attributes and classes for application portability of
|
||
access control information
|
||
|
||
An access control information attribute (ldapACI) for
|
||
application portability: This attribute is used as
|
||
input to the LDAP APIs so access control information
|
||
|
||
|
||
|
||
Stokes, et al Expires 14 January 2001 [Page 3]
|
||
|
||
|
||
|
||
|
||
|
||
Internet-Draft Access Control Model 14 July 2000
|
||
|
||
|
||
|
||
can be addressed uniformly independent of how that
|
||
information is addressed and stored at the server.
|
||
This same attribute appears in LDIF output for
|
||
interchange of access control information.
|
||
|
||
An access control information subentry class
|
||
(ldapACISubEntry) and a set of attributes
|
||
(supportedAccessControlSchemes which is used in the
|
||
rootDSE and accessControlSchemes which is used in the
|
||
subentry ldapACISubEntry) to identity the access
|
||
control mechanisms supported by a server and in a given
|
||
part of the namespace, respectively.
|
||
|
||
- An attribute in the rootDSE, discloseOnError, to
|
||
control whether it is permissible for the server to
|
||
return the name of an entry or attribute in an error
|
||
(or empty set) operation result. This closes a hole on
|
||
the ability to discover information you are not
|
||
authorized to discover.
|
||
|
||
- A mechanism to control access to access control
|
||
information: The access control information attribute,
|
||
ldapACI, is used to control access to access control
|
||
information (controls access to itself). How to get an
|
||
initial ldapACI in the directory is server specific and
|
||
beyond the scope of this model.
|
||
|
||
Servers can support multiple access control mechanisms, but
|
||
MUST be capable of supporting the LDAP Mechanism in the DIT
|
||
scoped by the rootDSE (entire server's DIT) for that server
|
||
and SHOULD be capable of supporting the LDAP mechanism in an
|
||
arbitrary part (subtree) of the DIT.
|
||
|
||
The accessControlSchemes attribute in the ldapACISubEntry
|
||
indicates which access control mechanism is in effect for
|
||
the scope of that ldapACISubEntry. The
|
||
supportedAccessControlSchemes attribute in the rootDSE
|
||
indicates which acess control mechanisms are supported by
|
||
the server; those mechanisms are in effect in that server's
|
||
DIT unless overridden by a mechanism defined in a
|
||
ldapACISubEntry elsewhere in that DIT.
|
||
|
||
Changing the value(s) of either the
|
||
supportedAccessControlSchemes or accessControlSchemes
|
||
attributes changes the mechanism(s) in effect for the scope
|
||
of those attributes (where scope is either that of the
|
||
rootDSE or ldapACISubEntry).
|
||
|
||
Through the use of the mechanism rootDSE attribute and
|
||
ldapACI subentry, it is possible to run multiple mechanisms
|
||
in either the same subtree or separate subtrees. If two
|
||
|
||
|
||
|
||
Stokes, et al Expires 14 January 2001 [Page 4]
|
||
|
||
|
||
|
||
|
||
|
||
Internet-Draft Access Control Model 14 July 2000
|
||
|
||
|
||
|
||
mechanisms are run in the same subtree, it is desirable that
|
||
the result be the same independent of mechanism, but
|
||
definition and discussion of this is beyond the scope of
|
||
this model.
|
||
|
||
|
||
|
||
3. Access Control Mechanism Attributes
|
||
|
||
Two attributes are defined to identify which access control
|
||
mechanisms are supported by a given server and by a given
|
||
subtree: supportedAccessControlSchemes and
|
||
accessControlSchemes. (We chose these names based on the
|
||
X.500 attribute, AccessControlScheme which is single-valued
|
||
and defined in X.501).
|
||
|
||
|
||
3.1 Root DSE Attribute for Access Control Mechanism
|
||
|
||
The server advertises which access control mechanisms it
|
||
supports by inclusion of the 'supportedAccessControlSchemes'
|
||
attribute in the root DSE. This attribute is a list of
|
||
OIDs, each of which identify an access control mechanism
|
||
supported by the server. By default, these are also the
|
||
mechanisms in effect in subtrees beneath the root in that
|
||
server unless overridden by a ldapACISubEntry (see section
|
||
"Subentry Class Access Control Mechanism").
|
||
|
||
(<OID to be assigned>
|
||
NAME 'supportedAccessControlSchemes'
|
||
DESC list of access control mechanisms supported
|
||
by this directory server
|
||
SYNTAX LDAPOID
|
||
USAGE dSAOperation
|
||
)
|
||
|
||
The access control mechanism defined is:
|
||
LDAPv3 <OID to be assigned>
|
||
|
||
Other vendor access control mechanisms MAY be defined (by
|
||
OID) and are the responsibility of those vendors to provide
|
||
the definition and OID.
|
||
|
||
|
||
3.2 Root DSE Attribute for Control of Disclosing Errors
|
||
|
||
The server specifies whether it is permissible for the name
|
||
of an entry or attribute to be disclosed in an error (or
|
||
empty) operation result. This rootDSE attribute is
|
||
discloseOnError. The default for discloseOnError is false
|
||
(0) or not to disclose on error. The lack of this attribute
|
||
|
||
|
||
|
||
Stokes, et al Expires 14 January 2001 [Page 5]
|
||
|
||
|
||
|
||
|
||
|
||
Internet-Draft Access Control Model 14 July 2000
|
||
|
||
|
||
|
||
in the rootDSE is interpreted as the default.
|
||
|
||
(<OID to be assigned>
|
||
NAME 'discloseOnError'
|
||
DESC specify whether to return the name of an
|
||
entry or attribute in an error (or
|
||
empty) operation result; 0=do not
|
||
disclose (default); 1=disclose
|
||
SYNTAX LDAPString
|
||
USAGE dSAOperation
|
||
|
||
|
||
3.3 Subentry Class Access Control Mechanism
|
||
|
||
A given naming context MUST provide information about which
|
||
access control mechanisms are in effect for that portion of
|
||
the namespace. This information is contained in a subentry
|
||
(ldapACISubEntry class), derived from [SUBENTRY].
|
||
ldapACISubEntry MAY be used to define the scope of an access
|
||
control mechanism. The value(s) held in the rootDSE
|
||
attribute, supportedAccessControlSchemes, are the mechanisms
|
||
in effect in subtrees beneath the root in that server unless
|
||
overridden in a ldapACISubEntry further down the tree held
|
||
by that server. The scope of that ldapACISubEntry is to the
|
||
end of the subtree held by that server or until another
|
||
ldapACISubEntry is encountered in that subtree held by that
|
||
server. The ldapACISubEntry class is defined as:
|
||
|
||
|
||
( <OID to be assigned>
|
||
NAME 'ldapACISubEntry'
|
||
DESC 'LDAP ACI Subentry class'
|
||
SUP ldapSubEntry STRUCTURAL
|
||
MUST ( accessControlSchemes )
|
||
)
|
||
|
||
The accessControlSchemes attribute MUST be in each ldap
|
||
access control subentry entry associated with a naming
|
||
context whose access control mechanism is different from
|
||
adjacent naming contexts supported by that directory server.
|
||
accessControlSchemes lists the values (list of OIDs) that
|
||
define the access control mechanisms in effect for the scope
|
||
of that ldap access control subentry. Although, in general,
|
||
this attribute will define only a single mechanism (single
|
||
value), more than one mechanism MAY be in effect for the
|
||
scope of that subentry.
|
||
|
||
(<OID to be assigned>
|
||
NAME 'accessControlSchemes'
|
||
DESC list of access control mechanisms supported
|
||
in this subtree
|
||
|
||
|
||
|
||
Stokes, et al Expires 14 January 2001 [Page 6]
|
||
|
||
|
||
|
||
|
||
|
||
Internet-Draft Access Control Model 14 July 2000
|
||
|
||
|
||
|
||
SYNTAX LDAPOID
|
||
USAGE dSAOperation
|
||
)
|
||
|
||
|
||
|
||
4. The Access Control Information Attribute (ldapACI)
|
||
|
||
The access control information attribute, ldapACI, is
|
||
defined as:
|
||
|
||
(<OID to be assigned>
|
||
NAME 'ldapACI'
|
||
DESC 'ldap access control information'
|
||
EQUALITY caseIgnoreMatch
|
||
SYNTAX directoryString
|
||
USAGE directoryOperation
|
||
)
|
||
|
||
The intent of the attribute definition is to design a common
|
||
interchange format. Any given LDAP server should be able to
|
||
translate the below defined attribute into meaningful
|
||
operation requests. Each server should be able to understand
|
||
the attribute; there should not be any ambiguity into what
|
||
any part of the syntax means.
|
||
|
||
While the end goal is to have a common behavior model
|
||
between different LDAP server implementations, the attribute
|
||
definition alone will not ensure identical ACL processing
|
||
behavior between servers. The semantics of how a server
|
||
interprets the ACI syntax are defined in the "Operational
|
||
Semantics of Access Control" section of this document.
|
||
Additionally, while the server must recognize and act on the
|
||
attribute when received over the wire, there are no
|
||
requirements for the server to physically store this
|
||
attribute.
|
||
|
||
The attribute definition maintains an assumption that the
|
||
receiving server supports inheritance within the security
|
||
model. If the server does not support inheritance, the
|
||
receiving server must expand any inherited information based
|
||
on the scope flag. If the server does not support partial
|
||
inheritance and both the entry and subtree scope are used,
|
||
then entry is the prevailing scope. (It is possible for two
|
||
values in the ldapACI attribute to have different scopes
|
||
given the syntax of ldapACI; one might contain 'entry' and
|
||
another might contain 'subtree'. This implies that some
|
||
ldapACI values inherit down the DIT and othersdo not - hence
|
||
partial inheritance of the ldapACI attribute.)
|
||
|
||
The attribute is defined so access control information (ACI)
|
||
|
||
|
||
|
||
Stokes, et al Expires 14 January 2001 [Page 7]
|
||
|
||
|
||
|
||
|
||
|
||
Internet-Draft Access Control Model 14 July 2000
|
||
|
||
|
||
|
||
can be addressed in a server independent of server
|
||
implementation. This attribute is used in typical LDAP APIs
|
||
and in LDIF output of ACI. This attribute may be queried or
|
||
set on all directory objects. The BNF and definitions are
|
||
given below.
|
||
|
||
|
||
4.1 The BNF
|
||
|
||
|
||
4.1.1 ACI String Representation
|
||
|
||
Values of this syntax are encoded according to the
|
||
following BNF which follows the BNF encoding
|
||
conventions described in [ABNF]:
|
||
|
||
ldapACI = scope "#" rights "#" attr "#" subject
|
||
|
||
scope = "entry" / "subtree"
|
||
|
||
rights = (("grant:" / "deny:") permissions) /
|
||
("grant:" permissions ";deny:" permissions)
|
||
|
||
permissions = [permission *("," permission)]
|
||
|
||
permission = "a" / ; add
|
||
"d" / ; delete
|
||
"e" / ; export
|
||
"i" / ; import
|
||
"n" / ; renameDN
|
||
"b" / ; browseDN
|
||
"t" / ; returnDN
|
||
"r" / ; read
|
||
"s" / ; search
|
||
"w" / ; write (mod-add)
|
||
"o" / ; obliterate (mod-del)
|
||
"c" / ; compare
|
||
"m" / ; make
|
||
|
||
attr = "[all]" / "[entry]" / (attribute *("," attribute))
|
||
|
||
attribute = ; OID syntax (1.3.6.1.4.1.1466.115.121.1.38)
|
||
; from [ATTR]
|
||
|
||
subject = ["authnLevel:" authnLevel ":"]
|
||
(("authzID-" authzID) /
|
||
("role:" dn) /
|
||
("group:" dn) /
|
||
("subtree:" dn) /
|
||
("ipAddress:" ipAddress) /
|
||
"public:" /
|
||
|
||
|
||
|
||
Stokes, et al Expires 14 January 2001 [Page 8]
|
||
|
||
|
||
|
||
|
||
|
||
Internet-Draft Access Control Model 14 July 2000
|
||
|
||
|
||
|
||
"this:")
|
||
|
||
authnLevel = "any" /
|
||
"simple" /
|
||
sasl
|
||
|
||
sasl = "sasl:"
|
||
("any" /
|
||
mechanism)
|
||
|
||
mechanism = ; sasl mechanism from 4.2 of [LDAPv3]
|
||
|
||
authzID = ; authzID from [AuthMeth] repeated below
|
||
; for convenience
|
||
|
||
authzId = dnAuthzId / uAuthzId
|
||
|
||
; distinguished-name-based authz id.
|
||
dnAuthzId = "dn:" dn
|
||
|
||
dn = utf8string ; with syntax defined in [UTF]
|
||
|
||
; unspecified userid, UTF-8 encoded.
|
||
uAuthzId = "u:" userid
|
||
userid = utf8string ; syntax unspecified
|
||
|
||
ipAddress = printableString
|
||
; dotted decimal form (e.g. 10.0.0.6)
|
||
; or use wildcards such as 12.3.45.* to
|
||
; specify a specific subnetwork
|
||
; or 123.45.6.*+255.255.255.115 to
|
||
; specify a subnetmask
|
||
; or use a wildcard domain name such as
|
||
; *.airius.com to specify a specific
|
||
; DNS domain
|
||
|
||
printableString ; printableString syntax from [ATTR]
|
||
|
||
|
||
Note that the colon following the "public" and "this"
|
||
subject options exist only to simplify string parsing.
|
||
|
||
Note also that per [AuthMeth], authzID may be expanded in
|
||
the future.
|
||
|
||
See section titled 'ACI Examples' for examples of the string
|
||
representation.
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
Stokes, et al Expires 14 January 2001 [Page 9]
|
||
|
||
|
||
|
||
|
||
|
||
Internet-Draft Access Control Model 14 July 2000
|
||
|
||
|
||
|
||
4.1.2 ACI Binary Representation
|
||
|
||
The following ASN.1 data type is used to represent this
|
||
syntax when transferred in binary form:
|
||
|
||
ldapACI ::= SEQUENCE {
|
||
scope ENUMERATED {
|
||
entry (0),
|
||
subtree (1) },
|
||
rights SEQUENCE OF CHOICE {
|
||
grant [0] Permissions,
|
||
deny [1] Permissions },
|
||
attr CHOICE {
|
||
all [0] NULL,
|
||
entry [1] NULL,
|
||
attributes [2] SEQUENCE OF Attribute },
|
||
subject SEQUENCE {
|
||
authnLevel CHOICE {
|
||
any [0] NULL,
|
||
simple [1] NULL,
|
||
sasl [2] CHOICE {
|
||
any [0] NULL,
|
||
mechanism [1] LDAPString -- from [LDAPv3]
|
||
}
|
||
},
|
||
subject CHOICE {
|
||
dn [0] DN,
|
||
user [1] utf8String
|
||
role [1] DN,
|
||
group [2] DN,
|
||
subtree [3] DN,
|
||
ipAddress [4] IPAddress,
|
||
public [6] NULL,
|
||
this [7] NULL }, } -- may be expanded
|
||
per [AuthMeth]
|
||
|
||
Permissions ::= SEQUENCE OF ENUMERATED {
|
||
add (0),
|
||
delete (1),
|
||
export (2),
|
||
import (3),
|
||
renameDN (4),
|
||
browseDN (5),
|
||
returnDN (6),
|
||
read (7),
|
||
search (8),
|
||
write (9),
|
||
obliterate (10),
|
||
compare (11),
|
||
make (12) }
|
||
|
||
|
||
|
||
|
||
Stokes, et al Expires 14 January 2001 [Page 10]
|
||
|
||
|
||
|
||
|
||
|
||
Internet-Draft Access Control Model 14 July 2000
|
||
|
||
|
||
|
||
Attribute ::= AttributeType -- from [LDAPv3]
|
||
|
||
IPAddress ::= PrintableString -- (e.g. 10.0.0.6)
|
||
|
||
|
||
|
||
4.2 The Components of ldapACI Attribute
|
||
|
||
This section defines components that comprise the access
|
||
control information attribute, ldapACI.
|
||
|
||
|
||
4.2.1 Scope
|
||
|
||
Two scopes for access control information are defined:
|
||
|
||
- entry - the access control information in the ldapACI
|
||
attribute applies only to the entry in which it is
|
||
contained
|
||
|
||
- subtree - the access control information in the ldapACI
|
||
attribute applies to each entry down the subtree unless
|
||
it is overridden by an entry-specific ldapACI whose
|
||
values are more specific.
|
||
|
||
Use of prescriptive ACIs and scoping via use of a
|
||
ldapACISubEntry is outside the scope of this document.
|
||
|
||
|
||
4.2.2 Access Rights and Permissions
|
||
|
||
Access rights can apply to an entire object or to attributes
|
||
of the object. Access can be granted or denied. Either or
|
||
both of the actions "grant" | "deny" may be used when
|
||
creating or updating ldapACI.
|
||
|
||
Each of the LDAP access permissions are discrete. One
|
||
permission does not imply another permission. The
|
||
permissions which apply to attributes and the entry parallel
|
||
the type of ldap operations that can be performed.
|
||
|
||
Permissions which apply to attributes:
|
||
|
||
r Read Read attribute values
|
||
w Write Modify-add values
|
||
o Obliterate Modify-delete values
|
||
s Search Search entries with specified attributes
|
||
c Compare Compare attributes
|
||
m Make Make attributes on a new entry below
|
||
this entry
|
||
|
||
|
||
|
||
|
||
Stokes, et al Expires 14 January 2001 [Page 11]
|
||
|
||
|
||
|
||
|
||
|
||
Internet-Draft Access Control Model 14 July 2000
|
||
|
||
|
||
|
||
1. r Read
|
||
|
||
If granted, permits attributes and values to be
|
||
returned in a read or search operation.
|
||
|
||
2. w Write
|
||
|
||
If granted, permits attributes and values to be added
|
||
in a modify operation.
|
||
|
||
3. o Obliterate
|
||
|
||
If granted, permits attributes and values to be
|
||
deleted in a modify operation.
|
||
|
||
4. s Search
|
||
|
||
If granted, permits attributes and values to be
|
||
included in a search operation.
|
||
|
||
5. c Compare
|
||
|
||
If granted, permites attributes and value to be used
|
||
in a compare operation.
|
||
|
||
6. m Make
|
||
|
||
The attribute permission "m" is required for all
|
||
attributes that are placed on an object when it is
|
||
created. Just as the "w" and "o" permissions are used
|
||
in the Modify operation, the "m" permission is used in
|
||
the Add operation. Additionally, note that "w" and "o"
|
||
have no bearing on the Add operation and "m" has no
|
||
bearing on the Modify operation. Since a new object
|
||
does not yet exist, the "a" and "m" permissions needed
|
||
to create it must be granted on the new object's
|
||
parent. This differs from "w" and "o" which must be
|
||
granted on the object being modified. The "m"
|
||
permission is distinct and separate from the "w" and
|
||
"o" permissions so that there is no conflict between
|
||
the permissions needed to add new children to an entry
|
||
and the permissions needed to modify existing children
|
||
of the same entry.
|
||
|
||
Note: Modify-replace values of an attribute requires "w"
|
||
and "o" permission.
|
||
|
||
Permissions that apply to an entire entry:
|
||
|
||
|
||
a Add Add an entry below this entry
|
||
|
||
|
||
|
||
Stokes, et al Expires 14 January 2001 [Page 12]
|
||
|
||
|
||
|
||
|
||
|
||
Internet-Draft Access Control Model 14 July 2000
|
||
|
||
|
||
|
||
d Delete Delete this entry
|
||
e Export Export entry & subordinates to new
|
||
location
|
||
i Import Import entry & subordinates from some
|
||
location
|
||
n RenameDN Rename an entry's DN
|
||
b BrowseDN Browse an entry's DN
|
||
t ReturnDN Allows DN of entry to be disclosed in
|
||
an operation result
|
||
|
||
|
||
1. a Add
|
||
|
||
If granted, permits creation of an entry in the DIT
|
||
subject to control on all attributes and values to be
|
||
placed in the new entry at time of creation. In order
|
||
to add an entry, permission must also be granted to
|
||
add at least the mandatory attributes.
|
||
|
||
2. d Delete
|
||
|
||
If granted, permits the entry to be removed from the
|
||
DIT regardless of controls on attributes within the
|
||
entry.
|
||
|
||
3. e Export
|
||
|
||
If granted, permits an entry and its subordinates (if
|
||
any) to be exported; that is, removed from the current
|
||
location and placed in a new location subject to the
|
||
granting of suitable permission at the destination.
|
||
If the last RDN is changed, Rename is also required at
|
||
the current location. In order to export an entry or
|
||
its subordinates, there are no prerequisite
|
||
permissions to contained attributed, including the RDN
|
||
attributes; this is true even when the operation
|
||
causes new attribute values to be added or removed as
|
||
the result of the changes of RDN.
|
||
|
||
4. i Import
|
||
|
||
If granted, permits an entry and its suordinates (if
|
||
any) to be imported; that is, removed from some other
|
||
location and placed a t the location to which the
|
||
permission applies subject to the granting of suitable
|
||
permissions at the source location. In order to
|
||
import an entry or its subordinates, there are no
|
||
prerequisite permissions to contained attributed,
|
||
including the RDN attributes; this is true even when
|
||
the operation causes new attribute values to be added
|
||
or removed as the result of the changes of RDN.
|
||
|
||
|
||
|
||
Stokes, et al Expires 14 January 2001 [Page 13]
|
||
|
||
|
||
|
||
|
||
|
||
Internet-Draft Access Control Model 14 July 2000
|
||
|
||
|
||
|
||
5. n RenameDN
|
||
|
||
Granting Rename is necessary for an entry to be
|
||
renamed with a new RDN, taking into account
|
||
consequential changes to the distinguished names of
|
||
subordinate entries, if any; if the name of the
|
||
superior is unchanged, the grant is sufficient. In
|
||
order to rename an entry, there are no prerequisite
|
||
permissions to contained attributed, including the RDN
|
||
attributes; this is true even when the operation
|
||
causes new attribute values to be added or removed as
|
||
the result of the changes of RDN.
|
||
|
||
6. b BrowseDN
|
||
|
||
If granted, permits entries to be accessed using
|
||
directory operations which do not explicitly provide
|
||
the name of the entry.
|
||
|
||
7. t ReturnDN
|
||
|
||
If granted, allows the distinguished name of the entry
|
||
to be disclosed in the operation result.
|
||
|
||
All permissions (for grant and deny) for an attribute/entry
|
||
and a given subject MUST be contained within one ldapACI
|
||
value, i.e. (in abbreviated form)
|
||
|
||
ldapACI: ...grant OID.attr1 subjectA
|
||
ldapACI: ...deny OID.attr1 subjectA
|
||
|
||
must be ldapACI: ...grant ... deny... OID.attr1 subjectA
|
||
|
||
Using the defined BNF it is possible for the permission
|
||
string to be empty. The ACI
|
||
|
||
ldapACI: subtree#grant#OID.attr1#group:cn=Dept XYZ,c=US
|
||
|
||
ldapACI: subtree#grant:r,s#[all]#group:cn=Dept XYZ,c=US
|
||
|
||
means that this group (Dept XYZ) is granted permission to
|
||
read and search all attributes except OID.attr1 because
|
||
OID.attr1 is more specific than "[all]".
|
||
|
||
|
||
4.2.3 Attributes
|
||
|
||
Attribute describes an attribute name in the form of a
|
||
dotted decimal OID for that <attr>. If the string (OID)
|
||
refers to an attribute not defined in the given server's
|
||
schema, the server SHOULD report an error. "[entry]" means
|
||
|
||
|
||
|
||
Stokes, et al Expires 14 January 2001 [Page 14]
|
||
|
||
|
||
|
||
|
||
|
||
Internet-Draft Access Control Model 14 July 2000
|
||
|
||
|
||
|
||
the permissions apply to the entire object. This could mean
|
||
actions such as delete the object, or add a child object.
|
||
"[all]" means the permission set apply to all attributes of
|
||
the entry.
|
||
|
||
If the keyword "[all]" and another attribute are both
|
||
specified within an ACI, the more specific permission set
|
||
for the attribute overrides the less specific permission set
|
||
for "[all]".
|
||
|
||
|
||
4.2.4 Subjects and Associated Authentication
|
||
|
||
The following subjects are defined and MUST be supported:
|
||
|
||
- authzID, defined per [authmeth]
|
||
|
||
- group, defined as the distinguished name of a
|
||
groupOfNames or groupOfUniqueNames entry
|
||
|
||
- role
|
||
|
||
- subtree, defined as the distinguished name of a non-
|
||
leaf node in the DIT
|
||
|
||
- ipAddress,
|
||
|
||
- public, defined as public access
|
||
|
||
- this, defined as the user whose name matches that of
|
||
the entry being accessed
|
||
|
||
Other parties MAY define other subjects. It is the
|
||
responsibility of those parties to provide the definition.
|
||
|
||
A subject may be qualified by the type of authentication
|
||
required for access to a given attribute(s) or entry. If no
|
||
authnLevel is present, then no specific type of
|
||
authentication is additionally required for access. If
|
||
authnLevel is specified, then that type of authentication is
|
||
additionally required for access. The authnLevels parallel
|
||
the authentication mechanisms specified for LDAPv3: simple,
|
||
SASL (any type of SASL mechanism), and a SASL-specific
|
||
mechanism. The authnLevel of is not an acceptable mechanism
|
||
for this case) as part of obtaining access.
|
||
|
||
|
||
4.3 Grant/Deny Evaluation Rules
|
||
|
||
The decision whether to grant or deny a client access to a
|
||
particular piece of information is based on several pieces
|
||
|
||
|
||
|
||
Stokes, et al Expires 14 January 2001 [Page 15]
|
||
|
||
|
||
|
||
|
||
|
||
Internet-Draft Access Control Model 14 July 2000
|
||
|
||
|
||
|
||
of information found within the ldapaci value. Throughout
|
||
the decision making process, there are guiding principals.
|
||
|
||
- Specificity: More specific policies MUST override less
|
||
specific ones (e.g. individual user entry in ACI takes
|
||
precedence over group entry).
|
||
|
||
- Deny takes precedence over Grant.
|
||
|
||
- When there are conflicting ACI values, deny takes
|
||
precedence over grant.
|
||
|
||
- Deny is the default when there is no access control
|
||
information.
|
||
|
||
Precendence of Scope Types (highest to lowest)
|
||
|
||
- entry
|
||
|
||
- subtree
|
||
|
||
Precedence of Subjects within a Scope (highest to lowest):
|
||
|
||
- ipAddress
|
||
|
||
- authzID, this
|
||
|
||
- group, role, this, public
|
||
|
||
- subtree, public
|
||
|
||
Although other types MAY be defined given the BNF, use of
|
||
the well-known types aids in interoperability and
|
||
operational consistency.
|
||
|
||
Access Decision algorithm:
|
||
|
||
1. Determine all the ldapACI values which could apply to
|
||
the target DN which is being accessed. This is the DN
|
||
of the entry which is being queried in a search,
|
||
modified, deleted, etc. When determining all the
|
||
ldapACI values, the scope field should be used. All
|
||
ldapACI values with a scope of 'entry' take precedence
|
||
over ldapACI values with a scope of 'subtree'.
|
||
|
||
2. Determine which ldapACI (of the set determined in step
|
||
1) apply to the bound DN. This is determined by
|
||
looking at the subject (combination of subject type
|
||
and subject value) and bind type. If no bind is in
|
||
effect (this is possible in ldapv3), then treat this
|
||
lack of bind as if bound as anonymous. Start with the
|
||
|
||
|
||
|
||
Stokes, et al Expires 14 January 2001 [Page 16]
|
||
|
||
|
||
|
||
|
||
|
||
Internet-Draft Access Control Model 14 July 2000
|
||
|
||
|
||
|
||
most specific subject type. If at any time, at least
|
||
one ldapACI value exists for a specificity level, then
|
||
processing stops; the exception here is 'this' because
|
||
this may also be combined with group to use power of
|
||
'this'. Evaluation should take place on set of
|
||
ldapACI values which are all of the same specificity
|
||
level. Subjects of the same precedence are combined
|
||
using union semantics.
|
||
|
||
3. Evaluate the remaining ldapACI values and determine a
|
||
grant/deny decision. If conflicting ldapACI value
|
||
exists for the same attribute, or attributes (i.e. one
|
||
ldapACI grants permission and another denies
|
||
permission), then deny takes precedence over grant.
|
||
For example, if one is granted permission to
|
||
"objectclass" in one ldapACI value by being a member
|
||
of group cn=Admin, and denied permission by being a
|
||
member of cn = NontrustedAdmins, then the bound user
|
||
would not receive permission to objectclass.
|
||
|
||
The rule of specificity also applies to the
|
||
attributes. If one is denied permission to "[ all ]"
|
||
attributes, but granted permission to "objectclass"
|
||
then the more specific value of "objectclass" takes
|
||
precedence over the less specific value of "[ all ] ".
|
||
In this case the user would be granted permission to
|
||
"objectclass" but denied permission to all other
|
||
attributes.
|
||
|
||
|
||
|
||
5. Required Permissions for each LDAP Operation
|
||
|
||
This section defines the required permissions for each LDAP
|
||
operation but even if these requirements are satisfied the
|
||
server MAY refuse to carry out the operation due to other
|
||
implementation specific security considerations. For
|
||
example, a server may refuse to modify an entry because the
|
||
database where that entry resides is in read only mode.
|
||
Another example might be that although the access control is
|
||
available to the userPassword attribute a server may refuse
|
||
modifications due to some server specific policy governing
|
||
access to passwords.
|
||
|
||
Here, we specify the rights required by a user when
|
||
performing an LDAP operation in terms of the LDAP
|
||
permissions specified in section 6.1. Recall that "a, d,
|
||
e, i, n, b,t" are permissions that apply to entries as a
|
||
whole while permissions "r, s, w, o, c, m" apply to
|
||
attributes within entries.
|
||
|
||
|
||
|
||
|
||
Stokes, et al Expires 14 January 2001 [Page 17]
|
||
|
||
|
||
|
||
|
||
|
||
Internet-Draft Access Control Model 14 July 2000
|
||
|
||
|
||
|
||
Required permissions for LDAP extended operations and LDAP
|
||
controls are beyond the scope of this draft.
|
||
|
||
There is a requirement that a user should not be able to
|
||
infer the existence of data in the Directory, if the user
|
||
does not have the required access rights to that data. An
|
||
example of this requirement would be in a hosting
|
||
environment where you would not want any users from the coke
|
||
subtree to be able to even discover that the pepsi tree was
|
||
hosted on the same server. This "discloseOnError" feature
|
||
will be set once for server in the rootDSE advertised by the
|
||
attribute discloseOnError. The default for discloseOnError
|
||
is false (0). The lack of this attribute in the rootDSE is
|
||
interpreted as the default. The details of its effects are
|
||
addressed below, operation by operation.
|
||
|
||
For the following, assume that the authorization identity of
|
||
the user doing the operation is authzID.
|
||
|
||
|
||
5.1 Bind Operation
|
||
|
||
This draft does not require any permissions to allow a bind
|
||
operation to proceed.
|
||
|
||
|
||
5.2 Search Operation
|
||
|
||
Recall that the parameters of the Search operation per RFC
|
||
2251 [LDAPv3] Section 4.5 are:
|
||
|
||
SearchRequest ::= [APPLICATION 3] SEQUENCE {
|
||
baseObject LDAPDN,
|
||
scope ENUMERATED {
|
||
baseObject (0),
|
||
singleLevel (1),
|
||
wholeSubtree (2) },
|
||
derefAliases ENUMERATED {
|
||
neverDerefAliases (0),
|
||
derefInSearching (1),
|
||
derefFindingBaseObj (2),
|
||
derefAlways (3) },
|
||
sizeLimit INTEGER (0 .. maxInt),
|
||
timeLimit INTEGER (0 .. maxInt),
|
||
typesOnly BOOLEAN,
|
||
filter Filter,
|
||
attributes AttributeDescriptionList }
|
||
|
||
Suppose a server is processing a search request from user
|
||
authzID with parameters as above and is processing the entry
|
||
with dn candidateDN to decide if it may be returned or not.
|
||
|
||
|
||
|
||
Stokes, et al Expires 14 January 2001 [Page 18]
|
||
|
||
|
||
|
||
|
||
|
||
Internet-Draft Access Control Model 14 July 2000
|
||
|
||
|
||
|
||
Then the permissions required by authzID that need to be
|
||
evaluated are as follows:
|
||
|
||
|
||
1. permission "b" to the entry candidateDN
|
||
|
||
If this permission is not granted then the dn
|
||
candidateDN MUST not be returned nor any attribute
|
||
type nor attribute value from this entry.
|
||
|
||
If this permission is granted then the dn candidateDN
|
||
MAY be returned.
|
||
|
||
Note: The idea of the "b" permission is to say "a user
|
||
has discovery rights" at a certain entry in the
|
||
directory. Assuming that the further required
|
||
permissions below are satisfied then having "b" right
|
||
is enough to allow the server to return candidateDN.
|
||
Of course candidateDN contains in it's components,
|
||
attributes and attribute values for all the ancestors
|
||
of candidateDN. This can lead to the slightly odd
|
||
situation that we can discover the naming attribute of
|
||
an entry and that attribute's value by virtue of
|
||
having the required searching permissions to it's
|
||
child but not by searching the entry directly.
|
||
|
||
2. permission "s" to each attribute appearing in a
|
||
presence test during the evaluation of the search
|
||
filter. permission "r" to each attribute appearing in
|
||
non-presence tests (see rfc1960, section 3:
|
||
equalityMatch, substrings, greaterOrEquial,
|
||
lessOrEqual, present, approxMatch, extensibleMatch)
|
||
during the evaluation of the search filter.
|
||
|
||
The above statement covers the case where the
|
||
attributes are being evaluated as part of an
|
||
extensibleMatch (RFC 2251 section 4.5.1) which appears
|
||
in the filter. In the case where the dnAttributes
|
||
field of the extensibleMatch is true then we do not
|
||
require any access checks to the attributes of the dn
|
||
candidateDN as access to these is taken to be granted
|
||
by the "b" permission, which has already been required
|
||
above.
|
||
|
||
If there is an attribute in a filter element to which
|
||
the required permission is not granted then that
|
||
filter element evaluates to "Undefined" of the three-
|
||
valued-logic of X.511(93).
|
||
|
||
Note A: Although both "r" and "s" permissions will
|
||
typically be granted to attributes we keep both
|
||
|
||
|
||
|
||
Stokes, et al Expires 14 January 2001 [Page 19]
|
||
|
||
|
||
|
||
|
||
|
||
Internet-Draft Access Control Model 14 July 2000
|
||
|
||
|
||
|
||
permissions as there are cases where the distinction
|
||
is useful. For example, the ability to grant the
|
||
right to discover that a user entry contains a
|
||
userPassword attribute, but not to read it's value
|
||
("s" but not "r"). The converse, granting "r" but not
|
||
"s" permission is less easy to motivate.
|
||
|
||
Note B: There is an unusual behaviour with respect to
|
||
naming attributes illustrated in the following
|
||
example:
|
||
|
||
Suppose I have "b" rights to cn=fred,o=sun.com and "r"
|
||
rights to attribute objectclass but not "r" rights to
|
||
cn then with search filter (objectclass=*) I get back
|
||
the dn and objectclass (and so can see the value of
|
||
cn), but with a search filter of (cn=fred) I do not
|
||
get anything.
|
||
|
||
3. permission "r" to each attribute in the attribute list
|
||
|
||
AttributeDescriptionList (or all attributes in the
|
||
entry candidateDN if AttributeDescriptionList is *)
|
||
whose type and/or value will be returned.
|
||
|
||
Note: The presence of an attribute in an entry is only
|
||
ever volunteered by the server if "r" permission is
|
||
granted to it, though a user may infer the presence of
|
||
an attribute with "s" permission by using a presence
|
||
test on that attribute in the search filter.
|
||
|
||
4. permission "t" to the entry candidateDN
|
||
|
||
If this permission is not granted then the dn
|
||
candidateDN MUST NOT be returned. If the server knows
|
||
of an alias for the entry, this alias may be returned
|
||
instead. If no alias name is available then the entry
|
||
candidateDN MUST be omitted from the search results.
|
||
|
||
|
||
5. Disclose on error for the Search operation
|
||
|
||
If every entry in the scope of the search fails to
|
||
satisfy item 1 (browse right on the candidate entry)
|
||
or item 2 (right to use the filter on that entry) and
|
||
if discloseOnError is not granted to the baseObject
|
||
entry then the operation MUST fail with a "no such
|
||
object error" and the matchedDN of the LDAPResult MUST
|
||
be set to "". If every entry in the scope of the
|
||
search fails to satisfy items 1 or 2 above and
|
||
discloseOnError is granted to the baseObject then the
|
||
empty set of results is returned.
|
||
|
||
|
||
|
||
Stokes, et al Expires 14 January 2001 [Page 20]
|
||
|
||
|
||
|
||
|
||
|
||
Internet-Draft Access Control Model 14 July 2000
|
||
|
||
|
||
|
||
5.3 Modify Operation
|
||
|
||
Recall that the parameters of the Modify operation per
|
||
RFC2251 [LDAPv3] Section 4.6 are:
|
||
|
||
ModifyRequest ::= [APPLICATION 6] SEQUENCE {
|
||
object LDAPDN,
|
||
modification SEQUENCE OF SEQUENCE {
|
||
operation ENUMERATED {
|
||
add (0),
|
||
delete (1),
|
||
replace (2) },
|
||
modification AttributeTypeAndValues } }
|
||
|
||
|
||
AttributeTypeAndValues ::= SEQUENCE {
|
||
type AttributeDescription,
|
||
vals SET OF AttributeValue }
|
||
|
||
Then the permissions required by authzID that need to be
|
||
evaluated are as follows:
|
||
|
||
|
||
1. permission "w" to each attribute being added to object
|
||
|
||
If this permission is not granted to such an
|
||
attribute, then the operation MUST fail. In this
|
||
case, if discloseOnError is not granted to the entry
|
||
then "no such object" error is returned; if
|
||
discloseOnError is granted to the entry and a
|
||
duplicate attribute value is being added then
|
||
"attribute value already exists" error is returned; if
|
||
discloseOnError is granted to the entry and no
|
||
duplicate value is being added then an "insufficient
|
||
access" error is returned.
|
||
|
||
2. permission "o" to each attribute for which a value is
|
||
being deleted from object
|
||
|
||
If this permission is not granted to such an attribute
|
||
then the operation MUST fail. In this case, if
|
||
discloseOnError is not granted to the entry then "no
|
||
such object" error is returned; if discloseOnError is
|
||
granted to the entry and the attribute or one of the
|
||
values to be deleted does not exist then a "no such
|
||
attribute or value" error is returned; if
|
||
discloseOnError is granted to the entry and the
|
||
attribute and all values specified to be deleted exist
|
||
then an "insufficient access" error is returned.
|
||
|
||
|
||
|
||
|
||
|
||
Stokes, et al Expires 14 January 2001 [Page 21]
|
||
|
||
|
||
|
||
|
||
|
||
Internet-Draft Access Control Model 14 July 2000
|
||
|
||
|
||
|
||
3. permissions "o" and "w" to each attribute being
|
||
replaced in object
|
||
|
||
If one of these these permissions is not granted to
|
||
such an attribute then the operation MUST fail. In
|
||
this case, if discloseOnError is not granted to the
|
||
entry then a "no such object" error is returned; if
|
||
discloseOnError is granted to the entry then
|
||
"insufficient access" error is returned.
|
||
|
||
|
||
5.4 Add Operation
|
||
|
||
Recall that the parameters of the Add operation per RFC2251
|
||
[LDAPv3] Section 4.7 are:
|
||
|
||
AddRequest ::= [APPLICATION 8] SEQUENCE {
|
||
entry LDAPDN,
|
||
attributes AttributeList }
|
||
|
||
|
||
AttributeList ::= SEQUENCE OF SEQUENCE {
|
||
type AttributeDescription,
|
||
vals SET OF AttributeValue }
|
||
|
||
Then the permissions required by authzID that need to be
|
||
evaluated are as follows:
|
||
|
||
permission "a" to the parent of entry
|
||
|
||
The access rights required for the creation of a root
|
||
entry in the Directory are beyond the scope of this
|
||
document. They will be vendor specific.
|
||
|
||
1. permission "m" to the parent of entry for each
|
||
attribute being added to entry
|
||
|
||
If any of these permissions are not granted then the
|
||
operation MUST fail. In this case if discloseOnError is on
|
||
and the entry to be added does not already exist then
|
||
"insufficient access" is returned. If it does exist then
|
||
"Entry already exists" is returned. If discloseOnError is
|
||
off then "No such object" is returned (meaning the parent
|
||
object).
|
||
|
||
If they are all granted then the operation MAY proceed.
|
||
|
||
Note: We require "m" permission to each attribute to prevent
|
||
an entry from aquiring "unintended" rights (via group or
|
||
role membership), to stop a "rogue" ACI being added that
|
||
would prevent even admins deleting the entry and general
|
||
|
||
|
||
|
||
Stokes, et al Expires 14 January 2001 [Page 22]
|
||
|
||
|
||
|
||
|
||
|
||
Internet-Draft Access Control Model 14 July 2000
|
||
|
||
|
||
|
||
consistency with the MODIFY operation.
|
||
|
||
Note: The access rights required for the creation of the
|
||
first entry in the directory are beyond the scope of this
|
||
document.
|
||
|
||
|
||
5.5 Delete Operation
|
||
|
||
Recall that the parameters of the Delete operation per
|
||
RFC2251 [LDAPv3] Section 4.10 are:
|
||
|
||
DelRequest ::= [APPLICATION 10] LDAPDN
|
||
|
||
Then the permissions required by authzID that need to be
|
||
evaluated are as follows:
|
||
|
||
|
||
1. permission "d" to the entry in the Delete request
|
||
|
||
If this permission is not granted, then the operation MUST
|
||
fail. In this case if discloseOnError is on and the entry
|
||
to be deleted exists then "insufficient access" is returned.
|
||
If it does not exist then "No such Object" is returned. If
|
||
discloseOnError is off then "No such object" is returned
|
||
(meaning the parent object).
|
||
|
||
If this permission is granted, then the operation MAY
|
||
proceed.
|
||
|
||
Note: One could also require the "o" permission to be
|
||
granted to allow the operation to proceed, but customer
|
||
experience has shown that the requirement of the additional
|
||
permission is not useful nor expected, and X.500 requires
|
||
only the "d" permission.
|
||
|
||
|
||
5.6 Modify DN Operation
|
||
|
||
Recall that the parameters of the Modify DN operation per
|
||
RFC2251 [LDAPv3] Section 4.6 are:
|
||
|
||
ModifyDNRequest ::= [APPLICATION 12] SEQUENCE {
|
||
entry LDAPDN,
|
||
newrdn RelativeLDAPDN,
|
||
deleteoldrdn BOOLEAN,
|
||
newSuperior [0] LDAPDN OPTIONAL }
|
||
|
||
Then the permissions required by authzID that need to be
|
||
evaluated are as follows:
|
||
|
||
|
||
|
||
|
||
Stokes, et al Expires 14 January 2001 [Page 23]
|
||
|
||
|
||
|
||
|
||
|
||
Internet-Draft Access Control Model 14 July 2000
|
||
|
||
|
||
|
||
1. If newSuperior is not present (ie. only the RDN is
|
||
being renamed) then permission "n" to entry is
|
||
required.
|
||
|
||
2. If newSuperior is present then permission "e" to entry
|
||
and permission "i" to newSuperior are required.
|
||
|
||
If any of these permissions are not granted then the
|
||
operation MUST fail. In this case, if discloseOnError is on
|
||
then an "insufficient access error" is returned. Otherwise,
|
||
"No such object" is returned.
|
||
|
||
If they are all granted then the operation MAY proceed.
|
||
|
||
Note A: We do not require any additional permissions in the
|
||
case where deleteoldrdn is TRUE.
|
||
|
||
Note B: These permissions allow the naming attribute of an
|
||
entry (or entries) to be changed even though "o" and "w"
|
||
permissions are not available on the entry. Distinguishing
|
||
the permissions like this allows us to grant permissions for
|
||
the ModifyDN operation, but not the Modify operation and
|
||
vice versa.
|
||
|
||
|
||
5.7 Compare Operation
|
||
|
||
Recall that the parameters of the Compare operation per
|
||
RFC2251 [LDAPv3] Section 4.10 are:
|
||
|
||
CompareRequest ::= [APPLICATION 14] SEQUENCE {
|
||
entry LDAPDN,
|
||
ava AttributeValueAssertion }
|
||
|
||
Then the permissions required by authzID that need to be
|
||
evaluated are as follows:
|
||
|
||
|
||
1. permission "c" to the attribute in entry on which the
|
||
comparison is being made.
|
||
|
||
If any of these permissions are not granted then the
|
||
operation MUST fail. In this case, if discloseOnError is on
|
||
then an "insufficient access error" is returned. Otherwise,
|
||
"No such object" is returned.
|
||
|
||
If they are all granted then the operation MAY proceed.
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
Stokes, et al Expires 14 January 2001 [Page 24]
|
||
|
||
|
||
|
||
|
||
|
||
Internet-Draft Access Control Model 14 July 2000
|
||
|
||
|
||
|
||
5.8 Abandon Operation
|
||
|
||
Recall that the parameters of the Abandon operation per
|
||
RFC2251 [LDAPv3] Section 4.6 are:
|
||
|
||
AbandonRequest ::= [APPLICATION 16] MessageID
|
||
|
||
authzID always has the right to send an Abandon Operation
|
||
for an operation he previously initiated.
|
||
|
||
|
||
5.9 Extended Operation
|
||
|
||
Recall that the parameters of the Extended operation per
|
||
RFC2251 [LDA{v3] Section 4.12 are:
|
||
|
||
ExtendedRequest ::= [APPLICATION 23] SEQUENCE {
|
||
requestName [0] LDAPOID,
|
||
requestValue [1] OCTET STRING OPTIONAL }
|
||
|
||
The access required for an Extended Operation is beyond the
|
||
scope of this document. The required access will normally
|
||
be defined by the implementor of the extended request.
|
||
|
||
|
||
|
||
6. Required Permissions for Handling Aliases and References
|
||
|
||
|
||
Use of aliases and referrals are part of LDAPv3. However,
|
||
neither is particularly well-defined. Alias
|
||
objects/attributes are defined in RFC 2256 as derived from
|
||
X.500, but LDAPv3 does not explicitly define its semantics
|
||
or behavior. X.500 does define alias semantics and behavior
|
||
with respect to access control; we define its behavior in
|
||
LDAPv3 based on the X.511, section 7.11.1. Referrals and
|
||
knowledge information are still under design in LDAPv3; they
|
||
are defined in X.500, however, X.500 punts on their
|
||
semantics and behavior with respect to access control. We
|
||
define their semantics and behavior in LDAPv3 in terms that
|
||
should be independent of the future LDAPv3 definition of
|
||
referrals and knowledge information.
|
||
|
||
|
||
6.1 ACI Distribution
|
||
|
||
Currently there is no LDAP standard defining how to
|
||
distribute directory data between LDAP servers. Consequently
|
||
this draft cannot fully specify the behavior of the Access
|
||
Control Model in a distributed environment. The case of
|
||
distribution via referrals is treated in the "Referrals"
|
||
|
||
|
||
|
||
Stokes, et al Expires 14 January 2001 [Page 25]
|
||
|
||
|
||
|
||
|
||
|
||
Internet-Draft Access Control Model 14 July 2000
|
||
|
||
|
||
|
||
section below. In the case of chaining (where one LDAP
|
||
server forwards a request to another on behalf of a client)
|
||
then it is server specific how the access control model
|
||
behaves in this environment. Similarly it is server specific
|
||
how the server determines whether the chaining of an
|
||
operation is permitted in the first place. For example, the
|
||
implementation may choose to regard the local naming context
|
||
and the remote subordinate naming context as seperate Access
|
||
Control Specific Areas, or it may regard the DIT as one
|
||
Access Control Specific Area and implement mechanisms to
|
||
propagate access control information between the two
|
||
servers. The behavior of the Access Control Model in
|
||
distributed environments such as these is beyond the scope
|
||
of this draft.
|
||
|
||
|
||
6.2 Aliases
|
||
|
||
There are two things to protect with respect to aliases:
|
||
the real name of the aliased object and the location of the
|
||
server holding it.
|
||
|
||
If alias de-referencing is required in the process of
|
||
locating a target entry, no specifc permissions are
|
||
necessary for alias de-referencing to take place. Access
|
||
control is enforced at the object pointed to by the alias.
|
||
|
||
If alias de-referencing would result in a
|
||
continuationReference (e.g. from a search operation), then
|
||
browse permission is required to the alias entry and read
|
||
permission is required to the 'aliasedObjectName' attribute.
|
||
Requiring these permission closes the hole of discovery.
|
||
|
||
|
||
6.3 Referrals
|
||
|
||
If a referral is to be followed, no specifc permissions are
|
||
necessary for the ldap client to follow the referral. Access
|
||
control is enforced at the referenced object. If a referral
|
||
is returned, then browse is required on the entry and read
|
||
permission is required to the attribute containing the
|
||
referral (we cannot name this attribute exactly today
|
||
because there are no RFCs on this - only drafts). If the
|
||
server implements a default referral, then no special
|
||
permissions are required to read and return that referral.
|
||
Requiring these permissions closes the hole of discovery.
|
||
In the default case, it is assumed that a default referral
|
||
is public.
|
||
|
||
|
||
|
||
|
||
|
||
|
||
Stokes, et al Expires 14 January 2001 [Page 26]
|
||
|
||
|
||
|
||
|
||
|
||
Internet-Draft Access Control Model 14 July 2000
|
||
|
||
|
||
|
||
7. Controlling Access to Access Control Information
|
||
|
||
The ldapACI attribute is used to specify control for who has
|
||
permission to set/change access control information
|
||
(ldapACI). The ldapACI attribute/OID is just another
|
||
attribute described with a scope, set of rights and
|
||
permissions, and subject as a value of the ldapACI
|
||
attribute. (See the example in the "ACI Examples" section).
|
||
|
||
If the policy for controlling the ldapACI attribute is not
|
||
specified for any object in the tree, behavior is
|
||
implementation defined. For instance, if no object anywhere
|
||
in the tree defines the access for ldapACI within the
|
||
ldapACI attribute, then the server could simply assert that
|
||
the 'root DN' is considered the policy owner (controller for
|
||
controlling access control) for all objects.
|
||
|
||
|
||
|
||
8. ACI Examples
|
||
|
||
Note that in the examples, the form "OID.<attrname>" refers
|
||
to the OID in dotted decimal form for the attribute
|
||
<attrname>. This shorthand notation is used only for the
|
||
examples. In implementation, the dotted decimal form of the
|
||
OID is used.
|
||
|
||
|
||
8.1 Attribute Definition
|
||
|
||
The following examples show the access required to control
|
||
access to the ldapACI attribute. The first example shows
|
||
controlling the access control on an individual entry and
|
||
its attributes. The second example shows controlling the
|
||
access control on a subtree.
|
||
|
||
ldapACI: entry#grant:r,w#
|
||
OID.ldapACI#authnLevel:any:role:cn=aciAdmin
|
||
|
||
ldapACI: subtree#grant:r,w#
|
||
OID.ldapACI#authnLevel:any:role:cn=aciAdmin
|
||
|
||
The next example shows a ldapACI attribute where a group
|
||
"cn=Dept XYZ, c=US" is being given permissions to read,
|
||
search, and compare attribute attr1. The permission applies
|
||
to the entire subtree below the node containing this ACI.
|
||
Authentication of a specified type is not required.
|
||
|
||
ldapACI:subtree#grant;r,s,c#
|
||
OID.attr1#group:cn=Dept XYZ,c=US
|
||
|
||
|
||
|
||
|
||
Stokes, et al Expires 14 January 2001 [Page 27]
|
||
|
||
|
||
|
||
|
||
|
||
Internet-Draft Access Control Model 14 July 2000
|
||
|
||
|
||
|
||
The next example shows an ACI attribute where a role
|
||
"cn=SysAdmins,o=Company" is being given permissions to add
|
||
objects below this node and read, search, and compare
|
||
attributes attr2 and attr3. The permission applies to the
|
||
entire subtree below the node containing this ACI.
|
||
|
||
ldapACI: subtree#grant:a#
|
||
[entry]#role:cn=SysAdmins,o=Company
|
||
|
||
ldapACI: subtree#grant:r,s,c#
|
||
OID.attr2#role:cn=SysAdmins,o=Company
|
||
|
||
ldapACI: subtree#grant:r,s,c#
|
||
OID.attr3#role:cn=SysAdmins,o=Company
|
||
|
||
|
||
8.2 Modifying the ldapACI Values
|
||
|
||
Modify-Replace works as defined in the ldap operation
|
||
modify. If the attribute value does not exist, create the
|
||
value. If the attribute does exist, replace the value. If
|
||
the ldapACI value is replaced, all ldapACI values are
|
||
replaced.
|
||
|
||
A given ldapACI for an entry:
|
||
|
||
ldapACI: subtree#deny:r,w#[all]#group:cn=Dept ABC
|
||
|
||
ldapACI: subtree#grant:r#OID.attr1#group:cn=Dept XYZ
|
||
|
||
perform the following change:
|
||
|
||
dn: cn=someEntry
|
||
changetype: modify
|
||
replace: ldapACI
|
||
ldapACI: subtree#grant:r,w#[all]#group:cn=Dept LMN
|
||
|
||
The resulting ACI is:
|
||
|
||
ldapACI: subtree#grant:r,w#[all]#group:cn=Dept LMN
|
||
|
||
( ldapACI values for Dept XYZ and ABC are lost through the
|
||
replace )
|
||
|
||
During an ldapmodify-add, if the ACI does not exist, the
|
||
create the ACI with the specific ldapACI value(s). If the
|
||
ACI does exist, then add the specified values to the given
|
||
ldapACI. For example a given ACI:
|
||
|
||
ldapACI: subtree#grant:r,w#[all]#group:cn=Dept XYZ
|
||
|
||
|
||
|
||
|
||
Stokes, et al Expires 14 January 2001 [Page 28]
|
||
|
||
|
||
|
||
|
||
|
||
Internet-Draft Access Control Model 14 July 2000
|
||
|
||
|
||
|
||
with a modification:
|
||
|
||
dn: cn=someEntry
|
||
changetype: modify
|
||
add: ldapACI
|
||
ldapACI: subtree#grant:r#OID.attr1#group:cn=Dept XYZ
|
||
|
||
would yield an multi-valued ACI of:
|
||
|
||
ldapACI: subtree#grant:r,w#[all]#group:cn=Dept XYZ
|
||
|
||
ldapACI: subtree#grant:r#OID.attr1#group:cn=Dept XYZ
|
||
|
||
To delete a particular ACI value, use the regular ldapmodify
|
||
- delete syntax
|
||
|
||
Given an ACI of:
|
||
|
||
ldapACI: subtree#grant:r,w#[all]#group:cn=Dept XYZ
|
||
ldapACI: subtree#grant:r#OID.attr1#group:cn=Dept XYZ
|
||
|
||
dn: cn = some Entry
|
||
changetype: modify
|
||
delete: ldapACI
|
||
ldapACI: subtree#grant:r#OID.attr1#group:cn=Dept XYZ
|
||
|
||
would yield a remaining ACI on the server of
|
||
|
||
ldapACI: subtree#grant:r,w#[all]#group:cn=Dept XYZ
|
||
|
||
The attributes which are defined for access control
|
||
interchange may be used in all LDAP operations.
|
||
|
||
Within the ldapmodify-delete operation, the entire acl may
|
||
be deleted by specifying
|
||
|
||
dn: cn = some Entry
|
||
changetype: modify
|
||
delete: ldapACI
|
||
|
||
In this case, the entry would then inherit its ACI from some
|
||
other node in the tree depending on the server inheritance
|
||
model.
|
||
|
||
Similarly, if all values of ldapACI are deleted, then the
|
||
access control information for that entry is defined by that
|
||
implementation's inheritance model.
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
Stokes, et al Expires 14 January 2001 [Page 29]
|
||
|
||
|
||
|
||
|
||
|
||
Internet-Draft Access Control Model 14 July 2000
|
||
|
||
|
||
|
||
8.3 Evaluation
|
||
|
||
These examples assume that the ldapACI entries listed in
|
||
each example are the only ACI which applies to the entry in
|
||
question; if backing-store ACI also exists, the effective
|
||
policy may be different from that listed in each example.
|
||
See section 10 for a discussion of the semantics of ldapACI
|
||
entries when backing-store ACI administration is also used.
|
||
|
||
Assume cn=jsmith is a member of group cn=G1. Assume
|
||
cn=jsmith is a member of group cn=G2.
|
||
|
||
Example #1
|
||
dn: o=XYZ, c=US
|
||
ldapACI: subtree#grant:r#attr1
|
||
#authzID-dn:cn=jsmith,ou=ABC,o=XYZ,c=US
|
||
ldapACI: subtree#grant:w#attr1
|
||
#group:cn=G1,ou=ABC,o=XYZ,c=US
|
||
|
||
What rights does cn=jsmith have to attr1 of o=XYZ,c=US?
|
||
Read (r) access; authzID is higher precedence than
|
||
group.
|
||
|
||
|
||
Example #2
|
||
dn: o=XYZ, c=US
|
||
ldapACI: subtree#grant:r#attr2
|
||
#group:cn=G1,ou=ABC,o=XYZ,c=US
|
||
ldapACI: subtree#grant:w#attr2
|
||
#group:cn=G2,ou=ABC,o=XYZ,c=US
|
||
|
||
What rights does cn=jsmith have to attr2 of o=XYZ,c=US?
|
||
Read-write (r,w) access; ACI is combined because both
|
||
subjects (group) have same precedence.
|
||
|
||
|
||
Example #3
|
||
dn: o=XYZ, c=US
|
||
ldapACI: subtree#grant:r,w#attr3
|
||
#group:cn=G1,ou=ABC,o=XYZ,c=US
|
||
ldapACI: subtree#deny:w#attr3#group:cn=G2,ou=ABC,o=XYZ,c=US
|
||
|
||
What rights does cn=jsmith have to attr3 of o=XYZ, c=US?
|
||
Read access; write is denied (deny has precedence over
|
||
grant).
|
||
|
||
|
||
Example #4
|
||
dn: o=XYZ, c=US
|
||
ldapACI: subtree#grant:w#attr4
|
||
#authzID-dn:cn=jsmith,ou=ABC,o=XYZ,c=US
|
||
|
||
|
||
|
||
Stokes, et al Expires 14 January 2001 [Page 30]
|
||
|
||
|
||
|
||
|
||
|
||
Internet-Draft Access Control Model 14 July 2000
|
||
|
||
|
||
|
||
ldapACI: subtree#grant:r#attr4#subtree:ou=ABC,ou=XYZ,c=US
|
||
|
||
What rights does cn=jsmith have to attr4 of o=XYZ, c=US?
|
||
Write (w); rights given to an authzID take precedence
|
||
over those given to a subtree.
|
||
|
||
|
||
Example #5
|
||
dn: o=XYZ, c=US
|
||
ldapACI: subtree#grant:m#OID.attr5
|
||
#authzID-dn:cn=jsmith,o=ABC,c=US
|
||
ldapACI: subtree#grant:m#OID.cn
|
||
#authzID-dn:cn=jsmith,o=ABC,c=US
|
||
ldapACI: subtree#grant:m#OID.sn
|
||
#authzID-dn:cn=jsmith,o=ABC,c=US
|
||
ldapACI: subtree#grant:a#[entry]
|
||
#authzID-dn:#cn=jsmith,o=ABC,c=US
|
||
|
||
What rights does cn=jsmith have to o=XYZ, c=US?
|
||
Make(m) on attributes attr5, cn, and sn and Add(a)
|
||
on the entry. These are the minimal yet sufficient
|
||
permissions to create a new object,
|
||
cn=New, o=XYZ, c=US with values for the attr5, cn,
|
||
and sn attributes. This example illustrates how the
|
||
"m" permission can be used to limit the attributes
|
||
that can be created on a new entry.
|
||
|
||
Example #6
|
||
dn: c=US
|
||
ldapACI: subtree#grant:m#[all]#subtree:c=US
|
||
dn: o=XYZ, c=US
|
||
ldapACI: subtree#grant:a#[entry]#
|
||
authzID-dn:cn=jsmith,o=ABC,c=US
|
||
|
||
What rights does cn=jsmith have to o=XYZ, c=US?
|
||
Make(m) on attributes all attributes and Add(a) on the
|
||
entry. These are sufficient permissions to create a new
|
||
object, cn=New, o=XYZ, c=US with values any desired
|
||
attributes. For administrators who do not wish to limit
|
||
the attributes that can be created on new entries, this
|
||
example shows how a single ldapACI at the top of the
|
||
domain solves the problem.
|
||
|
||
|
||
|
||
9. Operational Semantics of Access Control Operations
|
||
|
||
The semantics of access control operations described in this
|
||
document are defined operationally in terms of "histories".
|
||
A history is a sequence of actions (x1, x2, ..., xN).
|
||
|
||
|
||
|
||
|
||
Stokes, et al Expires 14 January 2001 [Page 31]
|
||
|
||
|
||
|
||
|
||
|
||
Internet-Draft Access Control Model 14 July 2000
|
||
|
||
|
||
|
||
9.1 Types of actions
|
||
|
||
We consider five types of actions:
|
||
|
||
- LDAP Access Control Policy Update actions: invocations
|
||
of ldap modify when used to add, delete, or replace the
|
||
aci attribute; invocations of ldap add when used to add
|
||
an entry with an aci attribute. A LDAP Access Control
|
||
Policy Update action may replace the policy (by
|
||
completely replacing the aci attribute with new policy
|
||
information) or it may grant or deny specific rights
|
||
while leaving others unaffected.
|
||
|
||
- LDAP Access Control Policy Query operations:
|
||
invocations of ldap search when used to retrieve the
|
||
aci attribute; invocations of ldap search with the
|
||
getEffectiveRightsRequest control; invocations of the
|
||
ldapGetEffectiveRightsRequest extended operation.
|
||
|
||
- Datastore Access Control Policy Update Actions: any
|
||
operation implemented by the server which LDAP is using
|
||
as its datastore which changes the access policy
|
||
enforced with respect to attempts to access LDAP
|
||
directory entries and their attributes.
|
||
|
||
- LDAP Access Request operations: invocations of LDAP
|
||
entry or attribute access operations (Read, Update,
|
||
Search, Compare, etc...).
|
||
|
||
- Other operations: anything else, including Datastore
|
||
operations which do not change the access policy
|
||
enforced by the server.
|
||
|
||
|
||
9.2 Semantics of Histories
|
||
|
||
The semantics of histories are defined as follows:
|
||
|
||
- LDAP Update (Replace), LDAP Query
|
||
|
||
The Query will show that the subject has all rights
|
||
granted by the Update operation, and no rights not
|
||
granted by the Update operation.
|
||
|
||
- LDAP Update (Grant), LDAP Query
|
||
|
||
The Query will show that the subject has all rights
|
||
granted by the Update operation. The Query may show
|
||
that the subject also has other rights not granted by
|
||
the Update operation, depending on the policy in force
|
||
before the Update operation.
|
||
|
||
|
||
|
||
Stokes, et al Expires 14 January 2001 [Page 32]
|
||
|
||
|
||
|
||
|
||
|
||
Internet-Draft Access Control Model 14 July 2000
|
||
|
||
|
||
|
||
- LDAP Update (Deny), LDAP Query
|
||
|
||
The Query will show that the subject does not have any
|
||
right denied by the Update operation. The Query may
|
||
show that the subject has rights not denied by the
|
||
Update operation, depending on the policy in force
|
||
before the Update operation.
|
||
|
||
- LDAP Update (Replace), LDAP Access Request
|
||
|
||
The Request will succeed if it requires only rights
|
||
granted to the requesting subject by the Update
|
||
operation. The Request will fail if it requires any
|
||
right not granted by the Update operation.
|
||
|
||
- LDAP Update (Grant), LDAP Access Request
|
||
|
||
The Request will succeed if it requires only rights
|
||
granted to the requesting subject by the Update
|
||
operation. The Request may succeed if it requires
|
||
rights not granted by the Update operation, depending
|
||
on the policy in force before the Update operation.
|
||
|
||
- LDAP Update (Deny), LDAP Access Request
|
||
|
||
The Request will fail if it requires any right denied
|
||
to the requesting subject by the Update operation. If
|
||
the Request requires only rights which were not denied
|
||
by the Update operation, it may succeed, depending on
|
||
the policy in force before the Update operation.
|
||
|
||
- LDAP Update (Replace), Other, LDAP Query
|
||
|
||
The Query will show that the subject has all rights
|
||
granted by the Update operation, and no rights not
|
||
granted by the Update operation.
|
||
|
||
- LDAP Update (Grant), Other, LDAP Query
|
||
|
||
The Query will show that the subject has all rights
|
||
granted by the Update operation. The Query may show
|
||
that the subject also has other rights not granted by
|
||
the Update operation, depending on the policy in force
|
||
before the Update operation.
|
||
|
||
- LDAP Update (Deny), Other, LDAP Query
|
||
|
||
The Query will show that the subject does not have any
|
||
right denied by the Update operation. The Query may
|
||
show that the subject has rights not denied by the
|
||
Update operation, depending on the policy in force
|
||
|
||
|
||
|
||
Stokes, et al Expires 14 January 2001 [Page 33]
|
||
|
||
|
||
|
||
|
||
|
||
Internet-Draft Access Control Model 14 July 2000
|
||
|
||
|
||
|
||
before the Update operation.
|
||
|
||
- LDAP Update (Replace), Other, LDAP Access Request
|
||
|
||
The Request will succeed if it requires only rights
|
||
granted to the requesting subject by the Update
|
||
operation. The Request will fail if it requires any
|
||
right not granted by the Update operation.
|
||
|
||
- LDAP Update (Grant), Other, LDAP Access Request
|
||
|
||
The Request will succeed if it requires only rights
|
||
granted to the requesting subject by the Update
|
||
operation. The Request may succeed if it requires
|
||
rights not granted by the Update operation, depending
|
||
on the policy in force before the Update operation.
|
||
|
||
- LDAP Update (Deny), Other, LDAP Access Request
|
||
|
||
The Request will fail if it requires any right denied
|
||
to the requesting subject by the Update operation. If
|
||
the Request requires only rights which were not denied
|
||
by the Update operation, it may succeed, depending on
|
||
the policy in force before the Update operation.
|
||
|
||
- LDAP Update (Replace), Datastore Policy Update, LDAP
|
||
Query
|
||
|
||
The result of the Query is not defined.
|
||
|
||
- LDAP Update (Grant), Datastore Policy Update, LDAP
|
||
Query
|
||
|
||
The result of the Query is not defined.
|
||
|
||
- LDAP Update (Deny), Datastore Policy Update, LDAP Query
|
||
|
||
The result of the Query is not defined.
|
||
|
||
- LDAP Update (Replace), Datastore Policy Update, LDAP
|
||
Access Request
|
||
|
||
The result of the Access Request is not defined.
|
||
|
||
- LDAP Update (Grant), Datastore Policy Update, LDAP
|
||
Access Request
|
||
|
||
The result of the Access Request is not defined.
|
||
|
||
- LDAP Update (Deny), Datastore Policy Update, LDAP
|
||
Access Request
|
||
|
||
|
||
|
||
Stokes, et al Expires 14 January 2001 [Page 34]
|
||
|
||
|
||
|
||
|
||
|
||
Internet-Draft Access Control Model 14 July 2000
|
||
|
||
|
||
|
||
The result of the Access Request is not defined.
|
||
|
||
|
||
|
||
10. Access Control Parameters for LDAP Controls & Extended
|
||
Operations
|
||
|
||
This section defines the parameters used in the access
|
||
control LDAP controls and extended operations in this
|
||
document.
|
||
|
||
targetDN specifies the initial directory entry in DN syntax
|
||
on which the control or extended operation is performed.
|
||
|
||
whichObject specifies whether the access control information
|
||
(in the get effective rights control) which is retrieved is
|
||
for the target directory entry (ENTRY) or the target
|
||
directory entry and its subtree (SUBTREE).
|
||
|
||
rights in the get effective rights control or extended
|
||
operation response is of the form specified in the BNF for
|
||
<rights>.
|
||
|
||
subject is a LDAP string that defines the subject. Access
|
||
control is get/set on a subject. The syntax of the subject
|
||
is the same as the subject field in the BNF.
|
||
|
||
|
||
|
||
11. Access Control Information (ACI) Controls
|
||
|
||
The access control information controls provide a way to
|
||
manipulate access control information in conjunction with a
|
||
LDAP operation. One LDAP control is defined. This control
|
||
allows access control information to be retrieved while
|
||
manipulating other directory information for that entry.
|
||
The control is:
|
||
|
||
- getEffectiveRights to obtain the effective rights for a
|
||
given directory entry(s) for a given subject during a
|
||
ldap_search operation
|
||
|
||
11.1 getEffectiveRights Control
|
||
|
||
|
||
11.1.1 Request Control
|
||
|
||
This control may only be included in the ldap_search
|
||
message as part of the controls field of the
|
||
LDAPMessage, as defined in Section 4.1.12 of [LDAPv3].
|
||
|
||
|
||
|
||
|
||
Stokes, et al Expires 14 January 2001 [Page 35]
|
||
|
||
|
||
|
||
|
||
|
||
Internet-Draft Access Control Model 14 July 2000
|
||
|
||
|
||
|
||
The controlType is set to <OID to be assigned>. The
|
||
criticality MAY be either TRUE or FALSE (where absent is
|
||
also equivalent to FALSE) at the client's option. The
|
||
controlValue is an OCTET STRING, whose value is the BER
|
||
encoding of a value of the following SEQUENCE:
|
||
|
||
getEffectiveRightsRequest ::= SEQUENCE {
|
||
effectiveRightsRequest SEQUENCE OF SEQUENCE {
|
||
whichObject ENUMERATED {
|
||
LDAP_ENTRY (1),
|
||
LDAP_SUBTREE (2)
|
||
},
|
||
subject <see <subject > in BNF> | "*"
|
||
}
|
||
}
|
||
|
||
The effectiveRightsRequest is a set of sequences that state
|
||
the whichObject (entry or entry plus subtree) and specifics
|
||
of the control request to be performed. A "*" in the subject
|
||
field specifies that all DN types are to be used in
|
||
returning the effective rights. This control is applied to
|
||
the filter and scope set by the ldap_search operation, i.e.
|
||
base, one-level, subtree. So the attributes/values returned
|
||
are defined by the ldap_search operation.
|
||
|
||
11.1.2 Response Control
|
||
|
||
This control is included in the ldap_search_response message
|
||
as part of the controls field of the LDAPMessage, as defined
|
||
in Section 4.1.12 of [LDAPv3].
|
||
|
||
The controlType is set to <OID to be assigned>. There is no
|
||
need to set the criticality on the response. The
|
||
controlValue is an OCTET STRING, whose value is the BER
|
||
encoding of a value of the following SEQUENCE:
|
||
|
||
getEffectiveRightsResponse ::= {
|
||
result ENUMERATED {
|
||
success (0),
|
||
operationsError (1),
|
||
unavailableCriticalExtension (12),
|
||
noSuchAttribute (16),
|
||
undefinedAttributeType (17),
|
||
invalidAttributeSyntax (21),
|
||
insufficientRights (50),
|
||
unavailable (52),
|
||
unwillingToPerform (53),
|
||
other (80)
|
||
}
|
||
}
|
||
|
||
|
||
|
||
|
||
Stokes, et al Expires 14 January 2001 [Page 36]
|
||
|
||
|
||
|
||
|
||
|
||
Internet-Draft Access Control Model 14 July 2000
|
||
|
||
|
||
|
||
The effective rights returned are returned with each entry
|
||
returned by the search result. The control response for
|
||
ldap_search is:
|
||
|
||
PartialEffectiveRightsList ::= SEQUENCE OF SEQUENCE {
|
||
rights <see <rights> in BNF>,
|
||
whichObject ENUMERATED {
|
||
LDAP_ENTRY (1),
|
||
LDAP_SUBTREE (2)
|
||
},
|
||
subject < see <subject> in BNF >
|
||
}
|
||
|
||
Although this extends the search operation, there are no
|
||
incompatibilities between versions. LDAPv2 cannot send a
|
||
control, hence the above structure cannot be returned to a
|
||
LDAPv2 client. A LDAPv3 client cannot send this request to
|
||
a LDAPv2 server. A LDAPv3 server not supporting this
|
||
control cannot return the additional data.
|
||
|
||
11.1.3 Client-Server Interaction
|
||
|
||
The getEffectiveRightsRequest control requests the rights
|
||
that MUST be in effect for requested directory
|
||
entry/attribute based on the subject DN. The server that
|
||
consumes the search operation looks up the rights for the
|
||
returned directory information based on the subject DN and
|
||
returns that rights information.
|
||
|
||
There are six possible scenarios that may occur as a result
|
||
of the getEffectiveRights control being included on the
|
||
search request:
|
||
|
||
|
||
1. If the server does not support this control and the
|
||
client specified TRUE for the control's criticality
|
||
field, then the server MUST return
|
||
unavailableCriticalExtension as a return code in the
|
||
searchResponse message and not send back any other
|
||
results. This behavior is specified in section 4.1.12
|
||
of [LDAPv3].
|
||
|
||
2. If the server does not support this control and the
|
||
client specified FALSE for the control's criticality
|
||
field, then the server MUST ignore the control and
|
||
process the request as if it were not present. This
|
||
behavior is specified in section 4.1.12 of [LDAPv3].
|
||
|
||
3. If the server supports this control but for some
|
||
reason such as cannot process specified family and the
|
||
client specified TRUE for the control's criticality
|
||
|
||
|
||
|
||
Stokes, et al Expires 14 January 2001 [Page 37]
|
||
|
||
|
||
|
||
|
||
|
||
Internet-Draft Access Control Model 14 July 2000
|
||
|
||
|
||
|
||
field, then the server SHOULD do the following: return
|
||
unavailableCriticalExtension as a return code in the
|
||
searchResult message.
|
||
|
||
4. If the server supports this control but for some
|
||
reason such as cannot process specified family and the
|
||
client specified FALSE for the control's criticality
|
||
field, then the server should process as 'no rights
|
||
returned for that family' and include the result
|
||
Unavailable in the getEffectiveRightsResponse control
|
||
in the searchResult message.
|
||
|
||
5. If the server supports this control and can return the
|
||
rights per the family information, then it should
|
||
include the getEffectiveRightsResponse control in the
|
||
searchResult message with a result of success.
|
||
|
||
6. If the search request failed for any other reason,
|
||
then the server SHOULD omit the
|
||
getEffectiveRightsResponse control from the
|
||
searchResult message.
|
||
|
||
The client application is assured that the correct rights
|
||
are returned for scope of the search operation if and only
|
||
if the getEffectiveRightsResponse control returns the
|
||
rights. If the server omits the getEffectiveRightsResponse
|
||
control from the searchResult message, the client SHOULD
|
||
assume that the control was ignored by the server.
|
||
|
||
The getEffectiveRightsResponse control, if included by the
|
||
server in the searchResponse message, should have the
|
||
getEffectiveRightsResult set to either success if the rights
|
||
are returned or set to the appropriate error code as to why
|
||
the rights could not be returned.
|
||
|
||
The server may not be able to return a right because it may
|
||
not exist in that directory object's attribute; in this
|
||
case, the rights request is ignored with success.
|
||
|
||
|
||
12. Access Control Extended Operation
|
||
|
||
An extended operation, get effective rights, is defined to
|
||
obtain the effective rights for a given directory entry for
|
||
a given subject. This operation may help with the
|
||
management of access control information independent of
|
||
manipulating other directory information.
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
Stokes, et al Expires 14 January 2001 [Page 38]
|
||
|
||
|
||
|
||
|
||
|
||
Internet-Draft Access Control Model 14 July 2000
|
||
|
||
|
||
|
||
12.1 LDAP Get Effective Rights Operation
|
||
|
||
ldapGetEffectiveRightsRequest ::= [APPLICATION 23] SEQUENCE
|
||
{
|
||
requestName [0] <OID to be assigned>,
|
||
requestValue [1] OCTET STRING OPTIONAL }
|
||
|
||
where
|
||
|
||
requestValue ::= SEQUENCE {
|
||
targetDN LDAPDN,
|
||
updates SEQUENCE OF SEQUENCE {
|
||
whichObject ENUMERATED {
|
||
LDAP_ENTRY (1),
|
||
LDAP_SUBTREE (2)
|
||
},
|
||
attr SEQUENCE {
|
||
attr <see <attr> in BNF >
|
||
},
|
||
subject < see <subject> in BNF > | "*"
|
||
}
|
||
}
|
||
|
||
|
||
The requestName is a dotted-decimal representation of the
|
||
OBJECT IDENTIFIER corresponding to the request. The
|
||
requestValue is information in a form defined by that
|
||
request, encapsulated inside an OCTET STRING.
|
||
|
||
The server will respond to this with an LDAPMessage
|
||
containing the ExtendedResponse which is a rights list.
|
||
|
||
ldapGetEffectiveRightsResponse ::= [APPLICATION 24] SEQUENCE
|
||
{
|
||
COMPONENTS OF LDAPResult,
|
||
responseName [10] <OID to be assigned> OPTIONAL,
|
||
effectiveRights [11] OCTET STRING OPTIONAL }
|
||
|
||
where
|
||
|
||
effectiveRights ::= SEQUENCE OF SEQUENCE {
|
||
rights <see <rights> in BNF>,
|
||
whichObject ENUMERATED {
|
||
LDAP_ENTRY (1),
|
||
LDAP_SUBTREE (2)
|
||
},
|
||
subject < see <subject> in BNF >
|
||
}
|
||
|
||
If the server does not recognize the request name, it MUST
|
||
return only the response fields from LDAPResult, containing
|
||
|
||
|
||
|
||
Stokes, et al Expires 14 January 2001 [Page 39]
|
||
|
||
|
||
|
||
|
||
|
||
Internet-Draft Access Control Model 14 July 2000
|
||
|
||
|
||
|
||
the protocolError result code.
|
||
|
||
|
||
|
||
13. Security Considerations
|
||
|
||
This document proposes protocol elements for transmission of
|
||
security policy information. Security considerations are
|
||
discussed throughout this draft. Because subject security
|
||
attribute information is used to evaluate decision requests,
|
||
it is security-sensitive information and must be protected
|
||
against unauthorized modification whenever it is stored or
|
||
transmitted.
|
||
|
||
Interaction of access control with other directory functions
|
||
(other than the ones defined in this document) are not
|
||
defined in this document, but instead in the documents where
|
||
those directory functions are defined. For example, the
|
||
directory replication documents should address the
|
||
interaction of access control with the replication function.
|
||
|
||
|
||
|
||
14. References
|
||
|
||
[LDAPv3] M. Wahl, T. Howes, S. Kille, "Lightweight Directory
|
||
Access Protocol (v3)", RFC 2251, December 1997.
|
||
|
||
[ECMA] ECMA, "Security in Open Systems: A Security
|
||
Framework" ECMA TR/46, July 1988.
|
||
|
||
[REQTS] Stokes, Byrne, Blakley, "Access Control Requirements
|
||
for LDAP", RFC 2820, May 2000.
|
||
|
||
[ATTR] M.Wahl, A, Coulbeck, T. Howes, S. Kille, "Lightweight
|
||
Directory Access Protocol (v3)": Attribute Syntax
|
||
Definitions, RFC 2252, December 1997.
|
||
|
||
[UTF] M. Wahl, S. Kille, "Lightweight Directory Access
|
||
Protocol (v3)": A UTF-8 String Representation of
|
||
Distinguished Names", RFC 2253, December 1997.
|
||
|
||
[Bradner97] Bradner, Scott, "Key Words for use in RFCs to
|
||
Indicate Requirement Levels", RFC 2119.
|
||
|
||
[AuthMeth] Wahl, M., Alvestrand, H., Hodges, J. and R.
|
||
Morgan, "Authentication Methods for LDAP", RFC 2829, May
|
||
2000.
|
||
|
||
[ABNF] D. Crocker, P. Overell, "Augmented BNF for Syntax
|
||
Specifications: ABNF", RFC 2234, November 1997.
|
||
|
||
|
||
|
||
Stokes, et al Expires 14 January 2001 [Page 40]
|
||
|
||
|
||
|
||
|
||
|
||
Internet-Draft Access Control Model 14 July 2000
|
||
|
||
|
||
|
||
ACKNOWLEDGEMENT
|
||
|
||
This is to acknowledge the numerous companies and individuals who have
|
||
contributed their valuable help and insights to the development of this
|
||
specification.
|
||
|
||
|
||
AUTHOR(S) ADDRESS
|
||
|
||
Ellen Stokes Bob Blakley
|
||
Tivoli Systems Tivoli Systems
|
||
6300 Bridgepoint Parkway 6300 Bridgepoint Parkway
|
||
Austin, TX 78731 Austin, TX 78731
|
||
USA USA
|
||
mail-to: estokes@tivoli.com mail-to: blakley@tivoli.com
|
||
phone: +1 512 436 9098 phone: +1 512 436 1564
|
||
fax: +1 512 436 1199 fax: +1 512 436 1199
|
||
|
||
|
||
Debbie Rinkevich Robert Byrne
|
||
IBM Sun Microsystems
|
||
11400 Burnet Rd 29 Chemin du Vieux Chene
|
||
Austin, TX 78758 Meylan ZIRST 38240
|
||
USA France
|
||
mail-to: djbrink@us.ibm.com mail-to: rbyrne@france.sun.com
|
||
phone: +1 512 838 1960 phone: +33 (0)4 76 41 42 05
|
||
fax: +1 512 838 8597
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
Stokes, et al Expires 14 January 2001 [Page 41]
|
||
|
||
|
||
|
||
|
||
|
||
Internet-Draft Access Control Model 14 July 2000
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
Stokes, et al Expires 14 January 2001 [Page 42]
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
CONTENTS
|
||
|
||
|
||
1. Introduction....................................... 2
|
||
|
||
2. The LDAPv3 Access Control Model.................... 2
|
||
|
||
3. Access Control Mechanism Attributes................ 5
|
||
3.1 Root DSE Attribute for Access Control
|
||
Mechanism.................................... 5
|
||
3.2 Root DSE Attribute for Control of Disclosing
|
||
Errors....................................... 5
|
||
3.3 Subentry Class Access Control Mechanism...... 6
|
||
|
||
4. The Access Control Information Attribute
|
||
(ldapACI).......................................... 7
|
||
4.1 The BNF...................................... 8
|
||
4.1.1 ACI String Representation 8
|
||
4.1.2 ACI Binary Representation 10
|
||
4.2 The Components of ldapACI Attribute.......... 11
|
||
4.2.1 Scope 11
|
||
4.2.2 Access Rights and Permissions 11
|
||
4.2.3 Attributes 14
|
||
4.2.4 Subjects and Associated
|
||
Authentication 15
|
||
4.3 Grant/Deny Evaluation Rules.................. 15
|
||
|
||
5. Required Permissions for each LDAP Operation....... 17
|
||
5.1 Bind Operation............................... 18
|
||
5.2 Search Operation............................. 18
|
||
5.3 Modify Operation............................. 21
|
||
5.4 Add Operation................................ 22
|
||
5.5 Delete Operation............................. 23
|
||
5.6 Modify DN Operation.......................... 23
|
||
5.7 Compare Operation............................ 24
|
||
5.8 Abandon Operation............................ 25
|
||
5.9 Extended Operation........................... 25
|
||
|
||
6. Required Permissions for Handling Aliases and
|
||
References......................................... 25
|
||
6.1 ACI Distribution............................. 25
|
||
6.2 Aliases...................................... 26
|
||
6.3 Referrals.................................... 26
|
||
|
||
7. Controlling Access to Access Control
|
||
Information........................................ 27
|
||
|
||
8. ACI Examples....................................... 27
|
||
8.1 Attribute Definition......................... 27
|
||
8.2 Modifying the ldapACI Values................. 28
|
||
8.3 Evaluation................................... 30
|
||
|
||
|
||
|
||
- i -
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
9. Operational Semantics of Access Control
|
||
Operations......................................... 31
|
||
9.1 Types of actions............................. 32
|
||
9.2 Semantics of Histories....................... 32
|
||
|
||
10. Access Control Parameters for LDAP Controls &
|
||
Extended Operations................................ 35
|
||
|
||
11. Access Control Information (ACI) Controls.......... 35
|
||
11.1 getEffectiveRights Control................... 35
|
||
11.1.1 Request Control 35
|
||
11.1.2 Response Control 36
|
||
11.1.3 Client-Server Interaction 37
|
||
|
||
12. Access Control Extended Operation.................. 38
|
||
12.1 LDAP Get Effective Rights Operation.......... 39
|
||
|
||
13. Security Considerations............................ 40
|
||
|
||
14. References......................................... 40
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
- ii -
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
Full Copyright Statement
|
||
|
||
Copyright (C) The Internet Society (2000).<2E> All Rights
|
||
Reserved.
|
||
|
||
This document and translations of it may be copied and
|
||
furnished to others, and derivative works that comment on or
|
||
otherwise explain it or assist in its implementation may be
|
||
prepared, copied, published and distributed, in whole or in
|
||
part, without restriction of any kind, provided that the
|
||
above copyright notice and this paragraph are included on
|
||
all such copies and derivative works.<2E> However, this
|
||
document itself may not be modified in any way, such as by
|
||
removing the copyright notice or references to the Internet
|
||
Society or other Internet organizations, except as needed
|
||
for the purpose of developing Internet standards in which
|
||
case the procedures for copyrights defined in the Internet
|
||
Standards process must be followed, or as required to
|
||
translate it into languages other than English.
|
||
|
||
The limited permissions granted above are perpetual and will
|
||
not be revoked by the Internet Society or its successors or
|
||
assigns.
|
||
|
||
This document and the information contained herein is
|
||
provided on an "AS IS" basis and THE INTERNET SOCIETY AND
|
||
THE INTERNET ENGINEERING TASK FORCE DISCLAIMS ALL
|
||
WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO
|
||
ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT
|
||
INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
|
||
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
- iii -
|
||
|
||
|
||
|
||
|