mirror of
https://git.openldap.org/openldap/openldap.git
synced 2025-01-06 10:46:21 +08:00
3420 lines
140 KiB
Plaintext
3420 lines
140 KiB
Plaintext
|
||
|
||
|
||
|
||
|
||
|
||
Network Working Group J. Strassner
|
||
Request for Comments: 3703 Intelliden Corporation
|
||
Category: Standards Track B. Moore
|
||
IBM Corporation
|
||
R. Moats
|
||
Lemur Networks, Inc.
|
||
E. Ellesson
|
||
February 2004
|
||
|
||
|
||
Policy Core Lightweight Directory Access Protocol (LDAP) Schema
|
||
|
||
Status of this Memo
|
||
|
||
This document specifies an Internet standards track protocol for the
|
||
Internet community, and requests discussion and suggestions for
|
||
improvements. Please refer to the current edition of the "Internet
|
||
Official Protocol Standards" (STD 1) for the standardization state
|
||
and status of this protocol. Distribution of this memo is unlimited.
|
||
|
||
Copyright Notice
|
||
|
||
Copyright (C) The Internet Society (2004). All Rights Reserved.
|
||
|
||
Abstract
|
||
|
||
This document defines a mapping of the Policy Core Information Model
|
||
to a form that can be implemented in a directory that uses
|
||
Lightweight Directory Access Protocol (LDAP) as its access protocol.
|
||
This model defines two hierarchies of object classes: structural
|
||
classes representing information for representing and controlling
|
||
policy data as specified in RFC 3060, and relationship classes that
|
||
indicate how instances of the structural classes are related to each
|
||
other. Classes are also added to the LDAP schema to improve the
|
||
performance of a client's interactions with an LDAP server when the
|
||
client is retrieving large amounts of policy-related information.
|
||
These classes exist only to optimize LDAP retrievals: there are no
|
||
classes in the information model that correspond to them.
|
||
|
||
Table of Contents
|
||
|
||
1. Introduction ................................................. 2
|
||
2. The Policy Core Information Model ............................ 4
|
||
3. Inheritance Hierarchy for the PCLS ........................... 5
|
||
4. General Discussion of Mapping the Information Model to LDAP .. 6
|
||
4.1. Summary of Class and Association Mappings .............. 7
|
||
4.2. Usage of DIT Content and Structure Rules and Name Forms. 9
|
||
4.3. Naming Attributes in the PCLS .......................... 10
|
||
|
||
|
||
|
||
Strassner, et al. Standards Track [Page 1]
|
||
|
||
RFC 3703 Policy Core LDAP Schema February 2004
|
||
|
||
|
||
4.4. Rule-Specific and Reusable Conditions and Actions ...... 11
|
||
4.5. Location and Retrieval of Policy Objects in the
|
||
Directory .............................................. 16
|
||
4.5.1. Aliases and Other DIT-Optimization Techniques .. 19
|
||
5. Class Definitions ............................................ 19
|
||
5.1. The Abstract Class "pcimPolicy" ........................ 21
|
||
5.2. The Three Policy Group Classes ......................... 22
|
||
5.3. The Three Policy Rule Classes .......................... 23
|
||
5.4. The Class pcimRuleConditionAssociation ................. 30
|
||
5.5. The Class pcimRuleValidityAssociation .................. 32
|
||
5.6. The Class pcimRuleActionAssociation .................... 34
|
||
5.7. The Auxiliary Class pcimConditionAuxClass .............. 36
|
||
5.8. The Auxiliary Class pcimTPCAuxClass .................... 36
|
||
5.9. The Auxiliary Class pcimConditionVendorAuxClass ........ 40
|
||
5.10. The Auxiliary Class pcimActionAuxClass ................. 41
|
||
5.11. The Auxiliary Class pcimActionVendorAuxClass ........... 42
|
||
5.12. The Class pcimPolicyInstance ........................... 43
|
||
5.13. The Auxiliary Class pcimElementAuxClass ................ 44
|
||
5.14. The Three Policy Repository Classes .................... 45
|
||
5.15. The Auxiliary Class pcimSubtreesPtrAuxClass ............ 46
|
||
5.16. The Auxiliary Class pcimGroupContainmentAuxClass ....... 48
|
||
5.17. The Auxiliary Class pcimRuleContainmentAuxClass ........ 49
|
||
6. Extending the Classes Defined in This Document ............... 50
|
||
6.1. Subclassing pcimConditionAuxClass and pcimActionAuxClass 50
|
||
6.2. Using the Vendor Policy Attributes ..................... 50
|
||
6.3. Using Time Validity Periods ............................ 51
|
||
7. Security Considerations ...................................... 51
|
||
8. IANA Considerations .......................................... 53
|
||
8.1. Object Identifiers ..................................... 53
|
||
8.2. Object Identifier Descriptors .......................... 53
|
||
9. Acknowledgments .............................................. 56
|
||
10. Appendix: Constructing the Value of orderedCIMKeys .......... 57
|
||
11. References ................................................... 58
|
||
11.1. Normative References ................................... 58
|
||
11.2. Informative References ................................. 59
|
||
12. Authors' Addresses ........................................... 60
|
||
13. Full Copyright Statement ..................................... 61
|
||
|
||
1. Introduction
|
||
|
||
This document takes as its starting point the object-oriented
|
||
information model for representing information for representing and
|
||
controlling policy data as specified in [1]. Lightweight Directory
|
||
Access Protocol (LDAP) [2] implementers, please note that the use of
|
||
the term "policy" in this document does not refer to the use of the
|
||
term "policy" as defined in X.501 [4]. Rather, the use of the term
|
||
"policy" throughout this document is defined as follows:
|
||
|
||
|
||
|
||
|
||
Strassner, et al. Standards Track [Page 2]
|
||
|
||
RFC 3703 Policy Core LDAP Schema February 2004
|
||
|
||
|
||
Policy is defined as a set of rules to administer, manage, and
|
||
control access to network resources.
|
||
|
||
This work is currently under joint development in the IETF's Policy
|
||
Framework working group and in the Policy working group of the
|
||
Distributed Management Task Force (DMTF). This model defines two
|
||
hierarchies of object classes: structural classes representing policy
|
||
information and control of policies, and relationship classes that
|
||
indicate how instances of the structural classes are related to each
|
||
other. In general, both of these class hierarchies will need to be
|
||
mapped to a particular data store.
|
||
|
||
This document defines the mapping of these information model classes
|
||
to a directory that uses LDAP as its access protocol. Two types of
|
||
mappings are involved:
|
||
|
||
- For the structural classes in the information model, the
|
||
mapping is basically one-for-one: information model classes map
|
||
to LDAP classes, information model properties map to LDAP
|
||
attributes.
|
||
|
||
- For the relationship classes in the information model,
|
||
different mappings are possible. In this document, the Policy
|
||
Core Information Model's (PCIM's) relationship classes and
|
||
their properties are mapped in three ways: to LDAP auxiliary
|
||
classes, to attributes representing distinguished name (DN)
|
||
references, and to superior-subordinate relationships in the
|
||
Directory Information Tree (DIT).
|
||
|
||
Implementations that use an LDAP directory as their policy repository
|
||
and want to implement policy information according to RFC 3060 [1]
|
||
SHALL use the LDAP schema defined in this document, or a schema that
|
||
subclasses from the schema defined in this document. The use of the
|
||
information model defined in reference [1] as the starting point
|
||
enables the inheritance and the relationship class hierarchies to be
|
||
extensible, such that other types of policy repositories, such as
|
||
relational databases, can also use this information.
|
||
|
||
This document fits into the overall framework for representing,
|
||
deploying, and managing policies being developed by the Policy
|
||
Framework Working Group.
|
||
|
||
The LDAP schema described in this document uses the prefix "pcim" to
|
||
identify its classes and attributes. It consists of ten very general
|
||
classes: pcimPolicy (an abstract class), three policy group classes
|
||
(pcimGroup, pcimGroupAuxClass, and pcimGroupInstance), three policy
|
||
rule classes (pcimRule, pcimRuleAuxClass, and pcimRuleInstance), and
|
||
three special auxiliary classes (pcimConditionAuxClass,
|
||
|
||
|
||
|
||
Strassner, et al. Standards Track [Page 3]
|
||
|
||
RFC 3703 Policy Core LDAP Schema February 2004
|
||
|
||
|
||
pcimTPCAuxClass, and pcimActionAuxClass). (Note that the
|
||
PolicyTimePeriodCondition auxiliary class defined in [1] would
|
||
normally have been named pcimTimePeriodConditionAuxClass, but this
|
||
name is too long for some directories. Therefore, we have
|
||
abbreviated this name to be pcimTPCAuxClass).
|
||
|
||
The mapping for the PCIM classes pcimGroup and pcimRule is designed
|
||
to be as flexible as possible. Three classes are defined for these
|
||
two PCIM classes. First, an abstract superclass is defined that
|
||
contains all required properties of each PCIM class. Then, both an
|
||
auxiliary class as well as a structural class are derived from the
|
||
abstract superclass. This provides maximum flexibility for the
|
||
developer.
|
||
|
||
The schema also contains two less general classes:
|
||
pcimConditionVendorAuxClass and pcimActionVendorAuxClass. To achieve
|
||
the mapping of the information model's relationships, the schema also
|
||
contains two auxiliary classes: pcimGroupContainmentAuxClass and
|
||
pcimRuleContainmentAuxClass. Capturing the distinction between
|
||
rule-specific and reusable policy conditions and policy actions
|
||
introduces seven other classes: pcimRuleConditionAssociation,
|
||
pcimRuleValidityAssociation, pcimRuleActionAssociation,
|
||
pcimPolicyInstance, and three policy repository classes
|
||
(pcimRepository, pcimRepositoryAuxClass, and pcimRepositoryInstance).
|
||
Finally, the schema includes two classes (pcimSubtreesPtrAuxClass and
|
||
pcimElementAuxClass) for optimizing LDAP retrievals. In all, the
|
||
schema contains 23 classes.
|
||
|
||
Within the context of this document, the term "PCLS" (Policy Core
|
||
LDAP Schema) is used to refer to the LDAP class definitions that this
|
||
document contains. The term "PCIM" refers to classes defined in [1].
|
||
|
||
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
|
||
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
|
||
document are to be interpreted as described in RFC 2119 [10].
|
||
|
||
2. The Policy Core Information Model
|
||
|
||
This document contains an LDAP schema representing the classes
|
||
defined in the companion document "Policy Core Information
|
||
Model -- Version 1 Specification" [1]. Other documents may
|
||
subsequently be produced, with mappings of this same PCIM to other
|
||
storage technologies. Since the detailed semantics of the PCIM
|
||
classes appear only in [1], that document is a prerequisite for
|
||
reading and understanding this document.
|
||
|
||
|
||
|
||
|
||
|
||
|
||
Strassner, et al. Standards Track [Page 4]
|
||
|
||
RFC 3703 Policy Core LDAP Schema February 2004
|
||
|
||
|
||
3. Inheritance Hierarchy for the PCLS
|
||
|
||
The following diagram illustrates the class hierarchy for the LDAP
|
||
Classes defined in this document:
|
||
|
||
top
|
||
|
|
||
+--dlm1ManagedElement (abstract)
|
||
| |
|
||
| +--pcimPolicy (abstract)
|
||
| | |
|
||
| | +--pcimGroup (abstract)
|
||
| | | |
|
||
| | | +--pcimGroupAuxClass (auxiliary)
|
||
| | | |
|
||
| | | +--pcimGroupInstance (structural)
|
||
| | |
|
||
| | +--pcimRule (abstract)
|
||
| | | |
|
||
| | | +--pcimRuleAuxClass (auxiliary)
|
||
| | | |
|
||
| | | +--pcimRuleInstance (structural)
|
||
| | |
|
||
| | +--pcimRuleConditionAssociation (structural)
|
||
| | |
|
||
| | +--pcimRuleValidityAssociation (structural)
|
||
| | |
|
||
| | +--pcimRuleActionAssociation (structural)
|
||
| | |
|
||
| | +--pcimPolicyInstance (structural)
|
||
| | |
|
||
| | +--pcimElementAuxClass (auxiliary)
|
||
| |
|
||
| +--dlm1ManagedSystemElement (abstract)
|
||
| |
|
||
| +--dlm1LogicalElement (abstract)
|
||
| |
|
||
| +--dlm1System (abstract)
|
||
| |
|
||
| +--dlm1AdminDomain (abstract)
|
||
| |
|
||
| +--pcimRepository (abstract)
|
||
| |
|
||
| +--pcimRepositoryAuxClass (auxiliary)
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
Strassner, et al. Standards Track [Page 5]
|
||
|
||
RFC 3703 Policy Core LDAP Schema February 2004
|
||
|
||
|
||
top
|
||
| |
|
||
| +--pcimRepositoryInstance
|
||
| (structural)
|
||
|
|
||
+--pcimConditionAuxClass (auxiliary)
|
||
| |
|
||
| +---pcimTPCAuxClass (auxiliary)
|
||
| |
|
||
| +---pcimConditionVendorAuxClass (auxiliary)
|
||
|
|
||
+--pcimActionAuxClass (auxiliary)
|
||
| |
|
||
| +---pcimActionVendorAuxClass (auxiliary)
|
||
|
|
||
+--pcimSubtreesPtrAuxClass (auxiliary)
|
||
|
|
||
+--pcimGroupContainmentAuxClass (auxiliary)
|
||
|
|
||
+--pcimRuleContainmentAuxClass (auxiliary)
|
||
|
||
Figure 1. LDAP Class Inheritance Hierarchy for the PCLS
|
||
|
||
4. General Discussion of Mapping the Information Model to LDAP
|
||
|
||
The classes described in Section 5 below contain certain
|
||
optimizations for a directory that uses LDAP as its access protocol.
|
||
One example of this is the use of auxiliary classes to represent some
|
||
of the associations defined in the information model. Other data
|
||
stores might need to implement these associations differently. A
|
||
second example is the introduction of classes specifically designed
|
||
to optimize retrieval of large amounts of policy-related data from a
|
||
directory. This section discusses some general topics related to the
|
||
mapping from the information model to LDAP.
|
||
|
||
The remainder of this section will discuss the following topics.
|
||
Section 4.1 will discuss the strategy used in mapping the classes and
|
||
associations defined in [1] to a form that can be represented in a
|
||
directory that uses LDAP as its access protocol. Section 4.2
|
||
discusses DIT content and structure rules, as well as name forms.
|
||
Section 4.3 describes the strategy used in defining naming attributes
|
||
for the schema described in Section 5 of this document. Section 4.4
|
||
defines the strategy recommended for locating and retrieving
|
||
PCIM-derived objects in the directory.
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
Strassner, et al. Standards Track [Page 6]
|
||
|
||
RFC 3703 Policy Core LDAP Schema February 2004
|
||
|
||
|
||
4.1. Summary of Class and Association Mappings
|
||
|
||
Fifteen of the classes in the PCLS come directly from the nine
|
||
corresponding classes in the information model. Note that names of
|
||
classes begin with an upper case character in the information model
|
||
(although for CIM in particular, case is not significant in class and
|
||
property names), but with a lower case character in LDAP. This is
|
||
because although LDAP doesn't care, X.500 doesn't allow class names
|
||
to begin with an uppercase character. Note also that the prefix
|
||
"pcim" is used to identify these LDAP classes.
|
||
|
||
+---------------------------+-------------------------------+
|
||
| Information Model | LDAP Class(es) |
|
||
+---------------------------+-------------------------------+
|
||
+---------------------------+-------------------------------+
|
||
| Policy | pcimPolicy |
|
||
+---------------------------+-------------------------------+
|
||
| PolicyGroup | pcimGroup |
|
||
| | pcimGroupAuxClass |
|
||
| | pcimGroupInstance |
|
||
+---------------------------+-------------------------------+
|
||
| PolicyRule | pcimRule |
|
||
| | pcimRuleAuxClass |
|
||
| | pcimRuleInstance |
|
||
+---------------------------+-------------------------------+
|
||
| PolicyCondition | pcimConditionAuxClass |
|
||
+---------------------------+-------------------------------+
|
||
| PolicyAction | pcimActionAuxClass |
|
||
+---------------------------+-------------------------------+
|
||
| VendorPolicyCondition | pcimConditionVendorAuxClass |
|
||
+---------------------------+-------------------------------+
|
||
| VendorPolicyAction | pcimActionVendorAuxClass |
|
||
+---------------------------+-------------------------------+
|
||
| PolicyTimePeriodCondition | pcimTPCAuxClass |
|
||
+---------------------------+-------------------------------+
|
||
| PolicyRepository | pcimRepository |
|
||
| | pcimRepositoryAuxClass |
|
||
| | pcimRepositoryInstance |
|
||
+---------------------------+-------------------------------+
|
||
|
||
Figure 2. Mapping of Information Model Classes to LDAP
|
||
|
||
The associations in the information model map to attributes that
|
||
reference DNs (Distinguished Names) or to Directory Information Tree
|
||
(DIT) containment (i.e., superior-subordinate relationships) in LDAP.
|
||
Two of the attributes that reference DNs appear in auxiliary classes,
|
||
which allow each of them to represent several relationships from the
|
||
information model.
|
||
|
||
|
||
|
||
Strassner, et al. Standards Track [Page 7]
|
||
|
||
RFC 3703 Policy Core LDAP Schema February 2004
|
||
|
||
|
||
+----------------------------------+----------------------------------+
|
||
| Information Model Association | LDAP Attribute / Class |
|
||
+-----------------------------------+---------------------------------+
|
||
+-----------------------------------+---------------------------------+
|
||
| PolicyGroupInPolicyGroup | pcimGroupsAuxContainedSet in |
|
||
| | pcimGroupContainmentAuxClass |
|
||
+-----------------------------------+---------------------------------+
|
||
| PolicyRuleInPolicyGroup | pcimRulesAuxContainedSet in |
|
||
| | pcimRuleContainmentAuxClass |
|
||
+-----------------------------------+---------------------------------+
|
||
| PolicyConditionInPolicyRule | DIT containment or |
|
||
| | pcimRuleConditionList in |
|
||
| | pcimRule or |
|
||
| | pcimConditionDN in |
|
||
| | pcimRuleConditionAssociation |
|
||
+-----------------------------------+---------------------------------+
|
||
| PolicyActionInPolicyRule | DIT containment or |
|
||
| | pcimRuleActionList in |
|
||
| | pcimRule or |
|
||
| | pcimActionDN in |
|
||
| | pcimRuleActionAssociation |
|
||
+-----------------------------------+---------------------------------+
|
||
| PolicyRuleValidityPeriod | pcimRuleValidityPeriodList |
|
||
| | in pcimRule or (if reusable) |
|
||
| | referenced through the |
|
||
| | pcimTimePeriodConditionDN in |
|
||
| | pcimRuleValidityAssociation |
|
||
+-----------------------------------+---------------------------------+
|
||
| PolicyConditionInPolicyRepository | DIT containment |
|
||
+-----------------------------------+---------------------------------+
|
||
| PolicyActionInPolicyRepository | DIT containment |
|
||
+-----------------------------------+---------------------------------+
|
||
| PolicyRepositoryInPolicyRepository| DIT containment |
|
||
+-----------------------------------+---------------------------------+
|
||
|
||
Figure 3. Mapping of Information Model Associations to LDAP
|
||
|
||
Of the remaining classes in the PCLS, two (pcimElementAuxClass and
|
||
pcimSubtreesPtrAuxClass) are included to make navigation through the
|
||
DIT and retrieval of the entries found there more efficient. This
|
||
topic is discussed below in Section 4.5.
|
||
|
||
The remaining four classes in the PCLS, pcimRuleConditionAssociation,
|
||
pcimRuleValidityAssociation, pcimRuleActionAssociation, and
|
||
pcimPolicyInstance, are all involved with the representation of
|
||
policy conditions and policy actions in an LDAP directory. This
|
||
topic is discussed below in Section 4.4.
|
||
|
||
|
||
|
||
|
||
Strassner, et al. Standards Track [Page 8]
|
||
|
||
RFC 3703 Policy Core LDAP Schema February 2004
|
||
|
||
|
||
4.2. Usage of DIT Content and Structure Rules and Name Forms
|
||
|
||
There are three powerful tools that can be used to help define
|
||
schemata. The first, DIT content rules, is a way of defining the
|
||
content of an entry for a structural object class. It can be used to
|
||
specify the following characteristics of the entry:
|
||
|
||
- additional mandatory attributes that the entries are required
|
||
to contain
|
||
- additional optional attributes the entries are allowed to
|
||
contain
|
||
- the set of additional auxiliary object classes that these
|
||
entries are allowed to be members of
|
||
- any optional attributes from the structural and auxiliary
|
||
object class definitions that the entries are required to
|
||
preclude
|
||
|
||
DIT content rules are NOT mandatory for any structural object class.
|
||
|
||
A DIT structure rule, together with a name form, controls the
|
||
placement and naming of an entry within the scope of a subschema.
|
||
Name forms define which attribute type(s) are required and are
|
||
allowed to be used in forming the Relative Distinguished Names (RDNs)
|
||
of entries. DIT structure rules specify which entries are allowed to
|
||
be superior to other entries, and hence control the way that RDNs are
|
||
added together to make DNs.
|
||
|
||
A name form specifies the following:
|
||
|
||
- the structural object class of the entries named by this name
|
||
form
|
||
- attributes that are required to be used in forming the RDNs of
|
||
these entries
|
||
- attributes that are allowed to be used in forming the RDNs of
|
||
these entries
|
||
- an object identifier to uniquely identify this name form
|
||
|
||
Note that name forms can only be specified for structural object
|
||
classes. However, every entry in the DIT must have a name form
|
||
controlling it.
|
||
|
||
Unfortunately, current LDAP servers vary quite a lot in their support
|
||
of these features. There are also three crucial implementation
|
||
points that must be followed. First, X.500 use of structure rules
|
||
requires that a structural object class with no superior structure
|
||
rule be a subschema administrative point. This is exactly NOT what
|
||
we want for policy information. Second, when an auxiliary class is
|
||
subclassed, if a content rule exists for the structural class that
|
||
|
||
|
||
|
||
Strassner, et al. Standards Track [Page 9]
|
||
|
||
RFC 3703 Policy Core LDAP Schema February 2004
|
||
|
||
|
||
the auxiliary class refers to, then that content rule needs to be
|
||
augmented. Finally, most LDAP servers unfortunately do not support
|
||
inheritance of structure and content rules.
|
||
|
||
Given these concerns, DIT structure and content rules have been
|
||
removed from the PCLS. This is because, if included, they would be
|
||
normative references and would require OIDs. However, we don't want
|
||
to lose the insight gained in building the structure and content
|
||
rules of the previous version of the schema. Therefore, we describe
|
||
where such rules could be used in this schema, what they would
|
||
control, and what their effect would be.
|
||
|
||
4.3. Naming Attributes in the PCLS
|
||
|
||
Instances in a directory are identified by distinguished names (DNs),
|
||
which provide the same type of hierarchical organization that a file
|
||
system provides in a computer system. A distinguished name is a
|
||
sequence of RDNs. An RDN provides a unique identifier for an
|
||
instance within the context of its immediate superior, in the same
|
||
way that a filename provides a unique identifier for a file within
|
||
the context of the folder in which it resides.
|
||
|
||
To preserve maximum naming flexibility for policy administrators,
|
||
three optional (i.e., "MAY") naming attributes have been defined.
|
||
They are:
|
||
|
||
- Each of the structural classes defined in this schema has its
|
||
own unique ("MAY") naming attribute. Since the naming
|
||
attributes are different, a policy administrator can, by using
|
||
these attributes, guarantee that there will be no name
|
||
collisions between instances of different classes, even if the
|
||
same value is assigned to the instances' respective naming
|
||
attributes.
|
||
|
||
- The LDAP attribute cn (corresponding to X.500's commonName) is
|
||
included as a MAY attribute in the abstract class pcimPolicy,
|
||
and thus by inheritance in all of its subclasses. In X.500,
|
||
commonName typically functions as an RDN attribute, for naming
|
||
instances of many classes (e.g., X.500's person class).
|
||
|
||
- A special attribute is provided for implementations that expect
|
||
to map between native CIM and LDAP representations of policy
|
||
information. This attribute, called orderedCimKeys, is defined
|
||
in the class dlm1ManagedElement [6]. The value of this
|
||
attribute is derived algorithmically from values that are
|
||
already present in a CIM policy instance. The normative
|
||
reference for this algorithm is contained in [6]. See the
|
||
appendix of this document for a description of the algorithm.
|
||
|
||
|
||
|
||
Strassner, et al. Standards Track [Page 10]
|
||
|
||
RFC 3703 Policy Core LDAP Schema February 2004
|
||
|
||
|
||
Since any of these naming attributes MAY be used for naming an
|
||
instance of a PCLS class, implementations MUST be able to accommodate
|
||
instances named in any of these ways.
|
||
|
||
Note that it is recommended that two or more of these attributes
|
||
SHOULD NOT be used together to form a multi-part RDN, since support
|
||
for multi-part RDNs is limited among existing directory
|
||
implementations.
|
||
|
||
4.4. Rule-Specific and Reusable Conditions and Actions
|
||
|
||
The PCIM [1] distinguishes between two types of policy conditions and
|
||
policy actions: those associated with a single policy rule, and
|
||
those that are reusable, in the sense that they may be associated
|
||
with more than one policy rule. While there is no inherent
|
||
functional difference between a rule-specific condition or action and
|
||
a reusable one, there is both a usage, as well as, an implementation
|
||
difference between them.
|
||
|
||
Defining a condition or action as reusable vs. rule-specific reflects
|
||
a conscious decision on the part of the administrator in defining how
|
||
they are used. In addition, there are variations that reflect
|
||
implementing rule-specific vs. reusable policy conditions and actions
|
||
and how they are treated in a policy repository. The major
|
||
implementation differences between a rule-specific and a reusable
|
||
condition or action are delineated below:
|
||
|
||
1. It is natural for a rule-specific condition or action to be
|
||
removed from the policy repository at the same time the rule is.
|
||
It is just the opposite for reusable conditions and actions.
|
||
This is because the condition or action is conceptually attached
|
||
to the rule in the rule-specific case, whereas it is referenced
|
||
(e.g., pointed at) in the reusable case. The persistence of a
|
||
pcimRepository instance is independent of the persistence of a
|
||
pcimRule instance.
|
||
2. Access permissions for a rule-specific condition or action are
|
||
usually identical to those for the rule itself. On the other
|
||
hand, access permissions of reusable conditions and actions must
|
||
be expressible without reference to a policy rule.
|
||
3. Rule-specific conditions and actions require fewer accesses,
|
||
because the conditions and actions are "attached" to the rule.
|
||
In contrast, reusable conditions and actions require more
|
||
accesses, because each condition or action that is reusable
|
||
requires a separate access.
|
||
4. Rule-specific conditions and actions are designed for use by a
|
||
single rule. As the number of rules that use the same
|
||
rule-specific condition increase, subtle problems are created
|
||
(the most obvious being how to keep the rule-specific conditions
|
||
|
||
|
||
|
||
Strassner, et al. Standards Track [Page 11]
|
||
|
||
RFC 3703 Policy Core LDAP Schema February 2004
|
||
|
||
|
||
and actions updated to reflect the same value). Reusable
|
||
conditions and actions lend themselves for use by multiple
|
||
independent rules.
|
||
5. Reusable conditions and actions offer an optimization when
|
||
multiple rules are using the same condition or action. This is
|
||
because the reusable condition or action only needs be updated
|
||
once, and by virtue of DN reference, the policy rules will be
|
||
automatically updated.
|
||
|
||
The preceding paragraph does not contain an exhaustive list of the
|
||
ways in which reusable and rule-specific conditions should be treated
|
||
differently. Its purpose is merely to justify making a semantic
|
||
distinction between rule-specific and reusable, and then reflecting
|
||
this distinction in the policy repository itself.
|
||
|
||
When the policy repository is realized in an LDAP-accessible
|
||
directory, the distinction between rule-specific and reusable
|
||
conditions and actions is realized via placement of auxiliary classes
|
||
and via DIT containment. Figure 4 illustrates a policy rule Rule1
|
||
with one rule-specific condition CA and one rule-specific action AB.
|
||
|
||
+-----+
|
||
|Rule1|
|
||
| |
|
||
+-----|- -|-----+
|
||
| +-----+ |
|
||
| * * |
|
||
| * * |
|
||
| **** **** |
|
||
| * * |
|
||
v * * v
|
||
+--------+ +--------+
|
||
| CA+ca | | AB+ab |
|
||
+--------+ +--------+
|
||
|
||
|
||
+------------------------------+
|
||
|LEGEND: |
|
||
| ***** DIT containment |
|
||
| + auxiliary attachment |
|
||
| ----> DN reference |
|
||
+------------------------------+
|
||
|
||
Figure 4 Rule-Specific Policy Conditions and Actions
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
Strassner, et al. Standards Track [Page 12]
|
||
|
||
RFC 3703 Policy Core LDAP Schema February 2004
|
||
|
||
|
||
Because the condition and action are specific to Rule1, the auxiliary
|
||
classes ca and ab that represent them are attached, respectively, to
|
||
the structural classes CA and AB. These structural classes represent
|
||
not the condition ca and action ab themselves, but rather the
|
||
associations between Rule1 and ca, and between Rule1 and ab.
|
||
|
||
As Figure 4 illustrates, Rule1 contains DN references to the
|
||
structural classes CA and AB that appear below it in the DIT. At
|
||
first glance it might appear that these DN references are
|
||
unnecessary, since a subtree search below Rule1 would find all of the
|
||
structural classes representing the associations between Rule1 and
|
||
its conditions and actions. Relying only on a subtree search,
|
||
though, runs the risk of missing conditions or actions that should
|
||
have appeared in the subtree, but for some reason did not, or of
|
||
finding conditions or actions that were inadvertently placed in the
|
||
subtree, or that should have been removed from the subtree, but for
|
||
some reason were not. Implementation experience has suggested that
|
||
many (but not all) of these risks are eliminated.
|
||
|
||
However, it must be noted that this comes at a price. The use of DN
|
||
references, as shown in Figure 4 above, thwarts inheritance of access
|
||
control information as well as existence dependency information. It
|
||
also is subject to referential integrity considerations. Therefore,
|
||
it is being included as an option for the designer.
|
||
|
||
Figure 5 illustrates a second way of representing rule-specific
|
||
conditions and actions in an LDAP-accessible directory: attachment of
|
||
the auxiliary classes directly to the instance representing the
|
||
policy rule. When all of the conditions and actions are attached to
|
||
a policy rule in this way, the rule is termed a "simple" policy rule.
|
||
When conditions and actions are not attached directly to a policy
|
||
rule, the rule is termed a "complex" policy rule.
|
||
|
||
+-----------+
|
||
|Rule1+ca+ab|
|
||
| |
|
||
+-----------+
|
||
|
||
+------------------------------+
|
||
|LEGEND: |
|
||
| + auxiliary attachment |
|
||
+------------------------------+
|
||
|
||
Figure 5. A Simple Policy Rule
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
Strassner, et al. Standards Track [Page 13]
|
||
|
||
RFC 3703 Policy Core LDAP Schema February 2004
|
||
|
||
|
||
The simple/complex distinction for a policy rule is not all or
|
||
nothing. A policy rule may have its conditions attached to itself
|
||
and its actions attached to other entries, or it may have its actions
|
||
attached to itself and its conditions attached to other entries.
|
||
However, it SHALL NOT have either its conditions or its actions
|
||
attached both to itself and to other entries, with one exception: a
|
||
policy rule may reference its validity periods with the
|
||
pcimRuleValidityPeriodList attribute, but have its other conditions
|
||
attached to itself.
|
||
|
||
The tradeoffs between simple and complex policy rules are between the
|
||
efficiency of simple rules and the flexibility and greater potential
|
||
for reuse of complex rules. With a simple policy rule, the semantic
|
||
options are limited:
|
||
|
||
- All conditions are ANDed together. This combination can be
|
||
represented in two ways in the Disjunctive Normal Form (DNF)/
|
||
Conjunctive Normal Form (CNF) (please see [1] for definitions of
|
||
these terms) expressions characteristic of policy conditions: as
|
||
a DNF expression with a single AND group, or as a CNF expression
|
||
with multiple single-condition OR groups. The first of these is
|
||
arbitrarily chosen as the representation for the ANDed conditions
|
||
in a simple policy rule.
|
||
|
||
- If multiple actions are included, no order can be specified for
|
||
them.
|
||
|
||
If a policy administrator needs to combine conditions in some other
|
||
way, or if there is a set of actions that must be ordered, then the
|
||
only option is to use a complex policy rule.
|
||
|
||
Finally, Figure 6 illustrates the same policy rule Rule1, but this
|
||
time its condition and action are reusable. The association classes
|
||
CA and AB are still present, and they are still DIT contained under
|
||
Rule1. But rather than having the auxiliary classes ca and ab
|
||
attached directly to the association classes CA and AB, each now
|
||
contains DN references to other entries to which these auxiliary
|
||
classes are attached. These other entries, CIA and AIB, are DIT
|
||
contained under RepositoryX, which is an instance of the class
|
||
pcimRepository. Because they are named under an instance of
|
||
pcimRepository, ca and ab are clearly identified as reusable.
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
Strassner, et al. Standards Track [Page 14]
|
||
|
||
RFC 3703 Policy Core LDAP Schema February 2004
|
||
|
||
|
||
+-----+ +-------------+
|
||
|Rule1| | RepositoryX |
|
||
+-|- -|--+ | |
|
||
| +-----+ | +-------------+
|
||
| * * | * *
|
||
| * * | * *
|
||
| *** **** | * *
|
||
| * * v * *
|
||
| * +---+ * *
|
||
| * |AB | +------+ *
|
||
v * | -|-------->|AIB+ab| *
|
||
+---+ +---+ +------+ *
|
||
|CA | +------+
|
||
| -|------------------------>|CIA+ca|
|
||
+---+ +------+
|
||
|
||
+------------------------------+
|
||
|LEGEND: |
|
||
| ***** DIT containment |
|
||
| + auxiliary attachment |
|
||
| ----> DN reference |
|
||
+------------------------------+
|
||
|
||
Figure 6. Reusable Policy Conditions and Actions
|
||
|
||
The classes pcimConditionAuxClass and pcimActionAuxClass do not
|
||
themselves represent actual conditions and actions: these are
|
||
introduced in their subclasses. What pcimConditionAuxClass and
|
||
pcimActionAuxClass do introduce are the semantics of being a policy
|
||
condition or a policy action. These are the semantics that all the
|
||
subclasses of pcimConditionAuxClass and pcimActionAuxClass inherit.
|
||
Among these semantics are those of representing either a
|
||
rule-specific or a reusable policy condition or policy action.
|
||
|
||
In order to preserve the ability to represent a rule-specific or a
|
||
reusable condition or action, as well as a simple policy rule, all
|
||
the subclasses of pcimConditionAuxClass and pcimActionAuxClass MUST
|
||
also be auxiliary classes.
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
Strassner, et al. Standards Track [Page 15]
|
||
|
||
RFC 3703 Policy Core LDAP Schema February 2004
|
||
|
||
|
||
4.5. Location and Retrieval of Policy Objects in the Directory
|
||
|
||
When a Policy Decision Point (PDP) goes to an LDAP directory to
|
||
retrieve the policy object instances relevant to the Policy
|
||
Enforcement Points (PEPs) it serves, it is faced with two related
|
||
problems:
|
||
|
||
- How does it locate and retrieve the directory entries that apply
|
||
to its PEPs? These entries may include instances of the PCLS
|
||
classes, instances of domain-specific subclasses of these
|
||
classes, and instances of other classes modeling such resources
|
||
as user groups, interfaces, and address ranges.
|
||
|
||
- How does it retrieve the directory entries it needs in an
|
||
efficient manner, so that retrieval of policy information from
|
||
the directory does not become a roadblock to scalability? There
|
||
are two facets to this efficiency: retrieving only the relevant
|
||
directory entries, and retrieving these entries using as few LDAP
|
||
calls as possible.
|
||
|
||
The placement of objects in the Directory Information Tree (DIT)
|
||
involves considerations other than how the policy-related objects
|
||
will be retrieved by a PDP. Consequently, all that the PCLS can do
|
||
is to provide a "toolkit" of classes to assist the policy
|
||
administrator as the DIT is being designed and built. A PDP SHOULD
|
||
be able to take advantage of any tools that the policy administrator
|
||
is able to build into the DIT, but it MUST be able to use a less
|
||
efficient means of retrieval if that is all it has available to it.
|
||
|
||
The basic idea behind the LDAP optimization classes is a simple one:
|
||
make it possible for a PDP to retrieve all the policy-related objects
|
||
it needs, and only those objects, using as few LDAP calls as
|
||
possible. An important assumption underlying this approach is that
|
||
the policy administrator has sufficient control over the underlying
|
||
DIT structure to define subtrees for storing policy information. If
|
||
the policy administrator does not have this level of control over DIT
|
||
structure, a PDP can still retrieve the policy-related objects it
|
||
needs individually. But it will require more LDAP access operations
|
||
to do the retrieval in this way. Figure 7 illustrates how LDAP
|
||
optimization is accomplished.
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
Strassner, et al. Standards Track [Page 16]
|
||
|
||
RFC 3703 Policy Core LDAP Schema February 2004
|
||
|
||
|
||
+-----+
|
||
---------------->| A |
|
||
DN reference to | | DN references to subtrees +---+
|
||
starting object +-----+ +-------------------------->| C |
|
||
| o--+----+ +---+ +---+
|
||
| o--+------------->| B | / \
|
||
+-----+ +---+ / \
|
||
/ \ / \ / ... \
|
||
/ \ / \
|
||
/ \ / ... \
|
||
|
||
Figure 7. Using the pcimSubtreesPtrAuxClass to Locate Policies
|
||
|
||
The PDP is configured initially with a DN reference to some entry in
|
||
the DIT. The structural class of this entry is not important; the
|
||
PDP is interested only in the pcimSubtreesPtrAuxClass attached to it.
|
||
This auxiliary class contains a multi-valued attribute with DN
|
||
references to objects that anchor subtrees containing policy-related
|
||
objects of interest to the PDP. Since pcimSubtreesPtrAuxClass is an
|
||
auxiliary class, it can be attached to an entry that the PDP would
|
||
need to access anyway - perhaps an entry containing initial
|
||
configuration settings for the PDP, or for a PEP that uses the PDP.
|
||
|
||
Once it has retrieved the DN references, the PDP will direct to each
|
||
of the objects identified by them an LDAP request that all entries in
|
||
its subtree be evaluated against the selection criteria specified in
|
||
the request. The LDAP-enabled directory then returns all entries in
|
||
that subtree that satisfy the specified criteria.
|
||
|
||
The selection criteria always specify that object class="pcimPolicy".
|
||
Since all classes representing policy rules, policy conditions, and
|
||
policy actions, both in the PCLS and in any domain-specific schema
|
||
derived from it, are subclasses of the abstract class policy, this
|
||
criterion evaluates to TRUE for all instances of these classes. To
|
||
accommodate special cases where a PDP needs to retrieve objects that
|
||
are not inherently policy-related (for example, an IP address range
|
||
object referenced by a subclass of pcimActionAuxClass representing
|
||
the DHCP action "assign from this address range"), the auxiliary
|
||
class pcimElementAuxClass can be used to "tag" an entry, so that it
|
||
will be found by the selection criterion "object class=pcimPolicy".
|
||
|
||
The approach described in the preceding paragraph will not work for
|
||
certain directory implementations, because these implementations do
|
||
not support matching of auxiliary classes in the objectClass
|
||
attribute. For environments where these implementations are expected
|
||
to be present, the "tagging" of entries as relevant to policy can be
|
||
|
||
|
||
|
||
|
||
|
||
Strassner, et al. Standards Track [Page 17]
|
||
|
||
RFC 3703 Policy Core LDAP Schema February 2004
|
||
|
||
|
||
accomplished by inserting the special value "POLICY" into the list of
|
||
values contained in the pcimKeywords attribute (provided by the
|
||
pcimPolicy class).
|
||
|
||
If a PDP needs only a subset of the policy-related objects in the
|
||
indicated subtrees, then it can be configured with additional
|
||
selection criteria based on the pcimKeywords attribute defined in the
|
||
pcimPolicy class. This attribute supports both standardized and
|
||
administrator- defined values. For example, a PDP could be
|
||
configured to request only those policy-related objects containing
|
||
the keywords "DHCP" and "Eastern US".
|
||
|
||
To optimize what is expected to be a typical case, the initial
|
||
request from the client includes not only the object to which its
|
||
"seed" DN references, but also the subtree contained under this
|
||
object. The filter for searching this subtree is whatever the client
|
||
is going to use later to search the other subtrees: object
|
||
class="pcimPolicy" or the presence of the keyword "POLICY", and/or
|
||
presence of a more specific value of pcimKeywords (e.g., "QoS Edge
|
||
Policy").
|
||
|
||
Returning to the example in Figure 7, we see that in the best case, a
|
||
PDP can get all the policy-related objects it needs, and only those
|
||
objects, with exactly three LDAP requests: one to its starting
|
||
object A to get the references to B and C, as well as the
|
||
policy-related objects it needs from the subtree under A, and then
|
||
one each to B and C to get all the policy-related objects that pass
|
||
the selection criteria with which it was configured. Once it has
|
||
retrieved all of these objects, the PDP can then traverse their
|
||
various DN references locally to understand the semantic
|
||
relationships among them. The PDP should also be prepared to find a
|
||
reference to another subtree attached to any of the objects it
|
||
retrieves, and to follow this reference first, before it follows any
|
||
of the semantically significant references it has received. This
|
||
recursion permits a structured approach to identifying related
|
||
policies. In Figure 7, for example, if the subtree under B includes
|
||
departmental policies and the one under C includes divisional
|
||
policies, then there might be a reference from the subtree under C to
|
||
an object D that roots the subtree of corporate-level policies.
|
||
|
||
A PDP SHOULD understand the pcimSubtreesPtrAuxClass class, SHOULD be
|
||
capable of retrieving and processing the entries in the subtrees it
|
||
references, and SHOULD be capable of doing all of this recursively.
|
||
The same requirements apply to any other entity needing to retrieve
|
||
policy information from the directory. Thus, a Policy Management
|
||
Tool that retrieves policy entries from the directory in order to
|
||
perform validation and conflict detection SHOULD also understand and
|
||
be capable of using the pcimSubtreesPtrAuxClass. All of these
|
||
|
||
|
||
|
||
Strassner, et al. Standards Track [Page 18]
|
||
|
||
RFC 3703 Policy Core LDAP Schema February 2004
|
||
|
||
|
||
requirements are "SHOULD"s rather than "MUST"s because an LDAP client
|
||
that doesn't implement them can still access and retrieve the
|
||
directory entries it needs. The process of doing so will just be
|
||
less efficient than it would have been if the client had implemented
|
||
these optimizations.
|
||
|
||
When it is serving as a tool for creating policy entries in the
|
||
directory, a Policy Management Tool SHOULD support creation of
|
||
pcimSubtreesPtrAuxClass entries and their references to object
|
||
instances.
|
||
|
||
4.5.1. Aliases and Other DIT-Optimization Techniques
|
||
|
||
Additional flexibility in DIT structure is available to the policy
|
||
administrator via LDAP aliasing and other techniques. Previous
|
||
versions of this document have used aliases. However, because
|
||
aliases are experimental, the use of aliases has been removed from
|
||
this version of this document. This is because the IETF has yet to
|
||
produce a specification on how aliases are represented in the
|
||
directory or how server implementations are to process aliases.
|
||
|
||
5. Class Definitions
|
||
|
||
The semantics for the policy information classes that are to be
|
||
mapped directly from the information model to an LDAP representation
|
||
are detailed in [1]. Consequently, all that this document presents
|
||
for these classes is the specification for how to do the mapping from
|
||
the information model (which is independent of repository type and
|
||
access protocol) to a form that can be accessed using LDAP. Remember
|
||
that some new classes needed to be created (that were not part of
|
||
[1]) to implement the LDAP mapping. These new LDAP-only classes are
|
||
fully documented in this document.
|
||
|
||
The formal language for specifying the classes, attributes, and DIT
|
||
structure and content rules is that defined in reference [3]. If
|
||
your implementation does not support auxiliary class inheritance, you
|
||
will have to list auxiliary classes in content rules explicitly or
|
||
define them in another (implementation-specific) way.
|
||
|
||
The following notes apply to this section in its entirety.
|
||
|
||
Note 1: in the following definitions, the class and attribute
|
||
definitions follow RFC 2252 [3] but they are line-wrapped to enhance
|
||
human readability.
|
||
|
||
Note 2: where applicable, the possibilities for specifying DIT
|
||
structure and content rules are noted. However, care must be taken
|
||
in specifying DIT structure rules. This is because X.501 [4] states
|
||
|
||
|
||
|
||
Strassner, et al. Standards Track [Page 19]
|
||
|
||
RFC 3703 Policy Core LDAP Schema February 2004
|
||
|
||
|
||
that an entry may only exist in the DIT as a subordinate to another
|
||
superior entry (the superior) if a DIT structure rule exists in the
|
||
governing subschema which:
|
||
|
||
1) indicates a name form for the structural object class of the
|
||
subordinate entry, and
|
||
2) either includes the entry's superior structure rule as a possible
|
||
superior structure rule, or
|
||
3) does not specify a superior structure rule.
|
||
|
||
If this last case (3) applies, then the entry is defined to be a
|
||
subschema administrative point. This is not what is desired.
|
||
Therefore, care must be taken in defining structure rules, and in
|
||
particular, they must be locally augmented.
|
||
|
||
Note 3: Wherever possible, both an equality and a substring matching
|
||
rule are defined for a particular attribute (as well as an ordering
|
||
match rule to enable sorting of matching results). This provides two
|
||
different choices for the developer for maximum flexibility.
|
||
|
||
For example, consider the pcimRoles attribute (section 5.3). Suppose
|
||
that a PEP has reported that it is interested in pcimRules for three
|
||
roles R1, R2, and R3. If the goal is to minimize queries, then the
|
||
PDP can supply three substring filters containing the three role
|
||
names.
|
||
|
||
These queries will return all of the pcimRules that apply to the PEP,
|
||
but they may also get some that do not apply (e.g., ones that contain
|
||
one of the roles R1, R2, or R3 and one or more other roles present in
|
||
a role-combination [1]).
|
||
|
||
Another strategy would be for the PDP to use only equality filters.
|
||
This approach eliminates the extraneous replies, but it requires the
|
||
PDP to explicitly build the desired role-combinations itself. It
|
||
also requires extra queries. Note that this approach is practical
|
||
only because the role names in a role combination are required to
|
||
appear in alphabetical order.
|
||
|
||
Note 4: in the following definitions, note that all LDAP matching
|
||
rules are defined in [3] and in [9]. The corresponding X.500
|
||
matching rules are defined in [8].
|
||
|
||
Note 5: some of the following attribute definitions specify
|
||
additional constraints on various data types (e.g., this integer has
|
||
values that are valid from 1..10). Text has been added to instruct
|
||
servers and applications what to do if a value outside of this range
|
||
|
||
|
||
|
||
|
||
|
||
Strassner, et al. Standards Track [Page 20]
|
||
|
||
RFC 3703 Policy Core LDAP Schema February 2004
|
||
|
||
|
||
is encountered. In all cases, if a constraint is violated, then the
|
||
policy rule SHOULD be treated as being disabled, meaning that
|
||
execution of the policy rule SHOULD be stopped.
|
||
|
||
5.1. The Abstract Class pcimPolicy
|
||
|
||
The abstract class pcimPolicy is a direct mapping of the abstract
|
||
class Policy from the PCIM. The class value "pcimPolicy" is also
|
||
used as the mechanism for identifying policy-related instances in the
|
||
Directory Information Tree. An instance of any class may be "tagged"
|
||
with this class value by attaching to it the auxiliary class
|
||
pcimElementAuxClass. Since pcimPolicy is derived from the class
|
||
dlm1ManagedElement defined in reference [6], this specification has a
|
||
normative dependency on that element of reference [6].
|
||
|
||
The class definition is as follows:
|
||
|
||
( 1.3.6.1.1.6.1.1 NAME 'pcimPolicy'
|
||
DESC 'An abstract class that is the base class for all classes
|
||
that describe policy-related instances.'
|
||
SUP dlm1ManagedElement
|
||
ABSTRACT
|
||
MAY ( cn $ dlmCaption $ dlmDescription $ orderedCimKeys $
|
||
pcimKeywords )
|
||
)
|
||
|
||
The attribute cn is defined in RFC 2256 [7]. The dlmCaption,
|
||
dlmDescription, and orderedCimKeys attributes are defined in [6].
|
||
|
||
The pcimKeywords attribute is a multi-valued attribute that contains
|
||
a set of keywords to assist directory clients in locating the policy
|
||
objects identified by these keywords. It is defined as follows:
|
||
|
||
( 1.3.6.1.1.6.2.3 NAME 'pcimKeywords'
|
||
DESC 'A set of keywords to assist directory clients in
|
||
locating the policy objects applicable to them.'
|
||
EQUALITY caseIgnoreMatch
|
||
ORDERING caseIgnoreOrderingMatch
|
||
SUBSTR caseIgnoreSubstringsMatch
|
||
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
|
||
)
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
Strassner, et al. Standards Track [Page 21]
|
||
|
||
RFC 3703 Policy Core LDAP Schema February 2004
|
||
|
||
|
||
5.2. The Three Policy Group Classes
|
||
|
||
PCIM [1] defines the PolicyGroup class to serve as a generalized
|
||
aggregation mechanism, enabling PolicyRules and/or PolicyGroups to be
|
||
aggregated together. PCLS maps this class into three LDAP classes,
|
||
called pcimGroup, pcimGroupAuxClass, and pcimGroupInstance. This is
|
||
done in order to provide maximum flexibility for the DIT designer.
|
||
|
||
The class definitions for the three policy group classes are listed
|
||
below. These class definitions do not include attributes to realize
|
||
the PolicyRuleInPolicyGroup and PolicyGroupInPolicyGroup associations
|
||
from the PCIM. This is because a pcimGroup object refers to
|
||
instances of pcimGroup and pcimRule via, respectively, the attribute
|
||
pcimGroupsAuxContainedSet in the pcimGroupContainmentAuxClass object
|
||
class and the attribute pcimRulesAuxContainedSet in the
|
||
pcimRuleContainmentAuxClass object class.
|
||
|
||
To maximize flexibility, the pcimGroup class is defined as abstract.
|
||
The subclass pcimGroupAuxClass provides for auxiliary attachment to
|
||
another entry, while the structural subclass pcimGroupInstance is
|
||
available to represent a policy group as a standalone entry.
|
||
|
||
The class definitions are as follows. First, the definition of the
|
||
abstract class pcimGroup:
|
||
|
||
( 1.3.6.1.1.6.1.2 NAME 'pcimGroup'
|
||
DESC 'A container for a set of related pcimRules and/or
|
||
a set of related pcimGroups.'
|
||
SUP pcimPolicy
|
||
ABSTRACT
|
||
MAY ( pcimGroupName )
|
||
)
|
||
|
||
The one attribute of pcimGroup is pcimGroupName. This attribute is
|
||
used to define a user-friendly name of this policy group, and may be
|
||
used as a naming attribute if desired. It is defined as follows:
|
||
|
||
( 1.3.6.1.1.6.2.4 NAME 'pcimGroupName'
|
||
DESC 'The user-friendly name of this policy group.'
|
||
EQUALITY caseIgnoreMatch
|
||
ORDERING caseIgnoreOrderingMatch
|
||
SUBSTR caseIgnoreSubstringsMatch
|
||
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
|
||
SINGLE-VALUE
|
||
)
|
||
|
||
|
||
|
||
|
||
|
||
|
||
Strassner, et al. Standards Track [Page 22]
|
||
|
||
RFC 3703 Policy Core LDAP Schema February 2004
|
||
|
||
|
||
The two subclasses of pcimGroup are defined as follows. The class
|
||
pcimGroupAuxClass is an auxiliary class that can be used to collect a
|
||
set of related pcimRule and/or pcimGroup classes. It is defined as
|
||
follows:
|
||
|
||
( 1.3.6.1.1.6.1.3 NAME 'pcimGroupAuxClass'
|
||
DESC 'An auxiliary class that collects a set of related
|
||
pcimRule and/or pcimGroup entries.'
|
||
SUP pcimGroup
|
||
AUXILIARY
|
||
)
|
||
|
||
The class pcimGroupInstance is a structural class that can be used to
|
||
collect a set of related pcimRule and/or pcimGroup classes. It is
|
||
defined as follows:
|
||
|
||
( 1.3.6.1.1.6.1.4 NAME 'pcimGroupInstance'
|
||
DESC 'A structural class that collects a set of related
|
||
pcimRule and/or pcimGroup entries.'
|
||
SUP pcimGroup
|
||
STRUCTURAL
|
||
)
|
||
|
||
A DIT content rule could be written to enable an instance of
|
||
pcimGroupInstance to have attached to it either references to one or
|
||
more policy groups (using pcimGroupContainmentAuxClass) or references
|
||
to one or more policy rules (using pcimRuleContainmentAuxClass).
|
||
This would be used to formalize the semantics of the PolicyGroup
|
||
class [1]. Since these semantics do not include specifying any
|
||
properties of the PolicyGroup class, the content rule would not need
|
||
to specify any attributes.
|
||
|
||
Similarly, three separate DIT structure rules could be written, each
|
||
of which would refer to a specific name form that identified one of
|
||
the three possible naming attributes (i.e., pcimGroupName, cn, and
|
||
orderedCIMKeys) for the pcimGroup object class. This structure rule
|
||
SHOULD include a superiorStructureRule (see Note 2 at the beginning
|
||
of section 5). The three name forms referenced by the three
|
||
structure rules would each define one of the three naming attributes.
|
||
|
||
5.3. The Three Policy Rule Classes
|
||
|
||
The information model defines a PolicyRule class to represent the "If
|
||
Condition then Action" semantics associated with processing policy
|
||
information. For maximum flexibility, the PCLS maps this class into
|
||
three LDAP classes.
|
||
|
||
|
||
|
||
|
||
|
||
Strassner, et al. Standards Track [Page 23]
|
||
|
||
RFC 3703 Policy Core LDAP Schema February 2004
|
||
|
||
|
||
To maximize flexibility, the pcimRule class is defined as abstract.
|
||
The subclass pcimRuleAuxClass provides for auxiliary attachment to
|
||
another entry, while the structural subclass pcimRuleInstance is
|
||
available to represent a policy rule as a standalone entry.
|
||
|
||
The conditions and actions associated with a policy rule are modeled,
|
||
respectively, with auxiliary subclasses of the auxiliary classes
|
||
pcimConditionAuxClass and pcimActionAuxClass. Each of these
|
||
auxiliary subclasses is attached to an instance of one of three
|
||
structural classes. A subclass of pcimConditionAuxClass is attached
|
||
to an instance of pcimRuleInstance, to an instance of
|
||
pcimRuleConditionAssociation, or to an instance of
|
||
pcimPolicyInstance. Similarly, a subclass of pcimActionAuxClass is
|
||
attached to an instance of pcimRuleInstance, to an instance of
|
||
pcimRuleActionAssociation, or to an instance of pcimPolicyInstance.
|
||
|
||
The pcimRuleValidityPeriodList attribute (defined below) realizes the
|
||
PolicyRuleValidityPeriod association defined in the PCIM. Since this
|
||
association has no additional properties besides those that tie the
|
||
association to its associated objects, this association can be
|
||
realized by simply using an attribute. Thus, the
|
||
pcimRuleValidityPeriodList attribute is simply a multi-valued
|
||
attribute that provides an unordered set of DN references to one or
|
||
more instances of the pcimTPCAuxClass, indicating when the policy
|
||
rule is scheduled to be active and when it is scheduled to be
|
||
inactive. A policy rule is scheduled to be active if it is active
|
||
according to AT LEAST ONE of the pcimTPCAuxClass instances referenced
|
||
by this attribute.
|
||
|
||
The PolicyConditionInPolicyRule and PolicyActionInPolicyRule
|
||
associations, however, do have additional attributes. The
|
||
association PolicyActionInPolicyRule defines an integer attribute to
|
||
sequence the actions, and the association PolicyConditionInPolicyRule
|
||
has both an integer attribute to group the condition terms as well as
|
||
a Boolean property to specify whether a condition is to be negated.
|
||
|
||
In the PCLS, these additional association attributes are represented
|
||
as attributes of two classes introduced specifically to model these
|
||
associations. These classes are the pcimRuleConditionAssociation
|
||
class and the pcimRuleActionAssociation class, which are defined in
|
||
Sections 5.4 and 5.5, respectively. Thus, they do not appear as
|
||
attributes of the class pcimRule. Instead, the pcimRuleConditionList
|
||
and pcimRuleActionList attributes can be used to reference these
|
||
classes.
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
Strassner, et al. Standards Track [Page 24]
|
||
|
||
RFC 3703 Policy Core LDAP Schema February 2004
|
||
|
||
|
||
The class definitions for the three pcimRule classes are as follows.
|
||
|
||
The abstract class pcimRule is a base class for representing the "If
|
||
Condition then Action" semantics associated with a policy rule. It
|
||
is defined as follows:
|
||
|
||
( 1.3.6.1.1.6.1.5 NAME 'pcimRule'
|
||
DESC 'The base class for representing the "If Condition
|
||
then Action" semantics associated with a policy rule.'
|
||
SUP pcimPolicy
|
||
ABSTRACT
|
||
MAY ( pcimRuleName $ pcimRuleEnabled $
|
||
pcimRuleConditionListType $ pcimRuleConditionList $
|
||
pcimRuleActionList $ pcimRuleValidityPeriodList $
|
||
pcimRuleUsage $ pcimRulePriority $
|
||
pcimRuleMandatory $ pcimRuleSequencedActions $
|
||
pcimRoles )
|
||
)
|
||
|
||
The PCIM [1] defines seven properties for the PolicyRule class. The
|
||
PCLS defines eleven attributes for the pcimRule class, which is the
|
||
LDAP equivalent of the PolicyRule class. Of these eleven attributes,
|
||
seven are mapped directly from corresponding properties in PCIM's
|
||
PolicyRule class. The remaining four attributes are a class-specific
|
||
optional naming attribute, and three attributes used to realize the
|
||
three associations that the pcimRule class participates in.
|
||
|
||
The pcimRuleName attribute is used as a user-friendly name of this
|
||
policy rule, and can also serve as the class-specific optional naming
|
||
attribute. It is defined as follows:
|
||
|
||
( 1.3.6.1.1.6.2.5 NAME 'pcimRuleName'
|
||
DESC 'The user-friendly name of this policy rule.'
|
||
EQUALITY caseIgnoreMatch
|
||
ORDERING caseIgnoreOrderingMatch
|
||
SUBSTR caseIgnoreSubstringsMatch
|
||
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
|
||
SINGLE-VALUE
|
||
)
|
||
|
||
The pcimRuleEnabled attribute is an integer enumeration indicating
|
||
whether a policy rule is administratively enabled (value=1),
|
||
administratively disabled (value=2), or enabled for debug (value=3).
|
||
It is defined as follows:
|
||
|
||
( 1.3.6.1.1.6.2.6 NAME 'pcimRuleEnabled'
|
||
DESC 'An integer indicating whether a policy rule is
|
||
administratively enabled (value=1), disabled
|
||
|
||
|
||
|
||
Strassner, et al. Standards Track [Page 25]
|
||
|
||
RFC 3703 Policy Core LDAP Schema February 2004
|
||
|
||
|
||
(value=2), or enabled for debug (value=3).'
|
||
EQUALITY integerMatch
|
||
ORDERING integerOrderingMatch
|
||
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
|
||
SINGLE-VALUE
|
||
)
|
||
|
||
Note: All other values for the pcimRuleEnabled attribute are
|
||
considered errors, and the administrator SHOULD treat this rule as
|
||
being disabled if an invalid value is found.
|
||
|
||
The pcimRuleConditionListType attribute is used to indicate whether
|
||
the list of policy conditions associated with this policy rule is in
|
||
disjunctive normal form (DNF, value=1) or conjunctive normal form
|
||
(CNF, value=2). It is defined as follows:
|
||
|
||
( 1.3.6.1.1.6.2.7 NAME 'pcimRuleConditionListType'
|
||
DESC 'A value of 1 means that this policy rule is in
|
||
disjunctive normal form; a value of 2 means that this
|
||
policy rule is in conjunctive normal form.'
|
||
EQUALITY integerMatch
|
||
ORDERING integerOrderingMatch
|
||
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
|
||
SINGLE-VALUE
|
||
)
|
||
|
||
Note: any value other than 1 or 2 for the pcimRuleConditionListType
|
||
attribute is considered an error. Administrators SHOULD treat this
|
||
rule as being disabled if an invalid value is found, since it is
|
||
unclear how to structure the condition list.
|
||
|
||
The pcimRuleConditionList attribute is a multi-valued attribute that
|
||
is used to realize the policyRuleInPolicyCondition association
|
||
defined in [1]. It contains a set of DNs of
|
||
pcimRuleConditionAssociation entries representing associations
|
||
between this policy rule and its conditions. No order is implied.
|
||
It is defined as follows:
|
||
|
||
( 1.3.6.1.1.6.2.8 NAME 'pcimRuleConditionList'
|
||
DESC 'Unordered set of DNs of pcimRuleConditionAssociation
|
||
entries representing associations between this policy
|
||
rule and its conditions.'
|
||
EQUALITY distinguishedNameMatch
|
||
SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
|
||
)
|
||
|
||
|
||
|
||
|
||
|
||
|
||
Strassner, et al. Standards Track [Page 26]
|
||
|
||
RFC 3703 Policy Core LDAP Schema February 2004
|
||
|
||
|
||
The pcimRuleActionList attribute is a multi-valued attribute that is
|
||
used to realize the policyRuleInPolicyAction association defined in
|
||
[1]. It contains a set of DNs of pcimRuleActionAssociation entries
|
||
representing associations between this policy rule and its actions.
|
||
No order is implied. It is defined as follows:
|
||
|
||
( 1.3.6.1.1.6.2.9 NAME 'pcimRuleActionList'
|
||
DESC 'Unordered set of DNs of pcimRuleActionAssociation
|
||
entries representing associations between this policy
|
||
rule and its actions.'
|
||
EQUALITY distinguishedNameMatch
|
||
SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
|
||
)
|
||
|
||
The pcimRuleValidityPeriodList attribute is a multi-valued attribute
|
||
that is used to realize the pcimRuleValidityPeriod association that
|
||
is defined in [1]. It contains a set of DNs of
|
||
pcimRuleValidityAssociation entries that determine when the pcimRule
|
||
is scheduled to be active or inactive. No order is implied. It is
|
||
defined as follows:
|
||
|
||
( 1.3.6.1.1.6.2.10 NAME 'pcimRuleValidityPeriodList'
|
||
DESC 'Unordered set of DNs of pcimRuleValidityAssociation
|
||
entries that determine when the pcimRule is scheduled
|
||
to be active or inactive.'
|
||
EQUALITY distinguishedNameMatch
|
||
SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
|
||
)
|
||
|
||
The pcimRuleUsage attribute is a free-form string providing
|
||
guidelines on how this policy should be used. It is defined as
|
||
follows:
|
||
|
||
( 1.3.6.1.1.6.2.11 NAME 'pcimRuleUsage'
|
||
DESC 'This attribute is a free-form sting providing
|
||
guidelines on how this policy should be used.'
|
||
EQUALITY caseIgnoreMatch
|
||
ORDERING caseIgnoreOrderingMatch
|
||
SUBSTR caseIgnoreSubstringsMatch
|
||
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
|
||
SINGLE-VALUE
|
||
)
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
Strassner, et al. Standards Track [Page 27]
|
||
|
||
RFC 3703 Policy Core LDAP Schema February 2004
|
||
|
||
|
||
The pcimRulePriority attribute is a non-negative integer that is used
|
||
to prioritize this pcimRule relative to other pcimRules. A larger
|
||
value indicates a higher priority. It is defined as follows:
|
||
|
||
( 1.3.6.1.1.6.2.12 NAME 'pcimRulePriority'
|
||
DESC 'A non-negative integer for prioritizing this
|
||
pcimRule relative to other pcimRules. A larger
|
||
value indicates a higher priority.'
|
||
EQUALITY integerMatch
|
||
ORDERING integerOrderingMatch
|
||
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
|
||
SINGLE-VALUE
|
||
)
|
||
|
||
Note: if the value of the pcimRulePriority field is 0, then it SHOULD
|
||
be treated as "don't care". On the other hand, if the value is
|
||
negative, then it SHOULD be treated as an error and Administrators
|
||
SHOULD treat this rule as being disabled.
|
||
|
||
The pcimRuleMandatory attribute is a Boolean attribute that, if TRUE,
|
||
indicates that for this policy rule, the evaluation of its conditions
|
||
and execution of its actions (if the condition is satisfied) is
|
||
required. If it is FALSE, then the evaluation of its conditions and
|
||
execution of its actions (if the condition is satisfied) is not
|
||
required. This attribute is defined as follows:
|
||
|
||
( 1.3.6.1.1.6.2.13 NAME 'pcimRuleMandatory'
|
||
DESC 'If TRUE, indicates that for this policy rule, the
|
||
evaluation of its conditions and execution of its
|
||
actions (if the condition is satisfied) is required.'
|
||
EQUALITY booleanMatch
|
||
SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
|
||
SINGLE-VALUE
|
||
)
|
||
|
||
The pcimRuleSequencedActions attribute is an integer enumeration that
|
||
is used to indicate that the ordering of actions defined by the
|
||
pcimActionOrder attribute is either mandatory(value=1),
|
||
recommended(value=2), or dontCare(value=3). It is defined as
|
||
follows:
|
||
|
||
( 1.3.6.1.1.6.2.14 NAME 'pcimRuleSequencedActions'
|
||
DESC 'An integer enumeration indicating that the ordering of
|
||
actions defined by the pcimActionOrder attribute is
|
||
mandatory(1), recommended(2), or dontCare(3).'
|
||
EQUALITY integerMatch
|
||
ORDERING integerOrderingMatch
|
||
|
||
|
||
|
||
|
||
Strassner, et al. Standards Track [Page 28]
|
||
|
||
RFC 3703 Policy Core LDAP Schema February 2004
|
||
|
||
|
||
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
|
||
SINGLE-VALUE
|
||
)
|
||
|
||
Note: if the value of pcimRulesSequencedActions field is not one of
|
||
these three values, then Administrators SHOULD treat this rule as
|
||
being disabled.
|
||
|
||
The pcimRoles attribute represents the policyRoles property of [1].
|
||
Each value of this attribute represents a role-combination, which is
|
||
a string of the form:
|
||
<RoleName>[&&<RoleName>]* where the individual role names appear
|
||
in alphabetical order according to the collating sequence for UCS-2.
|
||
This attribute is defined as follows:
|
||
|
||
( 1.3.6.1.1.6.2.15 NAME 'pcimRoles'
|
||
DESC 'Each value of this attribute represents a role-
|
||
combination.'
|
||
EQUALITY caseIgnoreMatch
|
||
ORDERING caseIgnoreOrderingMatch
|
||
SUBSTR caseIgnoreSubstringsMatch
|
||
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
|
||
)
|
||
|
||
Note: if the value of the pcimRoles attribute does not conform to the
|
||
format "<RoleName>[&&<RoleName>]*" (see Section 6.3.7 of [1]), then
|
||
this attribute is malformed and its policy rule SHOULD be treated as
|
||
being disabled.
|
||
|
||
The two subclasses of the pcimRule class are defined as follows.
|
||
First, the pcimRuleAuxClass is an auxiliary class for representing
|
||
the "If Condition then Action" semantics associated with a policy
|
||
rule. Its class definition is as follows:
|
||
|
||
( 1.3.6.1.1.6.1.6 NAME 'pcimRuleAuxClass'
|
||
DESC 'An auxiliary class for representing the "If Condition
|
||
then Action" semantics associated with a policy rule.'
|
||
SUP pcimRule
|
||
AUXILIARY
|
||
)
|
||
|
||
The pcimRuleInstance is a structural class for representing the "If
|
||
Condition then Action" semantics associated with a policy rule. Its
|
||
class definition is as follows:
|
||
|
||
( 1.3.6.1.1.6.1.7 NAME 'pcimRuleInstance'
|
||
DESC 'A structural class for representing the "If Condition
|
||
then Action" semantics associated with a policy rule.'
|
||
|
||
|
||
|
||
Strassner, et al. Standards Track [Page 29]
|
||
|
||
RFC 3703 Policy Core LDAP Schema February 2004
|
||
|
||
|
||
SUP pcimRule
|
||
STRUCTURAL
|
||
)
|
||
|
||
A DIT content rule could be written to enable an instance of
|
||
pcimRuleInstance to have attached to it either references to one or
|
||
more policy conditions (using pcimConditionAuxClass) or references to
|
||
one or more policy actions (using pcimActionAuxClass). This would be
|
||
used to formalize the semantics of the PolicyRule class [1]. Since
|
||
these semantics do not include specifying any properties of the
|
||
PolicyRule class, the content rule would not need to specify any
|
||
attributes.
|
||
|
||
Similarly, three separate DIT structure rules could be written, each
|
||
of which would refer to a specific name form that identified one of
|
||
its three possible naming attributes (i.e., pcimRuleName, cn, and
|
||
orderedCIMKeys). This structure rule SHOULD include a
|
||
superiorStructureRule (see Note 2 at the beginning of section 5).
|
||
The three name forms referenced by the three structure rules would
|
||
each define one of the three naming attributes.
|
||
|
||
5.4. The Class pcimRuleConditionAssociation
|
||
|
||
This class contains attributes to represent the properties of the
|
||
PCIM's PolicyConditionInPolicyRule association. Instances of this
|
||
class are related to an instance of pcimRule via DIT containment.
|
||
The policy conditions themselves are represented by auxiliary
|
||
subclasses of the auxiliary class pcimConditionAuxClass. These
|
||
auxiliary classes are attached directly to instances of
|
||
pcimRuleConditionAssociation for rule-specific policy conditions.
|
||
For a reusable policy condition, the policyCondition auxiliary
|
||
subclass is attached to an instance of the class pcimPolicyInstance
|
||
(which is presumably associated with a pcimRepository by DIT
|
||
containment), and the policyConditionDN attribute (of this class) is
|
||
used to reference the reusable policyCondition instance.
|
||
|
||
The class definition is as follows:
|
||
|
||
( 1.3.6.1.1.6.1.8 NAME 'pcimRuleConditionAssociation'
|
||
DESC 'This class contains attributes characterizing the
|
||
relationship between a policy rule and one of its
|
||
policy conditions.'
|
||
SUP pcimPolicy
|
||
MUST ( pcimConditionGroupNumber $ pcimConditionNegated )
|
||
MAY ( pcimConditionName $ pcimConditionDN )
|
||
)
|
||
|
||
|
||
|
||
|
||
|
||
Strassner, et al. Standards Track [Page 30]
|
||
|
||
RFC 3703 Policy Core LDAP Schema February 2004
|
||
|
||
|
||
The attributes of this class are defined as follows.
|
||
|
||
The pcimConditionGroupNumber attribute is a non-negative integer. It
|
||
is used to identify the group to which the condition referenced by
|
||
this association is assigned. This attribute is defined as follows:
|
||
|
||
( 1.3.6.1.1.6.2.16
|
||
NAME 'pcimConditionGroupNumber'
|
||
DESC 'The number of the group to which a policy condition
|
||
belongs. This is used to form the DNF or CNF
|
||
expression associated with a policy rule.'
|
||
EQUALITY integerMatch
|
||
ORDERING integerOrderingMatch
|
||
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
|
||
SINGLE-VALUE
|
||
)
|
||
|
||
Note that this number is non-negative. A negative value for this
|
||
attribute is invalid, and any policy rule that refers to an invalid
|
||
entry SHOULD be treated as being disabled.
|
||
|
||
The pcimConditionNegated attribute is a Boolean attribute that
|
||
indicates whether this policy condition is to be negated or not. If
|
||
it is TRUE (FALSE), it indicates that a policy condition IS (IS NOT)
|
||
negated in the DNF or CNF expression associated with a policy rule.
|
||
This attribute is defined as follows:
|
||
|
||
( 1.3.6.1.1.6.2.17
|
||
NAME 'pcimConditionNegated'
|
||
DESC 'If TRUE (FALSE), it indicates that a policy condition
|
||
IS (IS NOT) negated in the DNF or CNF expression
|
||
associated with a policy rule.'
|
||
EQUALITY booleanMatch
|
||
SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
|
||
SINGLE-VALUE
|
||
)
|
||
|
||
The pcimConditionName is a user-friendly name for identifying this
|
||
policy condition, and may be used as a naming attribute if desired.
|
||
This attribute is defined as follows:
|
||
|
||
( 1.3.6.1.1.6.2.18
|
||
NAME 'pcimConditionName'
|
||
DESC 'A user-friendly name for a policy condition.'
|
||
EQUALITY caseIgnoreMatch
|
||
ORDERING caseIgnoreOrderingMatch
|
||
SUBSTR caseIgnoreSubstringsMatch
|
||
|
||
|
||
|
||
|
||
Strassner, et al. Standards Track [Page 31]
|
||
|
||
RFC 3703 Policy Core LDAP Schema February 2004
|
||
|
||
|
||
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
|
||
SINGLE-VALUE
|
||
)
|
||
|
||
The pcimConditionDN attribute is a DN that references an instance of
|
||
a reusable policy condition. This attribute is defined as follows:
|
||
|
||
( 1.3.6.1.1.6.2.19
|
||
NAME 'pcimConditionDN'
|
||
DESC 'A DN that references an instance of a reusable policy
|
||
condition.'
|
||
EQUALITY distinguishedNameMatch
|
||
SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
|
||
SINGLE-VALUE
|
||
)
|
||
|
||
A DIT content rule could be written to enable an instance of
|
||
pcimRuleConditionAssociation to have attached to it an instance of
|
||
the auxiliary class pcimConditionAuxClass, or one of its subclasses.
|
||
This would be used to formalize the semantics of the
|
||
PolicyConditionInPolicyRule association. Specifically, this would be
|
||
used to represent a rule-specific policy condition [1].
|
||
Similarly, three separate DIT structure rules could be written. Each
|
||
of these DIT structure rules would refer to a specific name form that
|
||
defined two important semantics. First, each name form would
|
||
identify one of the three possible naming attributes (i.e.,
|
||
pcimConditionName, cn, and orderedCIMKeys) for the
|
||
pcimRuleConditionAssociation object class. Second, each name form
|
||
would require that an instance of the pcimRuleConditionAssociation
|
||
class have as its superior an instance of the pcimRule class. This
|
||
structure rule SHOULD also include a superiorStructureRule (see Note
|
||
2 at the beginning of section 5).
|
||
|
||
5.5. The Class pcimRuleValidityAssociation
|
||
|
||
The policyRuleValidityPeriod aggregation is mapped to the PCLS
|
||
pcimRuleValidityAssociation class. This class represents the
|
||
scheduled activation and deactivation of a policy rule by binding the
|
||
definition of times that the policy is active to the policy rule
|
||
itself. The "scheduled" times are either identified through an
|
||
attached auxiliary class pcimTPCAuxClass, or are referenced through
|
||
its pcimTimePeriodConditionDN attribute.
|
||
|
||
This class is defined as follows:
|
||
|
||
( 1.3.6.1.1.6.1.9 NAME 'pcimRuleValidityAssociation'
|
||
DESC 'This defines the scheduled activation or deactivation
|
||
of a policy rule.'
|
||
|
||
|
||
|
||
Strassner, et al. Standards Track [Page 32]
|
||
|
||
RFC 3703 Policy Core LDAP Schema February 2004
|
||
|
||
|
||
SUP pcimPolicy
|
||
STRUCTURAL
|
||
MAY ( pcimValidityConditionName $ pcimTimePeriodConditionDN )
|
||
)
|
||
|
||
The attributes of this class are defined as follows:
|
||
|
||
The pcimValidityConditionName attribute is used to define a
|
||
user-friendly name of this condition, and may be used as a naming
|
||
attribute if desired. This attribute is defined as follows:
|
||
|
||
( 1.3.6.1.1.6.2.20
|
||
NAME 'pcimValidityConditionName'
|
||
DESC 'A user-friendly name for identifying an instance of
|
||
a pcimRuleValidityAssociation entry.'
|
||
EQUALITY caseIgnoreMatch
|
||
ORDERING caseIgnoreOrderingMatch
|
||
SUBSTR caseIgnoreSubstringsMatch
|
||
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
|
||
SINGLE-VALUE
|
||
)
|
||
|
||
The pcimTimePeriodConditionDN attribute is a DN that references a
|
||
reusable time period condition. It is defined as follows:
|
||
|
||
( 1.3.6.1.1.6.2.21
|
||
NAME 'pcimTimePeriodConditionDN'
|
||
DESC 'A reference to a reusable policy time period
|
||
condition.'
|
||
EQUALITY distinguishedNameMatch
|
||
SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
|
||
SINGLE-VALUE
|
||
)
|
||
|
||
A DIT content rule could be written to enable an instance of
|
||
pcimRuleValidityAssociation to have attached to it an instance of the
|
||
auxiliary class pcimTPCAuxClass, or one of its subclasses. This
|
||
would be used to formalize the semantics of the
|
||
PolicyRuleValidityPeriod aggregation [1].
|
||
|
||
Similarly, three separate DIT structure rules could be written. Each
|
||
of these DIT structure rules would refer to a specific name form that
|
||
defined two important semantics. First, each name form would
|
||
identify one of the three possible naming attributes (i.e.,
|
||
pcimValidityConditionName, cn, and orderedCIMKeys) for the
|
||
pcimRuleValidityAssociation object class. Second, each name form
|
||
would require that an instance of the pcimRuleValidityAssociation
|
||
class have as its superior an instance of the pcimRule class. This
|
||
|
||
|
||
|
||
Strassner, et al. Standards Track [Page 33]
|
||
|
||
RFC 3703 Policy Core LDAP Schema February 2004
|
||
|
||
|
||
structure rule SHOULD also include a superiorStructureRule (see Note
|
||
2 at the beginning of section 5).
|
||
|
||
5.6. The Class pcimRuleActionAssociation
|
||
|
||
This class contains an attribute to represent the one property of the
|
||
PCIM PolicyActionInPolicyRule association, ActionOrder. This
|
||
property is used to specify an order for executing the actions
|
||
associated with a policy rule. Instances of this class are related
|
||
to an instance of pcimRule via DIT containment. The actions
|
||
themselves are represented by auxiliary subclasses of the auxiliary
|
||
class pcimActionAuxClass.
|
||
|
||
These auxiliary classes are attached directly to instances of
|
||
pcimRuleActionAssociation for rule-specific policy actions. For a
|
||
reusable policy action, the pcimAction auxiliary subclass is attached
|
||
to an instance of the class pcimPolicyInstance (which is presumably
|
||
associated with a pcimRepository by DIT containment), and the
|
||
pcimActionDN attribute (of this class) is used to reference the
|
||
reusable pcimCondition instance.
|
||
|
||
The class definition is as follows:
|
||
|
||
( 1.3.6.1.1.6.1.10 NAME 'pcimRuleActionAssociation'
|
||
DESC 'This class contains attributes characterizing the
|
||
relationship between a policy rule and one of its
|
||
policy actions.'
|
||
SUP pcimPolicy
|
||
MUST ( pcimActionOrder )
|
||
MAY ( pcimActionName $ pcimActionDN )
|
||
)
|
||
|
||
The pcimActionName attribute is used to define a user-friendly name
|
||
of this action, and may be used as a naming attribute if desired.
|
||
This attribute is defined as follows:
|
||
|
||
( 1.3.6.1.1.6.2.22
|
||
NAME 'pcimActionName'
|
||
DESC 'A user-friendly name for a policy action.'
|
||
EQUALITY caseIgnoreMatch
|
||
ORDERING caseIgnoreOrderingMatch
|
||
SUBSTR caseIgnoreSubstringsMatch
|
||
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
|
||
SINGLE-VALUE
|
||
)
|
||
|
||
|
||
|
||
|
||
|
||
|
||
Strassner, et al. Standards Track [Page 34]
|
||
|
||
RFC 3703 Policy Core LDAP Schema February 2004
|
||
|
||
|
||
The pcimActionOrder attribute is an unsigned integer that is used to
|
||
indicate the relative position of an action in a sequence of actions
|
||
that are associated with a given policy rule. When this number is
|
||
positive, it indicates a place in the sequence of actions to be
|
||
performed, with smaller values indicating earlier positions in the
|
||
sequence. If the value is zero, then this indicates that the order
|
||
is irrelevant. Note that if two or more actions have the same
|
||
non-zero value, they may be performed in any order as long as they
|
||
are each performed in the correct place in the overall sequence of
|
||
actions. This attribute is defined as follows:
|
||
|
||
( 1.3.6.1.1.6.2.23
|
||
NAME 'pcimActionOrder'
|
||
DESC 'An integer indicating the relative order of an action
|
||
in the context of a policy rule.'
|
||
EQUALITY integerMatch
|
||
ORDERING integerOrderingMatch
|
||
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
|
||
SINGLE-VALUE
|
||
)
|
||
|
||
Note: if the value of the pcimActionOrder field is negative, then it
|
||
SHOULD be treated as an error and any policy rule that refers to such
|
||
an entry SHOULD be treated as being disabled.
|
||
|
||
The pcimActionDN attribute is a DN that references a reusable policy
|
||
action. It is defined as follows:
|
||
|
||
( 1.3.6.1.1.6.2.24
|
||
NAME 'pcimActionDN'
|
||
DESC 'A DN that references a reusable policy action.'
|
||
EQUALITY distinguishedNameMatch
|
||
SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
|
||
SINGLE-VALUE
|
||
)
|
||
|
||
A DIT content rule could be written to enable an instance of
|
||
pcimRuleActionAssociation to have attached to it an instance of the
|
||
auxiliary class pcimActionAuxClass, or one of its subclasses. This
|
||
would be used to formalize the semantics of the
|
||
PolicyActionInPolicyRule association. Specifically, this would be
|
||
used to represent a rule-specific policy action [1].
|
||
|
||
Similarly, three separate DIT structure rules could be written. Each
|
||
of these DIT structure rules would refer to a specific name form that
|
||
defined two important semantics. First, each name form would
|
||
identify one of the three possible naming attributes (i.e.,
|
||
pcimActionName, cn, and orderedCIMKeys) for the
|
||
|
||
|
||
|
||
Strassner, et al. Standards Track [Page 35]
|
||
|
||
RFC 3703 Policy Core LDAP Schema February 2004
|
||
|
||
|
||
pcimRuleActionAssociation object class. Second, each name form would
|
||
require that an instance of the pcimRuleActionAssociation class have
|
||
as its superior an instance of the pcimRule class. This structure
|
||
rule should also include a superiorStructureRule (see Note 2 at the
|
||
beginning of section 5).
|
||
|
||
5.7. The Auxiliary Class pcimConditionAuxClass
|
||
|
||
The purpose of a policy condition is to determine whether or not the
|
||
set of actions (contained in the pcimRule that the condition applies
|
||
to) should be executed or not. This class defines the basic
|
||
organizational semantics of a policy condition, as specified in [1].
|
||
Subclasses of this auxiliary class can be attached to instances of
|
||
three other classes in the PCLS. When a subclass of this class is
|
||
attached to an instance of pcimRuleConditionAssociation, or to an
|
||
instance of pcimRule, it represents a rule-specific policy condition.
|
||
When a subclass of this class is attached to an instance of
|
||
pcimPolicyInstance, it represents a reusable policy condition.
|
||
|
||
Since all of the classes to which subclasses of this auxiliary class
|
||
may be attached are derived from the pcimPolicy class, the attributes
|
||
of pcimPolicy will already be defined for the entries to which these
|
||
subclasses attach. Thus, this class is derived directly from "top".
|
||
|
||
The class definition is as follows:
|
||
|
||
( 1.3.6.1.1.6.1.11 NAME 'pcimConditionAuxClass'
|
||
DESC 'A class representing a condition to be evaluated in
|
||
conjunction with a policy rule.'
|
||
SUP top
|
||
AUXILIARY
|
||
)
|
||
|
||
5.8. The Auxiliary Class pcimTPCAuxClass
|
||
|
||
The PCIM defines a time period class, PolicyTimePeriodCondition, to
|
||
provide a means of representing the time periods during which a
|
||
policy rule is valid, i.e., active. It also defines an aggregation,
|
||
PolicyRuleValidityPeriod, so that time periods can be associated with
|
||
a PolicyRule. The LDAP mapping also provides two classes, one for
|
||
the time condition itself, and one for the aggregation.
|
||
|
||
In the PCIM, the time period class is named
|
||
PolicyTimePeriodCondition. However, the resulting name of the
|
||
auxiliary class in this mapping (pcimTimePeriodConditionAuxClass)
|
||
exceeds the length of a name that some directories can store.
|
||
Therefore, the name has been shortened to pcimTPCAuxClass.
|
||
|
||
|
||
|
||
|
||
Strassner, et al. Standards Track [Page 36]
|
||
|
||
RFC 3703 Policy Core LDAP Schema February 2004
|
||
|
||
|
||
The class definition is as follows:
|
||
|
||
( 1.3.6.1.1.6.1.12 NAME 'pcimTPCAuxClass'
|
||
DESC 'This provides the capability of enabling or disabling
|
||
a policy rule according to a predetermined schedule.'
|
||
SUP pcimConditionAuxClass
|
||
AUXILIARY
|
||
MAY ( pcimTPCTime $ pcimTPCMonthOfYearMask $
|
||
pcimTPCDayOfMonthMask $ pcimTPCDayOfWeekMask $
|
||
pcimTPCTimeOfDayMask $ pcimTPCLocalOrUtcTime )
|
||
)
|
||
|
||
The attributes of the pcimTPCAuxClass are defined as follows.
|
||
|
||
The pcimTPCTime attribute represents the time period that a policy
|
||
rule is enabled for. This attribute is defined as a string in [1]
|
||
with a special format which defines a time period with a starting
|
||
date and an ending date separated by a forward slash ("/"), as
|
||
follows:
|
||
|
||
yyyymmddThhmmss/yyyymmddThhmmss
|
||
|
||
where the first date and time may be replaced with the string
|
||
"THISANDPRIOR" or the second date and time may be replaced with the
|
||
string "THISANDFUTURE". This attribute is defined as follows:
|
||
|
||
( 1.3.6.1.1.6.2.25
|
||
NAME 'pcimTPCTime'
|
||
DESC 'The start and end times on which a policy rule is
|
||
valid.'
|
||
EQUALITY caseIgnoreMatch
|
||
ORDERING caseIgnoreOrderingMatch
|
||
SUBSTR caseIgnoreSubstringsMatch
|
||
SYNTAX 1.3.6.1.4.1.1466.115.121.1.44
|
||
SINGLE-VALUE
|
||
)
|
||
|
||
The value of this attribute SHOULD be checked against its defined
|
||
format ("yyyymmddThhmmss/yyyymmddThhmmss", where the first and second
|
||
date strings may be replaced with the strings "THISANDPRIOR" and
|
||
"THISANDFUTURE"). If the value of this attribute does not conform to
|
||
this syntax, then this SHOULD be considered an error and the policy
|
||
rule SHOULD be treated as being disabled.
|
||
|
||
The next four attributes (pcimTPCMonthOfYearMask,
|
||
pcimTPCDayOfMonthMask, pcimTPCDayOfWeekMask, and
|
||
pcimTPCTimeOfDayMask) are all defined as octet strings in [1].
|
||
However, the semantics of each of these attributes are contained in
|
||
|
||
|
||
|
||
Strassner, et al. Standards Track [Page 37]
|
||
|
||
RFC 3703 Policy Core LDAP Schema February 2004
|
||
|
||
|
||
bit strings of various fixed lengths. Therefore, the PCLS uses a
|
||
syntax of Bit String to represent each of them. The definition of
|
||
these four attributes are as follows.
|
||
|
||
The pcimTPCMonthOfYearMask attribute defines a 12-bit mask
|
||
identifying the months of the year in which a policy rule is valid.
|
||
The format is a bit string of length 12, representing the months of
|
||
the year from January through December. The definition of this
|
||
attribute is as follows:
|
||
|
||
( 1.3.6.1.1.6.2.26
|
||
NAME 'pcimTPCMonthOfYearMask'
|
||
DESC 'This identifies the valid months of the year for a
|
||
policy rule using a 12-bit string that represents the
|
||
months of the year from January through December.'
|
||
EQUALITY bitStringMatch
|
||
SYNTAX 1.3.6.1.4.1.1466.115.121.1.6
|
||
SINGLE-VALUE
|
||
)
|
||
|
||
The value of this attribute SHOULD be checked against its defined
|
||
format. If the value of this attribute does not conform to this
|
||
syntax, then this SHOULD be considered an error and the policy rule
|
||
SHOULD be treated as being disabled.
|
||
|
||
The pcimTPCMonthOfDayMask attribute defines a mask identifying the
|
||
days of the month on which a policy rule is valid. The format is a
|
||
bit string of length 62. The first 31 positions represent the days
|
||
of the month in ascending order, from day 1 to day 31. The next 31
|
||
positions represent the days of the month in descending order, from
|
||
the last day to the day 31 days from the end. The definition of this
|
||
attribute is as follows:
|
||
|
||
( 1.3.6.1.1.6.2.27
|
||
NAME 'pcimTPCDayOfMonthMask'
|
||
DESC 'This identifies the valid days of the month for a
|
||
policy rule using a 62-bit string. The first 31
|
||
positions represent the days of the month in ascending
|
||
order, and the next 31 positions represent the days of
|
||
the month in descending order.'
|
||
EQUALITY bitStringMatch
|
||
SYNTAX 1.3.6.1.4.1.1466.115.121.1.6
|
||
SINGLE-VALUE
|
||
)
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
Strassner, et al. Standards Track [Page 38]
|
||
|
||
RFC 3703 Policy Core LDAP Schema February 2004
|
||
|
||
|
||
The value of this attribute SHOULD be checked against its defined
|
||
format. If the value of this attribute does not conform to this
|
||
syntax, then this SHOULD be considered an error and the policy rule
|
||
SHOULD be treated as being disabled.
|
||
|
||
The pcimTPCDayOfWeekMask attribute defines a mask identifying the
|
||
days of the week on which a policy rule is valid. The format is a
|
||
bit string of length 7, representing the days of the week from Sunday
|
||
through Saturday. The definition of this attribute is as follows:
|
||
|
||
( 1.3.6.1.1.6.2.28
|
||
NAME 'pcimTPCDayOfWeekMask'
|
||
DESC 'This identifies the valid days of the week for a
|
||
policy rule using a 7-bit string. This represents
|
||
the days of the week from Sunday through Saturday.'
|
||
EQUALITY bitStringMatch
|
||
SYNTAX 1.3.6.1.4.1.1466.115.121.1.6
|
||
SINGLE-VALUE
|
||
)
|
||
|
||
The value of this attribute SHOULD be checked against its defined
|
||
format. If the value of this attribute does not conform to this
|
||
syntax, then this SHOULD be considered an error and the policy rule
|
||
SHOULD be treated as being disabled.
|
||
|
||
The pcimTPCTimeOfDayMask attribute defines the range of times at
|
||
which a policy rule is valid. If the second time is earlier than the
|
||
first, then the interval spans midnight. The format of the string is
|
||
Thhmmss/Thhmmss. The definition of this attribute is as follows:
|
||
|
||
( 1.3.6.1.1.6.2.29
|
||
NAME 'pcimTPCTimeOfDayMask'
|
||
DESC 'This identifies the valid range of times for a policy
|
||
using the format Thhmmss/Thhmmss.'
|
||
EQUALITY caseIgnoreMatch
|
||
ORDERING caseIgnoreOrderingMatch
|
||
SUBSTR caseIgnoreSubstringsMatch
|
||
SYNTAX 1.3.6.1.4.1.1466.115.121.1.44
|
||
SINGLE-VALUE
|
||
)
|
||
|
||
The value of this attribute SHOULD be checked against its defined
|
||
format. If the value of this attribute does not conform to this
|
||
syntax, then this SHOULD be considered an error and the policy rule
|
||
SHOULD be treated as being disabled.
|
||
|
||
|
||
|
||
|
||
|
||
|
||
Strassner, et al. Standards Track [Page 39]
|
||
|
||
RFC 3703 Policy Core LDAP Schema February 2004
|
||
|
||
|
||
Finally, the pcimTPCLocalOrUtcTime attribute is used to choose
|
||
between local or UTC time representation. This is mapped as a simple
|
||
integer syntax, with the value of 1 representing local time and the
|
||
value of 2 representing UTC time. The definition of this attribute
|
||
is as follows:
|
||
|
||
( 1.3.6.1.1.6.2.30
|
||
NAME 'pcimTPCLocalOrUtcTime'
|
||
DESC 'This defines whether the times in this instance
|
||
represent local (value=1) times or UTC (value=2)
|
||
times.'
|
||
EQUALITY integerMatch
|
||
ORDERING integerOrderingMatch
|
||
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
|
||
SINGLE-VALUE
|
||
)
|
||
|
||
Note: if the value of the pcimTPCLocalOrUtcTime is not 1 or 2, then
|
||
this SHOULD be considered an error and the policy rule SHOULD be
|
||
disabled. If the attribute is not present at all, then all times are
|
||
interpreted as if it were present with the value 2, that is, UTC
|
||
time.
|
||
|
||
5.9. The Auxiliary Class pcimConditionVendorAuxClass
|
||
|
||
This class provides a general extension mechanism for representing
|
||
policy conditions that have not been modeled with specific
|
||
properties. Instead, its two properties are used to define the
|
||
content and format of the condition, as explained below. This class
|
||
is intended for vendor-specific extensions that are not amenable to
|
||
using pcimCondition; standardized extensions SHOULD NOT use this
|
||
class.
|
||
|
||
The class definition is as follows:
|
||
|
||
( 1.3.6.1.1.6.1.13 NAME 'pcimConditionVendorAuxClass'
|
||
DESC 'A class that defines a registered means to describe a
|
||
policy condition.'
|
||
SUP pcimConditionAuxClass
|
||
AUXILIARY
|
||
MAY ( pcimVendorConstraintData $
|
||
pcimVendorConstraintEncoding )
|
||
)
|
||
|
||
The pcimVendorConstraintData attribute is a multi-valued attribute.
|
||
It provides a general mechanism for representing policy conditions
|
||
that have not been modeled as specific attributes. This information
|
||
is encoded in a set of octet strings. The format of the octet
|
||
|
||
|
||
|
||
Strassner, et al. Standards Track [Page 40]
|
||
|
||
RFC 3703 Policy Core LDAP Schema February 2004
|
||
|
||
|
||
strings is identified by the OID stored in the
|
||
pcimVendorConstraintEncoding attribute. This attribute is defined as
|
||
follows:
|
||
|
||
( 1.3.6.1.1.6.2.31
|
||
NAME 'pcimVendorConstraintData'
|
||
DESC 'Mechanism for representing constraints that have not
|
||
been modeled as specific attributes. Their format is
|
||
identified by the OID stored in the attribute
|
||
pcimVendorConstraintEncoding.'
|
||
EQUALITY octetStringMatch
|
||
ORDERING octetStringOrderingMatch
|
||
SYNTAX 1.3.6.1.4.1.1466.115.121.1.40
|
||
)
|
||
|
||
The pcimVendorConstraintEncoding attribute is used to identify the
|
||
format and semantics for the pcimVendorConstraintData attribute.
|
||
This attribute is defined as follows:
|
||
|
||
( 1.3.6.1.1.6.2.32
|
||
NAME 'pcimVendorConstraintEncoding'
|
||
DESC 'An OID identifying the format and semantics for the
|
||
pcimVendorConstraintData for this instance.'
|
||
EQUALITY objectIdentifierMatch
|
||
SYNTAX 1.3.6.1.4.1.1466.115.121.1.38
|
||
SINGLE-VALUE
|
||
)
|
||
|
||
5.10. The Auxiliary Class pcimActionAuxClass
|
||
|
||
The purpose of a policy action is to execute one or more operations
|
||
that will affect network traffic and/or systems, devices, etc. in
|
||
order to achieve a desired policy state. This class is used to
|
||
represent an action to be performed as a result of a policy rule
|
||
whose condition clause was satisfied.
|
||
|
||
Subclasses of this auxiliary class can be attached to instances of
|
||
three other classes in the PCLS. When a subclass of this class is
|
||
attached to an instance of pcimRuleActionAssociation, or to an
|
||
instance of pcimRule, it represents a rule-specific policy action.
|
||
When a subclass of this class is attached to an instance of
|
||
pcimPolicyInstance, it represents a reusable policy action.
|
||
|
||
Since all of the classes to which subclasses of this auxiliary class
|
||
may be attached are derived from the pcimPolicy class, the attributes
|
||
of the pcimPolicy class will already be defined for the entries to
|
||
which these subclasses attach. Thus, this class is derived directly
|
||
from "top".
|
||
|
||
|
||
|
||
Strassner, et al. Standards Track [Page 41]
|
||
|
||
RFC 3703 Policy Core LDAP Schema February 2004
|
||
|
||
|
||
The class definition is as follows:
|
||
|
||
( 1.3.6.1.1.6.1.14 NAME 'pcimActionAuxClass'
|
||
DESC 'A class representing an action to be performed as a
|
||
result of a policy rule.'
|
||
SUP top
|
||
AUXILIARY
|
||
)
|
||
|
||
5.11. The Auxiliary Class pcimActionVendorAuxClass
|
||
|
||
The purpose of this class is to provide a general extension mechanism
|
||
for representing policy actions that have not been modeled with
|
||
specific properties. Instead, its two properties are used to define
|
||
the content and format of the action, as explained below.
|
||
|
||
As its name suggests, this class is intended for vendor-specific
|
||
extensions that are not amenable to using the standard pcimAction
|
||
class. Standardized extensions SHOULD NOT use this class.
|
||
|
||
The class definition is as follows:
|
||
|
||
( 1.3.6.1.1.6.1.15 NAME 'pcimActionVendorAuxClass'
|
||
DESC 'A class that defines a registered means to describe a
|
||
policy action.'
|
||
SUP pcimActionAuxClass
|
||
AUXILIARY
|
||
MAY ( pcimVendorActionData $ pcimVendorActionEncoding )
|
||
)
|
||
|
||
The pcimVendorActionData attribute is a multi-valued attribute. It
|
||
provides a general mechanism for representing policy actions that
|
||
have not been modeled as specific attributes. This information is
|
||
encoded in a set of octet strings. The format of the octet strings
|
||
is identified by the OID stored in the pcimVendorActionEncoding
|
||
attribute. This attribute is defined as follows:
|
||
|
||
( 1.3.6.1.1.6.2.33
|
||
NAME 'pcimVendorActionData'
|
||
DESC ' Mechanism for representing policy actions that have
|
||
not been modeled as specific attributes. Their
|
||
format is identified by the OID stored in the
|
||
attribute pcimVendorActionEncoding.'
|
||
EQUALITY octetStringMatch
|
||
ORDERING octetStringOrderingMatch
|
||
SYNTAX 1.3.6.1.4.1.1466.115.121.1.40
|
||
)
|
||
|
||
|
||
|
||
|
||
Strassner, et al. Standards Track [Page 42]
|
||
|
||
RFC 3703 Policy Core LDAP Schema February 2004
|
||
|
||
|
||
The pcimVendorActionEncoding attribute is used to identify the format
|
||
and semantics for the pcimVendorActionData attribute. This attribute
|
||
is defined as follows:
|
||
|
||
( 1.3.6.1.1.6.2.34
|
||
NAME 'pcimVendorActionEncoding'
|
||
DESC 'An OID identifying the format and semantics for the
|
||
pcimVendorActionData attribute of this instance.'
|
||
EQUALITY objectIdentifierMatch
|
||
SYNTAX 1.3.6.1.4.1.1466.115.121.1.38
|
||
SINGLE-VALUE
|
||
)
|
||
|
||
5.12. The Class pcimPolicyInstance
|
||
|
||
This class is not defined in the PCIM. Its role is to serve as a
|
||
structural class to which auxiliary classes representing policy
|
||
information are attached when the information is reusable. For
|
||
auxiliary classes representing policy conditions and policy actions,
|
||
there are alternative structural classes that may be used. See
|
||
Section 4.4 for a complete discussion of reusable policy conditions
|
||
and actions, and of the role that this class plays in how they are
|
||
represented.
|
||
|
||
The class definition is as follows:
|
||
|
||
( 1.3.6.1.1.6.1.16 NAME 'pcimPolicyInstance'
|
||
DESC 'A structural class to which aux classes containing
|
||
reusable policy information can be attached.'
|
||
SUP pcimPolicy
|
||
MAY ( pcimPolicyInstanceName )
|
||
)
|
||
|
||
The pcimPolicyInstanceName attribute is used to define a
|
||
user-friendly name of this class, and may be used as a naming
|
||
attribute if desired. It is defined as follows:
|
||
|
||
( 1.3.6.1.1.6.2.35 NAME 'pcimPolicyInstanceName'
|
||
DESC 'The user-friendly name of this policy instance.'
|
||
EQUALITY caseIgnoreMatch
|
||
ORDERING caseIgnoreOrderingMatch
|
||
SUBSTR caseIgnoreSubstringsMatch
|
||
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
|
||
SINGLE-VALUE
|
||
)
|
||
|
||
|
||
|
||
|
||
|
||
|
||
Strassner, et al. Standards Track [Page 43]
|
||
|
||
RFC 3703 Policy Core LDAP Schema February 2004
|
||
|
||
|
||
A DIT content rule could be written to enable an instance of
|
||
pcimPolicyInstance to have attached to it either instances of one or
|
||
more of the auxiliary object classes pcimConditionAuxClass and
|
||
pcimActionAuxClass. Since these semantics do not include specifying
|
||
any properties, the content rule would not need to specify any
|
||
attributes. Note that other content rules could be defined to enable
|
||
other policy-related auxiliary classes to be attached to
|
||
pcimPolicyInstance.
|
||
|
||
Similarly, three separate DIT structure rules could be written. Each
|
||
of these DIT structure rules would refer to a specific name form that
|
||
defined two important semantics. First, each name form would
|
||
identify one of the three possible naming attributes (i.e.,
|
||
pcimPolicyInstanceName, cn, and orderedCIMKeys) for this object
|
||
class. Second, each name form would require that an instance of the
|
||
pcimPolicyInstance class have as its superior an instance of the
|
||
pcimRepository class. This structure rule SHOULD also include a
|
||
superiorStructureRule (see Note 2 at the beginning of section 5).
|
||
|
||
5.13. The Auxiliary Class pcimElementAuxClass
|
||
|
||
This class introduces no additional attributes, beyond those defined
|
||
in the class pcimPolicy from which it is derived. Its role is to
|
||
"tag" an instance of a class defined outside the realm of policy
|
||
information as represented by PCIM as being nevertheless relevant to
|
||
a policy specification. This tagging can potentially take place at
|
||
two levels:
|
||
|
||
- Every instance to which pcimElementAuxClass is attached becomes
|
||
an instance of the class pcimPolicy, since pcimElementAuxClass is
|
||
a subclass of pcimPolicy. Searching for object
|
||
class="pcimPolicy" will return the instance. (As noted earlier,
|
||
this approach does NOT work for some directory implementations.
|
||
To accommodate these implementations, policy-related entries
|
||
SHOULD be tagged with the pcimKeyword "POLICY".)
|
||
|
||
- With the pcimKeywords attribute that it inherits from pcimPolicy,
|
||
an instance to which pcimElementAuxClass is attached can be
|
||
tagged as being relevant to a particular type or category of
|
||
policy information, using standard keywords,
|
||
administrator-defined keywords, or both.
|
||
|
||
The class definition is as follows:
|
||
|
||
( 1.3.6.1.1.6.1.17 NAME 'pcimElementAuxClass'
|
||
DESC 'An auxiliary class used to tag instances of classes
|
||
defined outside the realm of policy as relevant to a
|
||
particular policy specification.'
|
||
|
||
|
||
|
||
Strassner, et al. Standards Track [Page 44]
|
||
|
||
RFC 3703 Policy Core LDAP Schema February 2004
|
||
|
||
|
||
SUP pcimPolicy
|
||
AUXILIARY
|
||
)
|
||
|
||
5.14. The Three Policy Repository Classes
|
||
|
||
These classes provide a container for reusable policy information,
|
||
such as reusable policy conditions and/or reusable policy actions.
|
||
This document is concerned with mapping just the properties that
|
||
appear in these classes. Conceptually, this may be thought of as a
|
||
special location in the DIT where policy information may reside.
|
||
Since pcimRepository is derived from the class dlm1AdminDomain
|
||
defined in reference [6], this specification has a normative
|
||
dependency on that element of reference [6] (as well as on its entire
|
||
derivation hierarchy, which also appears in reference [6]). To
|
||
maximize flexibility, the pcimRepository class is defined as
|
||
abstract. A subclass pcimRepositoryAuxClass provides for auxiliary
|
||
attachment to another entry, while a structural subclass
|
||
pcimRepositoryInstance is available to represent a policy repository
|
||
as a standalone entry.
|
||
|
||
The definition for the pcimRepository class is as follows:
|
||
|
||
( 1.3.6.1.1.6.1.18 NAME 'pcimRepository'
|
||
DESC 'A container for reusable policy information.'
|
||
SUP dlm1AdminDomain
|
||
ABSTRACT
|
||
MAY ( pcimRepositoryName )
|
||
)
|
||
|
||
The pcimRepositoryName attribute is used to define a user-friendly
|
||
name of this class, and may be used as a naming attribute if desired.
|
||
It is defined as follows:
|
||
|
||
( 1.3.6.1.1.6.2.36 NAME 'pcimRepositoryName'
|
||
DESC 'The user-friendly name of this policy repository.'
|
||
EQUALITY caseIgnoreMatch
|
||
ORDERING caseIgnoreOrderingMatch
|
||
SUBSTR caseIgnoreSubstringsMatch
|
||
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
|
||
SINGLE-VALUE
|
||
)
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
Strassner, et al. Standards Track [Page 45]
|
||
|
||
RFC 3703 Policy Core LDAP Schema February 2004
|
||
|
||
|
||
The two subclasses of pcimRepository are defined as follows. First,
|
||
the pcimRepositoryAuxClass is an auxiliary class that can be used to
|
||
aggregate reusable policy information. It is defined as follows:
|
||
|
||
( 1.3.6.1.1.6.1.19 NAME 'pcimRepositoryAuxClass'
|
||
DESC 'An auxiliary class that can be used to aggregate
|
||
reusable policy information.'
|
||
SUP pcimRepository
|
||
AUXILIARY
|
||
)
|
||
|
||
In cases where structural classes are needed instead of an auxiliary
|
||
class, the pcimRepositoryInstance class is a structural class that
|
||
can be used to aggregate reusable policy information. It is defined
|
||
as follows:
|
||
|
||
( 1.3.6.1.1.6.1.20 NAME 'pcimRepositoryInstance'
|
||
DESC 'A structural class that can be used to aggregate
|
||
reusable policy information.'
|
||
SUP pcimRepository
|
||
STRUCTURAL
|
||
)
|
||
|
||
Three separate DIT structure rules could be written for this class.
|
||
Each of these DIT structure rules would refer to a specific name form
|
||
that enabled an instance of the pcimRepository class to be named
|
||
under any superior using one of the three possible naming attributes
|
||
(i.e., pcimRepositoryName, cn, and orderedCIMKeys). This structure
|
||
rule SHOULD also include a superiorStructureRule (see Note 2 at the
|
||
beginning of section 5).
|
||
|
||
5.15. The Auxiliary Class pcimSubtreesPtrAuxClass
|
||
|
||
This auxiliary class provides a single, multi-valued attribute that
|
||
references a set of objects that are at the root of DIT subtrees
|
||
containing policy-related information. By attaching this attribute
|
||
to instances of various other classes, a policy administrator has a
|
||
flexible way of providing an entry point into the directory that
|
||
allows a client to locate and retrieve the policy information
|
||
relevant to it.
|
||
|
||
It is intended that these entries are placed in the DIT such that
|
||
well-known DNs can be used to reference a well-known structural entry
|
||
that has the pcimSubtreesPtrAuxClass attached to it. In effect, this
|
||
defines a set of entry points. Each of these entry points can
|
||
contain and/or reference all related policy entries for
|
||
|
||
|
||
|
||
|
||
|
||
Strassner, et al. Standards Track [Page 46]
|
||
|
||
RFC 3703 Policy Core LDAP Schema February 2004
|
||
|
||
|
||
any well-known policy domains. The pcimSubtreesPtrAuxClass functions
|
||
as a tag to identify portions of the DIT that contain policy
|
||
information.
|
||
|
||
This object does not provide the semantic linkages between individual
|
||
policy objects, such as those between a policy group and the policy
|
||
rules that belong to it. Its only role is to enable efficient bulk
|
||
retrieval of policy-related objects, as described in Section 4.5.
|
||
|
||
Once the objects have been retrieved, a directory client can
|
||
determine the semantic linkages by following references contained in
|
||
multi-valued attributes, such as pcimRulesAuxContainedSet.
|
||
|
||
Since policy-related objects will often be included in the DIT
|
||
subtree beneath an object to which this auxiliary class is attached,
|
||
a client SHOULD request the policy-related objects from the subtree
|
||
under the object with these references at the same time that it
|
||
requests the references themselves.
|
||
|
||
Since clients are expected to behave in this way, the policy
|
||
administrator SHOULD make sure that this subtree does not contain so
|
||
many objects unrelated to policy that an initial search done in this
|
||
way results in a performance problem. The pcimSubtreesPtrAuxClass
|
||
SHOULD NOT be attached to the partition root for a large directory
|
||
partition containing a relatively few number of policy-related
|
||
objects along with a large number of objects unrelated to policy
|
||
(again, "policy" here refers to the PCIM, not the X.501, definition
|
||
and use of "policy"). A better approach would be to introduce a
|
||
container object immediately below the partition root, attach
|
||
pcimSubtreesPtrAuxClass to this container object, and then place all
|
||
of the policy-related objects in that subtree.
|
||
|
||
The class definition is as follows:
|
||
|
||
( 1.3.6.1.1.6.1.21 NAME 'pcimSubtreesPtrAuxClass'
|
||
DESC 'An auxiliary class providing DN references to roots of
|
||
DIT subtrees containing policy-related objects.'
|
||
SUP top
|
||
AUXILIARY
|
||
MAY ( pcimSubtreesAuxContainedSet )
|
||
)
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
Strassner, et al. Standards Track [Page 47]
|
||
|
||
RFC 3703 Policy Core LDAP Schema February 2004
|
||
|
||
|
||
The attribute pcimSubtreesAuxContainedSet provides an unordered set
|
||
of DN references to instances of one or more objects under which
|
||
policy-related information is present. The objects referenced may or
|
||
may not themselves contain policy-related information. The attribute
|
||
definition is as follows:
|
||
|
||
( 1.3.6.1.1.6.2.37
|
||
NAME 'pcimSubtreesAuxContainedSet'
|
||
DESC 'DNs of objects that serve as roots for DIT subtrees
|
||
containing policy-related objects.'
|
||
EQUALITY distinguishedNameMatch
|
||
SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
|
||
)
|
||
|
||
Note that the cn attribute does NOT need to be defined for this
|
||
class. This is because an auxiliary class is used as a means to
|
||
collect common attributes and treat them as properties of an object.
|
||
A good analogy is a #include file, except that since an auxiliary
|
||
class is a class, all the benefits of a class (e.g., inheritance) can
|
||
be applied to an auxiliary class.
|
||
|
||
5.16. The Auxiliary Class pcimGroupContainmentAuxClass
|
||
|
||
This auxiliary class provides a single, multi-valued attribute that
|
||
references a set of pcimGroups. By attaching this attribute to
|
||
instances of various other classes, a policy administrator has a
|
||
flexible way of providing an entry point into the directory that
|
||
allows a client to locate and retrieve the pcimGroups relevant to it.
|
||
|
||
As is the case with pcimRules, a policy administrator might have
|
||
several different references to a pcimGroup in the overall directory
|
||
structure. The pcimGroupContainmentAuxClass is the mechanism that
|
||
makes it possible for the policy administrator to define all these
|
||
different references.
|
||
|
||
The class definition is as follows:
|
||
|
||
( 1.3.6.1.1.6.1.22 NAME 'pcimGroupContainmentAuxClass'
|
||
DESC 'An auxiliary class used to bind pcimGroups to an
|
||
appropriate container object.'
|
||
SUP top
|
||
AUXILIARY
|
||
MAY ( pcimGroupsAuxContainedSet )
|
||
)
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
Strassner, et al. Standards Track [Page 48]
|
||
|
||
RFC 3703 Policy Core LDAP Schema February 2004
|
||
|
||
|
||
The attribute pcimGroupsAuxContainedSet provides an unordered set of
|
||
references to instances of one or more pcimGroups associated with the
|
||
instance of a structural class to which this attribute has been
|
||
appended.
|
||
|
||
The attribute definition is as follows:
|
||
|
||
( 1.3.6.1.1.6.2.38
|
||
NAME 'pcimGroupsAuxContainedSet'
|
||
DESC 'DNs of pcimGroups associated in some way with the
|
||
instance to which this attribute has been appended.'
|
||
EQUALITY distinguishedNameMatch
|
||
SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
|
||
)
|
||
|
||
Note that the cn attribute does NOT have to be defined for this class
|
||
for the same reasons as those given for the pcimSubtreesPtrAuxClass
|
||
in section 5.15.
|
||
|
||
5.17. The Auxiliary Class pcimRuleContainmentAuxClass
|
||
|
||
This auxiliary class provides a single, multi-valued attribute that
|
||
references a set of pcimRules. By attaching this attribute to
|
||
instances of various other classes, a policy administrator has a
|
||
flexible way of providing an entry point into the directory that
|
||
allows a client to locate and retrieve the pcimRules relevant to it.
|
||
|
||
A policy administrator might have several different references to a
|
||
pcimRule in the overall directory structure. For example, there
|
||
might be references to all pcimRules for traffic originating in a
|
||
particular subnet from a directory entry that represents that subnet.
|
||
At the same time, there might be references to all pcimRules related
|
||
to a particular DiffServ setting from an instance of a pcimGroup
|
||
explicitly introduced as a container for DiffServ-related pcimRules.
|
||
The pcimRuleContainmentAuxClass is the mechanism that makes it
|
||
possible for the policy administrator to define all these separate
|
||
references.
|
||
|
||
The class definition is as follows:
|
||
|
||
( 1.3.6.1.1.6.1.23 NAME 'pcimRuleContainmentAuxClass'
|
||
DESC 'An auxiliary class used to bind pcimRules to an
|
||
appropriate container object.'
|
||
SUP top
|
||
AUXILIARY
|
||
MAY ( pcimRulesAuxContainedSet )
|
||
)
|
||
|
||
|
||
|
||
|
||
Strassner, et al. Standards Track [Page 49]
|
||
|
||
RFC 3703 Policy Core LDAP Schema February 2004
|
||
|
||
|
||
The attribute pcimRulesAuxContainedSet provides an unordered set of
|
||
references to one or more instances of pcimRules associated with the
|
||
instance of a structural class to which this attribute has been
|
||
appended. The attribute definition is as follows:
|
||
|
||
( 1.3.6.1.1.6.2.39
|
||
NAME 'pcimRulesAuxContainedSet'
|
||
DESC 'DNs of pcimRules associated in some way with the
|
||
instance to which this attribute has been appended.'
|
||
EQUALITY distinguishedNameMatch
|
||
SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
|
||
)
|
||
|
||
The cn attribute does NOT have to be defined for this class for the
|
||
same reasons as those given for the pcimSubtreesPtrAuxClass in
|
||
section 5.15.
|
||
|
||
6. Extending the Classes Defined in This Document
|
||
|
||
The following subsections provide general guidance on how to create a
|
||
domain-specific schema derived from this document, discuss how the
|
||
vendor classes in the PCLS should be used, and explain how
|
||
policyTimePeriodConditions are related to other policy conditions.
|
||
|
||
6.1. Subclassing pcimConditionAuxClass and pcimActionAuxClass
|
||
|
||
In Section 4.4, there is a discussion of how, by representing policy
|
||
conditions and policy actions as auxiliary classes in a schema, the
|
||
flexibility is retained to instantiate a particular condition or
|
||
action as either rule-specific or reusable. This flexibility is lost
|
||
if a condition or action class is defined as structural rather than
|
||
auxiliary. For standardized schemata, this document specifies that
|
||
domain-specific information MUST be expressed in auxiliary subclasses
|
||
of pcimConditionAuxClass and pcimActionAuxClass. It is RECOMMENDED
|
||
that non-standardized schemata follow this practice as well.
|
||
|
||
6.2. Using the Vendor Policy Attributes
|
||
|
||
As discussed Section 5.9, the attributes pcimVendorConstraintData and
|
||
pcimVendorConstraintEncoding are included in the
|
||
pcimConditionVendorAuxClass to provide a mechanism for representing
|
||
vendor-specific policy conditions that are not amenable to being
|
||
represented with the pcimCondition class (or its subclasses). The
|
||
attributes pcimVendorActionData and pcimVendorActionEncoding in the
|
||
pcimActionVendorAuxClass class play the same role with respect to
|
||
actions. This enables interoperability between different vendors who
|
||
could not otherwise interoperate.
|
||
|
||
|
||
|
||
|
||
Strassner, et al. Standards Track [Page 50]
|
||
|
||
RFC 3703 Policy Core LDAP Schema February 2004
|
||
|
||
|
||
For example, imagine a network composed of access devices from vendor
|
||
A, edge and core devices from vendor B, and a policy server from
|
||
vendor C. It is desirable for this policy server to be able to
|
||
configure and manage all of the devices from vendors A and B.
|
||
Unfortunately, these devices will in general have little in common
|
||
(e.g., different mechanisms, different ways for controlling those
|
||
mechanisms, different operating systems, different commands, and so
|
||
forth). The extension conditions provide a way for vendor-specific
|
||
commands to be encoded as octet strings, so that a single policy
|
||
server can commonly manage devices from different vendors.
|
||
|
||
6.3. Using Time Validity Periods
|
||
|
||
Time validity periods are defined as an auxiliary subclass of
|
||
pcimConditionAuxClass, called pcimTPCAuxClass. This is to allow
|
||
their inclusion in the AND/OR condition definitions for a pcimRule.
|
||
Care should be taken not to subclass pcimTPCAuxClass to add
|
||
domain-specific condition properties.
|
||
|
||
For example, it would be incorrect to add IPsec- or QoS-specific
|
||
condition properties to the pcimTPCAuxClass class, just because IPsec
|
||
or QoS includes time in its condition definition. The correct
|
||
subclassing would be to create IPsec or QoS-specific subclasses of
|
||
pcimConditionAuxClass and then combine instances of these
|
||
domain-specific condition classes with the appropriate validity
|
||
period criteria. This is accomplished using the AND/OR association
|
||
capabilities for policy conditions in pcimRules.
|
||
|
||
7. Security Considerations
|
||
|
||
The PCLS, presented in this document, provides a mapping of the
|
||
object-oriented model for describing policy information (PCIM) into a
|
||
data model that forms the basic framework for describing the
|
||
structure of policy data, in the case where the policy repository
|
||
takes the form of an LDAP-accessible directory.
|
||
|
||
PCLS is not intended to represent any particular system design or
|
||
implementation. PCLS is not directly useable in a real world system,
|
||
without the discipline-specific mappings that are works in progress
|
||
in the Policy Framework Working Group of the IETF.
|
||
|
||
These other derivative documents, which use PCIM and its
|
||
discipline-specific extensions as a base, will need to convey more
|
||
specific security considerations (refer to RFC 3060 for more
|
||
information.)
|
||
|
||
|
||
|
||
|
||
|
||
|
||
Strassner, et al. Standards Track [Page 51]
|
||
|
||
RFC 3703 Policy Core LDAP Schema February 2004
|
||
|
||
|
||
The reason that PCLS, as defined here, is not representative of any
|
||
real-world system, is that its object classes were designed to be
|
||
independent of any specific discipline, or policy domain. For
|
||
example, DiffServ and IPsec represent two different policy domains.
|
||
Each document that extends PCIM to one of these domains will derive
|
||
subclasses from the classes and relationships defined in PCIM, in
|
||
order to represent extensions of a generic model to cover specific
|
||
technical domains.
|
||
|
||
PCIM-derived documents will thus subclass the PCIM classes into
|
||
classes specific to each technical policy domain (QOS, IPsec, etc.),
|
||
which will, in turn, be mapped, to directory-specific schemata
|
||
consistent with the PCLS documented here.
|
||
|
||
Even though discipline-specific security requirements are not
|
||
appropriate for PCLS, specific security requirements MUST be defined
|
||
for each operational real-world application of PCIM. Just as there
|
||
will be a wide range of operational, real-world systems using PCIM,
|
||
there will also be a wide range of security requirements for these
|
||
systems. Some operational, real-world systems that are deployed
|
||
using PCLS may have extensive security requirements that impact
|
||
nearly all object classes utilized by such a system, while other
|
||
systems' security requirements might have very little impact.
|
||
|
||
The derivative documents, discussed above, will create the context
|
||
for applying operational, real-world, system-level security
|
||
requirements against the various models that derive from PCIM,
|
||
consistent with PCLS.
|
||
|
||
In some real-world scenarios, the values associated with certain
|
||
properties, within certain instantiated object classes, may represent
|
||
information associated with scarce, and/or costly (and therefore
|
||
valuable) resources. It may be the case that these values must not
|
||
be disclosed to, or manipulated by, unauthorized parties.
|
||
|
||
Since this document forms the basis for the representation of a
|
||
policy data model in a specific format (an LDAP-accessible
|
||
directory), it is herein appropriate to reference the data
|
||
model-specific tools and mechanisms that are available for achieving
|
||
the authentication and authorization implicit in a requirement that
|
||
restricts read and/or read- write access to these values stored in a
|
||
directory.
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
Strassner, et al. Standards Track [Page 52]
|
||
|
||
RFC 3703 Policy Core LDAP Schema February 2004
|
||
|
||
|
||
General LDAP security considerations apply, as documented in RFC 3377
|
||
[2]. LDAP-specific authentication and authorization tools and
|
||
mechanisms are found in the following standards track documents,
|
||
which are appropriate for application to the management of security
|
||
applied to policy data models stored in an LDAP-accessible directory:
|
||
|
||
- RFC 2829 (Authentication Methods for LDAP)
|
||
- RFC 2830 (Lightweight Directory Access Protocol (v3): Extension
|
||
for Transport Layer Security)
|
||
|
||
Any identified security requirements that are not dealt with in the
|
||
appropriate discipline-specific information model documents, or in
|
||
this document, MUST be dealt with in the derivative data model
|
||
documents which are specific to each discipline.
|
||
|
||
8. IANA Considerations
|
||
|
||
Refer to RFC 3383, "Internet Assigned Numbers Authority (IANA)
|
||
Considerations for the Lightweight Directory Access Protocol (LDAP)"
|
||
[16].
|
||
|
||
8.1. Object Identifiers
|
||
|
||
The IANA has registered an LDAP Object Identifier for use in this
|
||
technical specification according to the following template:
|
||
|
||
Subject: Request for LDAP OID Registration
|
||
Person & email address to contact for further information:
|
||
Bob Moore (remoore@us.ibm.com)
|
||
Specification: RFC 3703
|
||
Author/Change Controller: IESG
|
||
Comments:
|
||
The assigned OID will be used as a base for identifying
|
||
a number of schema elements defined in this document.
|
||
|
||
IANA has assigned an OID of 1.3.6.1.1.6 with the name of pcimSchema
|
||
to this registration as recorded in the following registry:
|
||
|
||
http://www.iana.org/assignments/smi-numbers
|
||
|
||
8.2. Object Identifier Descriptors
|
||
|
||
The IANA has registered the LDAP Descriptors used in this technical
|
||
specification as detailed in the following template:
|
||
|
||
Subject: Request for LDAP Descriptor Registration Update
|
||
Descriptor (short name): see comment
|
||
Object Identifier: see comment
|
||
|
||
|
||
|
||
Strassner, et al. Standards Track [Page 53]
|
||
|
||
RFC 3703 Policy Core LDAP Schema February 2004
|
||
|
||
|
||
Person & email address to contact for further information:
|
||
Bob Moore (remoore@us.ibm.com)
|
||
Usage: see comment
|
||
Specification: RFC 3703
|
||
Author/Change Controller: IESG
|
||
Comments:
|
||
|
||
The following descriptors have been added:
|
||
|
||
NAME Type OID
|
||
-------------- ---- ------------
|
||
pcimPolicy O 1.3.6.1.1.6.1.1
|
||
pcimGroup O 1.3.6.1.1.6.1.2
|
||
pcimGroupAuxClass O 1.3.6.1.1.6.1.3
|
||
pcimGroupInstance O 1.3.6.1.1.6.1.4
|
||
pcimRule O 1.3.6.1.1.6.1.5
|
||
pcimRuleAuxClass O 1.3.6.1.1.6.1.6
|
||
pcimRuleInstance O 1.3.6.1.1.6.1.7
|
||
pcimRuleConditionAssociation O 1.3.6.1.1.6.1.8
|
||
pcimRuleValidityAssociation O 1.3.6.1.1.6.1.9
|
||
pcimRuleActionAssociation O 1.3.6.1.1.6.1.10
|
||
pcimConditionAuxClass O 1.3.6.1.1.6.1.11
|
||
pcimTPCAuxClass O 1.3.6.1.1.6.1.12
|
||
pcimConditionVendorAuxClass O 1.3.6.1.1.6.1.13
|
||
pcimActionAuxClass O 1.3.6.1.1.6.1.14
|
||
pcimActionVendorAuxClass O 1.3.6.1.1.6.1.15
|
||
pcimPolicyInstance O 1.3.6.1.1.6.1.16
|
||
pcimElementAuxClass O 1.3.6.1.1.6.1.17
|
||
pcimRepository O 1.3.6.1.1.6.1.18
|
||
pcimRepositoryAuxClass O 1.3.6.1.1.6.1.19
|
||
pcimRepositoryInstance O 1.3.6.1.1.6.1.20
|
||
pcimSubtreesPtrAuxClass O 1.3.6.1.1.6.1.21
|
||
pcimGroupContainmentAuxClass O 1.3.6.1.1.6.1.22
|
||
pcimRuleContainmentAuxClass O 1.3.6.1.1.6.1.23
|
||
pcimKeywords A 1.3.6.1.1.6.2.3
|
||
pcimGroupName A 1.3.6.1.1.6.2.4
|
||
pcimRuleName A 1.3.6.1.1.6.2.5
|
||
pcimRuleEnabled A 1.3.6.1.1.6.2.6
|
||
pcimRuleConditionListType A 1.3.6.1.1.6.2.7
|
||
pcimRuleConditionList A 1.3.6.1.1.6.2.8
|
||
pcimRuleActionList A 1.3.6.1.1.6.2.9
|
||
pcimRuleValidityPeriodList A 1.3.6.1.1.6.2.10
|
||
pcimRuleUsage A 1.3.6.1.1.6.2.11
|
||
pcimRulePriority A 1.3.6.1.1.6.2.12
|
||
pcimRuleMandatory A 1.3.6.1.1.6.2.13
|
||
pcimRuleSequencedActions A 1.3.6.1.1.6.2.14
|
||
pcimRoles A 1.3.6.1.1.6.2.15
|
||
pcimConditionGroupNumber A 1.3.6.1.1.6.2.16
|
||
|
||
|
||
|
||
Strassner, et al. Standards Track [Page 54]
|
||
|
||
RFC 3703 Policy Core LDAP Schema February 2004
|
||
|
||
|
||
NAME Type OID
|
||
-------------- ---- ------------
|
||
pcimConditionNegated A 1.3.6.1.1.6.2.17
|
||
pcimConditionName A 1.3.6.1.1.6.2.18
|
||
pcimConditionDN A 1.3.6.1.1.6.2.19
|
||
pcimValidityConditionName A 1.3.6.1.1.6.2.20
|
||
pcimTimePeriodConditionDN A 1.3.6.1.1.6.2.21
|
||
pcimActionName A 1.3.6.1.1.6.2.22
|
||
pcimActionOrder A 1.3.6.1.1.6.2.23
|
||
pcimActionDN A 1.3.6.1.1.6.2.24
|
||
pcimTPCTime A 1.3.6.1.1.6.2.25
|
||
pcimTPCMonthOfYearMask A 1.3.6.1.1.6.2.26
|
||
pcimTPCDayOfMonthMask A 1.3.6.1.1.6.2.27
|
||
pcimTPCDayOfWeekMask A 1.3.6.1.1.6.2.28
|
||
pcimTPCTimeOfDayMask A 1.3.6.1.1.6.2.29
|
||
pcimTPCLocalOrUtcTime A 1.3.6.1.1.6.2.30
|
||
pcimVendorConstraintData A 1.3.6.1.1.6.2.31
|
||
pcimVendorConstraintEncoding A 1.3.6.1.1.6.2.32
|
||
pcimVendorActionData A 1.3.6.1.1.6.2.33
|
||
pcimVendorActionEncoding A 1.3.6.1.1.6.2.34
|
||
pcimPolicyInstanceName A 1.3.6.1.1.6.2.35
|
||
pcimRepositoryName A 1.3.6.1.1.6.2.36
|
||
pcimSubtreesAuxContainedSet A 1.3.6.1.1.6.2.37
|
||
pcimGroupsAuxContainedSet A 1.3.6.1.1.6.2.38
|
||
pcimRulesAuxContainedSet A 1.3.6.1.1.6.2.39
|
||
|
||
where Type A is Attribute, Type O is ObjectClass
|
||
|
||
These assignments are recorded in the following registry:
|
||
|
||
http://www.iana.org/assignments/ldap-parameters
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
Strassner, et al. Standards Track [Page 55]
|
||
|
||
RFC 3703 Policy Core LDAP Schema February 2004
|
||
|
||
|
||
9. Acknowledgments
|
||
|
||
We would like to thank Kurt Zeilenga, Roland Hedburg, and Steven Legg
|
||
for doing a review of this document and making many helpful
|
||
suggestions and corrections.
|
||
|
||
Several of the policy classes in this model first appeared in early
|
||
IETF drafts on IPsec policy and QoS policy. The authors of these
|
||
drafts were Partha Bhattacharya, Rob Adams, William Dixon, Roy
|
||
Pereira, Raju Rajan, Jean-Christophe Martin, Sanjay Kamat, Michael
|
||
See, Rajiv Chaudhury, Dinesh Verma, George Powers, and Raj Yavatkar.
|
||
|
||
This document is closely aligned with the work being done in the
|
||
Distributed Management Task Force (DMTF) Policy and Networks working
|
||
groups. We would especially like to thank Lee Rafalow, Glenn Waters,
|
||
David Black, Michael Richardson, Mark Stevens, David Jones, Hugh
|
||
Mahon, Yoram Snir, and Yoram Ramberg for their helpful comments.
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
Strassner, et al. Standards Track [Page 56]
|
||
|
||
RFC 3703 Policy Core LDAP Schema February 2004
|
||
|
||
|
||
10. Appendix: Constructing the Value of orderedCIMKeys
|
||
|
||
This appendix is non-normative, and is included in this document as a
|
||
guide to implementers that wish to exchange information between CIM
|
||
schemata and LDAP schemata.
|
||
|
||
Within a CIM name space, the naming is basically flat; all instances
|
||
are identified by the values of their key properties, and each
|
||
combination of key values must be unique. A limited form of
|
||
hierarchical naming is available in CIM, however, by using weak
|
||
associations: since a weak association involves propagation of key
|
||
properties and their values from the superior object to the
|
||
subordinate one, the subordinate object can be thought of as being
|
||
named "under" the superior object. Once they have been propagated,
|
||
however, propagated key properties and their values function in
|
||
exactly the same way that native key properties and their values do
|
||
in identifying a CIM instance.
|
||
|
||
The CIM mapping document [6] introduces a special attribute,
|
||
orderedCIMKeys, to help map from the CIM_ManagedElement class to the
|
||
LDAP class dlm1ManagedElement. This attribute SHOULD only be used in
|
||
an environment where it is necessary to map between an
|
||
LDAP-accessible directory and a CIM repository. For an LDAP
|
||
environment, other LDAP naming attributes are defined (i.e., cn and a
|
||
class-specific naming attribute) that SHOULD be used instead.
|
||
|
||
The role of orderedCIMKeys is to represent the information necessary
|
||
to correlate an entry in an LDAP-accessible directory with an
|
||
instance in a CIM name space. Depending on how naming of CIM-related
|
||
entries is handled in an LDAP directory, the value of orderedCIMKeys
|
||
represents one of two things:
|
||
|
||
- If the DIT hierarchy does not mirror the "weakness hierarchy" of
|
||
the CIM name space, then orderedCIMKeys represents all the
|
||
keys of the CIM instance, both native and propagated.
|
||
- If the DIT hierarchy does mirror the "weakness hierarchy" of the
|
||
CIM name space, then orderedCIMKeys may represent either all the
|
||
keys of the instance, or only the native keys.
|
||
|
||
Regardless of which of these alternatives is taken, the syntax of
|
||
orderedCIMKeys is the same - a DirectoryString of the form
|
||
|
||
<className>.<key>=<value>[,<key>=<value>]*
|
||
|
||
where the <key>=<value> elements are ordered by the names of the key
|
||
properties, according to the collating sequence for US ASCII. The
|
||
only spaces allowed in the DirectoryString are those that fall within
|
||
a <value> element. As with alphabetizing the key properties, the
|
||
|
||
|
||
|
||
Strassner, et al. Standards Track [Page 57]
|
||
|
||
RFC 3703 Policy Core LDAP Schema February 2004
|
||
|
||
|
||
goal of suppressing the spaces is once again to make the results of
|
||
string operations predictable.
|
||
|
||
The values of the <value> elements are derived from the various CIM
|
||
syntaxes according to a grammar specified in [5].
|
||
|
||
11. References
|
||
|
||
11.1. Normative References
|
||
|
||
[1] Moore, B., Ellesson,E., Strassner, J. and A. Westerinen "Policy
|
||
Core Information Model -- Version 1 Specification", RFC 3060,
|
||
February 2001.
|
||
|
||
[2] Hodges, J. and R. Morgan, "Lightweight Directory Access
|
||
Protocol (v3): Technical Specification", RFC 3377, September
|
||
2002.
|
||
|
||
[3] Wahl, M., Coulbeck, A., Howes,T. and S. Kille, "Lightweight
|
||
Directory Access Protocol (v3): Attribute Syntax Definitions",
|
||
RFC 2252, December 1997.
|
||
|
||
[4] The Directory: Models. ITU-T Recommendation X.501, 2001.
|
||
|
||
[5] Distributed Management Task Force, Inc., "Common Information
|
||
Model (CIM) Specification", Version 2.2, June 14, 1999. This
|
||
document is available on the following DMTF web page:
|
||
http://www.dmtf.org/standards/documents/CIM/DSP0004.pdf
|
||
|
||
[6] Distributed Management Task Force, Inc., "DMTF LDAP Schema for
|
||
the CIM v2.5 Core Information Model", April 15, 2002. This
|
||
document is available on the following DMTF web page:
|
||
http://www.dmtf.org/standards/documents/DEN/DSP0123.pdf
|
||
|
||
[7] Wahl, M., "A Summary of the X.500(96) User Schema for use with
|
||
LDAPv3", RFC 2256, December 1997.
|
||
|
||
[8] The Directory: Selected Attribute Types. ITU-T Recommendation
|
||
X.520, 2001.
|
||
|
||
[9] Zeilenga, K., Ed., "Lightweight Directory Access Protocol
|
||
(LDAP): Additional Matching Rules", RFC 3698, February 2004.
|
||
|
||
[10] Bradner, S., "Key words for use in RFCs to Indicate Requirement
|
||
Levels", BCP 14, RFC 2119, March 1997.
|
||
|
||
|
||
|
||
|
||
|
||
|
||
Strassner, et al. Standards Track [Page 58]
|
||
|
||
RFC 3703 Policy Core LDAP Schema February 2004
|
||
|
||
|
||
11.2. Informative References
|
||
|
||
[11] Hovey, R. and S. Bradner, "The Organizations Involved in the
|
||
IETF Standards Process", BCP 11, RFC 2028, October 1996.
|
||
|
||
[12] Strassner, J., policy architecture BOF presentation, 42nd IETF
|
||
Meeting, Chicago, Illinois, October 1998. Minutes of this BOF
|
||
are available at the following location:
|
||
http://www.ietf.org/proceedings/98aug/index.html.
|
||
|
||
[13] Yavatkar, R., Guerin, R. and D. Pendarakis, "A Framework for
|
||
Policy-based Admission Control", RFC 2753, January 2000.
|
||
|
||
[14] Wahl, M., Alvestrand, H., Hodges, J. and R. Morgan,
|
||
"Authentication Methods for LDAP", RFC 2829, May 2000
|
||
|
||
[15] Hodges, J., Morgan, R. and M. Wahl, "Lightweight Directory
|
||
Access Protocol (v3): Extension for Transport Layer Security",
|
||
RFC 2830, May 2000.
|
||
|
||
[16] Zeilenga, K., "Internet Assigned Numbers Authority (IANA)
|
||
Considerations for the Lightweight Directory Access Protocol
|
||
(LDAP)", BCP 64, RFC 3383, September 2002.
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
Strassner, et al. Standards Track [Page 59]
|
||
|
||
RFC 3703 Policy Core LDAP Schema February 2004
|
||
|
||
|
||
12. Authors' Addresses
|
||
|
||
John Strassner
|
||
Intelliden Corporation
|
||
90 South Cascade Avenue
|
||
Colorado Springs, CO 80903
|
||
|
||
Phone: +1.719.785.0648
|
||
Fax: +1.719.785.0644
|
||
EMail: john.strassner@intelliden.com
|
||
|
||
|
||
Bob Moore
|
||
IBM Corporation
|
||
P. O. Box 12195, BRQA/B501/G206
|
||
3039 Cornwallis Rd.
|
||
Research Triangle Park, NC 27709-2195
|
||
|
||
Phone: +1 919-254-4436
|
||
Fax: +1 919-254-6243
|
||
EMail: remoore@us.ibm.com
|
||
|
||
|
||
Ryan Moats
|
||
Lemur Networks, Inc.
|
||
15621 Drexel Circle
|
||
Omaha, NE 68135
|
||
|
||
Phone: +1-402-894-9456
|
||
EMail: rmoats@lemurnetworks.net
|
||
|
||
|
||
Ed Ellesson
|
||
3026 Carriage Trail
|
||
Hillsborough, NC 27278
|
||
|
||
Phone: +1 919-644-3977
|
||
EMail: ellesson@mindspring.com
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
Strassner, et al. Standards Track [Page 60]
|
||
|
||
RFC 3703 Policy Core LDAP Schema February 2004
|
||
|
||
|
||
13. Full Copyright Statement
|
||
|
||
Copyright (C) The Internet Society (2004). This document is subject
|
||
to the rights, licenses and restrictions contained in BCP 78 and
|
||
except as set forth therein, the authors retain all their rights.
|
||
|
||
This document and the information contained herein are provided on an
|
||
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE
|
||
REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE
|
||
INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR
|
||
IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
|
||
THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
|
||
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
|
||
|
||
Intellectual Property
|
||
|
||
The IETF takes no position regarding the validity or scope of any
|
||
Intellectual Property Rights or other rights that might be claimed
|
||
to pertain to the implementation or use of the technology
|
||
described in this document or the extent to which any license
|
||
under such rights might or might not be available; nor does it
|
||
represent that it has made any independent effort to identify any
|
||
such rights. Information on the procedures with respect to
|
||
rights in RFC documents can be found in BCP 78 and BCP 79.
|
||
|
||
Copies of IPR disclosures made to the IETF Secretariat and any
|
||
assurances of licenses to be made available, or the result of an
|
||
attempt made to obtain a general license or permission for the use
|
||
of such proprietary rights by implementers or users of this
|
||
specification can be obtained from the IETF on-line IPR repository
|
||
at http://www.ietf.org/ipr.
|
||
|
||
The IETF invites any interested party to bring to its attention
|
||
any copyrights, patents or patent applications, or other
|
||
proprietary rights that may cover technology that may be required
|
||
to implement this standard. Please address the information to the
|
||
IETF at ietf-ipr@ietf.org.
|
||
|
||
Acknowledgement
|
||
|
||
Funding for the RFC Editor function is currently provided by the
|
||
Internet Society.
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
Strassner, et al. Standards Track [Page 61]
|
||
|