mirror of
https://git.openldap.org/openldap/openldap.git
synced 2024-12-21 03:10:25 +08:00
633 lines
22 KiB
Plaintext
633 lines
22 KiB
Plaintext
|
||
Internet-Draft E. Stokes
|
||
LDAP Extensions WG D. Byrne
|
||
Intended Category: Informational IBM
|
||
Expires: 25 December 1999 B. Blakley
|
||
Dascom
|
||
P. Behera
|
||
Netscape
|
||
25 June 1999
|
||
|
||
Access Control Requirements for LDAP
|
||
<draft-ietf-ldapext-acl-reqts-02.txt>
|
||
|
||
STATUS OF THIS MEMO
|
||
|
||
This document is an Internet-Draft and is in full
|
||
conformance with all provisions of Section 10 of RFC2026.
|
||
|
||
Internet-Drafts are working documents of the Internet
|
||
Engineering Task Force (IETF), its areas, and its working
|
||
groups. Note that other groups may also distribute
|
||
working documents as Internet-Drafts. Internet-Drafts are
|
||
draft documents valid for a maximum of six months and may
|
||
be updated, replaced, or obsoleted by other documents at
|
||
any time. It is inappropriate to use Internet- Drafts as
|
||
reference material or to cite them other than as "work in
|
||
progress."
|
||
|
||
The list of current Internet-Drafts can be accessed at
|
||
http://www.ietf.org/ietf/1id-abstracts.txt
|
||
|
||
The list of Internet-Draft Shadow Directories can be
|
||
accessed at http://www.ietf.org/shadow.html.
|
||
|
||
Comments and suggestions on this document are encouraged.
|
||
Comments on this document should be sent to the LDAPEXT
|
||
working group discussion list:
|
||
|
||
ietf-ldapext@netscape.com
|
||
|
||
COPYRIGHT NOTICE
|
||
Copyright (C) The Internet Society (1997). All Rights
|
||
Reserved.
|
||
|
||
|
||
|
||
|
||
|
||
|
||
Stokes, etal Expires 25 December 1999 [Page 1]
|
||
|
||
|
||
|
||
|
||
|
||
Internet-Draft ACI Requirements 25 June 1999
|
||
|
||
|
||
|
||
ABSTRACT
|
||
|
||
This document describes the fundamental requirements of
|
||
an access control list (ACL) model for the Lightweight
|
||
Directory Application Protocol (LDAP) directory service.
|
||
It is intended to be a gathering place for access control
|
||
requirements needed to provide authorized access to and
|
||
interoperability between directories. The RFC 2119
|
||
terminology is used in this document.
|
||
|
||
|
||
|
||
1. Introduction
|
||
|
||
The ability to securely access (replicate and distribute)
|
||
directory information throughout the network is necessary
|
||
for successful deployment. LDAP's acceptance as an
|
||
access protocol for directory information is driving the
|
||
need to provide an access control model definition for
|
||
LDAP directory content among servers within an enterprise
|
||
and the Internet. Currently LDAP does not define an
|
||
access control model, but is needed to ensure consistent
|
||
secure access across heterogeneous LDAP implementations.
|
||
The requirements for access control are critical to the
|
||
successful deployment and acceptance of LDAP in the
|
||
market place.
|
||
|
||
The RFC 2119 terminology is used in this document.
|
||
|
||
|
||
2. Objectives
|
||
|
||
The major objective is to provide a simple, but secure,
|
||
highly efficient access control model for LDAP while also
|
||
providing the appropriate flexibility to meet the needs
|
||
of both the Internet and enterprise environments and
|
||
policies.
|
||
|
||
This generally leads to several general requirements that
|
||
are discussed below.
|
||
|
||
|
||
3. Requirements
|
||
|
||
This section is divided into several areas of
|
||
|
||
|
||
|
||
Stokes, etal Expires 25 December 1999 [Page 2]
|
||
|
||
|
||
|
||
|
||
|
||
Internet-Draft ACI Requirements 25 June 1999
|
||
|
||
|
||
|
||
requirements: general, semantics/policy, usability, and
|
||
nested groups (an unresolved issue). The requirements
|
||
are not in any priority order. Examples and explanatory
|
||
text is provided where deemed necessary. Usability is
|
||
perhaps the one set of requirements that is generally
|
||
overlooked, but must be addressed to provide a secure
|
||
system. Usability is a security issue, not just a nice
|
||
design goal and requirement. If it is impossible to set
|
||
and manage a policy for a secure situation that a human
|
||
can understand, then what was set up will probably be
|
||
non-secure. We all need to think of usability as a
|
||
functional security requirement.
|
||
|
||
3.1 General
|
||
|
||
G1. Model SHOULD be general enough to support
|
||
extensibility to add desirable features in the future.
|
||
|
||
G2. When in doubt, safer is better, especially when
|
||
establishing defaults.
|
||
|
||
G3. ACL administration SHOULD be part of the LDAP
|
||
protocol. Access control information MUST be an LDAP
|
||
attribute.
|
||
|
||
G4. Object reuse protection SHOULD be provided and MUST
|
||
NOT inhibit implementation of object reuse. The directory
|
||
SHOULD support policy controlling the re-creation of
|
||
deleted DNs, particularly in cases where they are re-
|
||
created for the purpose of assigning them to a subject
|
||
other than the owner of the deleted DN.
|
||
|
||
3.2 Semantics / Policy
|
||
|
||
S1. Omitted as redundant; see U8.
|
||
|
||
S2. More specific policies must override less specific
|
||
ones (e.g. individual user entry in ACL SHOULD take
|
||
precedence over group entry) for the evaluation of an
|
||
ACL.
|
||
|
||
S3. Multiple policies of equal specificity SHOULD be
|
||
combined in some easily-understood way (e.g. union or
|
||
intersection). This is best understood by example.
|
||
Suppose user A belongs to 3 groups and those 3 groups are
|
||
|
||
|
||
|
||
Stokes, etal Expires 25 December 1999 [Page 3]
|
||
|
||
|
||
|
||
|
||
|
||
Internet-Draft ACI Requirements 25 June 1999
|
||
|
||
|
||
|
||
listed on the ACL. Also suppose that the permissions for
|
||
each of those groups are not identical. Each group is of
|
||
equal specificity (e.g. each group is listed on the ACL)
|
||
and the policy for granting user A access (given the
|
||
example) SHOULD be combined in some easily understood
|
||
way, such as by intersection or union. For example, an
|
||
intersection policy here may yield a more limited access
|
||
for user A than a union policy.
|
||
|
||
S4. Newly created directory entries SHOULD be subject to
|
||
a secure default policy.
|
||
|
||
S5. Access policy SHOULD NOT be expressed in terms of
|
||
attributes which the directory administrator or his
|
||
organization cannot administer (e.g. groups whose
|
||
membership is administered by another organization).
|
||
|
||
S6. Access policy SHOULD NOT be expressed in terms of
|
||
attributes which are easily forged (e.g. IP addresses).
|
||
There may be valid reasons for enabling access based on
|
||
attributes that are easily forged and the
|
||
behavior/implications of doing that should be documented.
|
||
|
||
S7. Humans (including administrators) SHOULD NOT be
|
||
required to manage access policy on the basis of
|
||
attributes which are not "human-readable" (e.g. IP
|
||
addresses).
|
||
|
||
S8. It MUST be possible to deny a subject the right to
|
||
invoke a directory operation. The system SHOULD NOT
|
||
require a specific implementation of denial (e.g.
|
||
explicit denial, implicit denial).
|
||
|
||
S9. The system MUST be able (semantically) to support
|
||
either default-grant or default-deny semantics (not
|
||
simultaneously).
|
||
|
||
S10. The system MUST be able to support either union
|
||
semantics or intersection semantics for aggregate
|
||
subjects (not simultaneously).
|
||
|
||
S11. Absence of policy SHOULD be interpretable as grant
|
||
or deny. Deny takes precedence over grant among entries
|
||
of equal specificity.
|
||
|
||
|
||
|
||
|
||
Stokes, etal Expires 25 December 1999 [Page 4]
|
||
|
||
|
||
|
||
|
||
|
||
Internet-Draft ACI Requirements 25 June 1999
|
||
|
||
|
||
|
||
S12. ACL policy resolution MUST NOT depend on the order
|
||
of entries in the ACL.
|
||
|
||
S13. Rights management MUST have no side effects.
|
||
Granting a subject one right to an object MUST NOT
|
||
implicitly grant the same or any other subject a
|
||
different right to the same object. Granting a privilege
|
||
attribute to one subject MUST NOT implicitly grant the
|
||
same privilege attribute to any other subject. Granting
|
||
a privilege attribute to one subject MUST NOT implicitly
|
||
grant a different privilege attribute to the same or any
|
||
other subject. Definition: An ACL's "scope" is defined
|
||
as the set of directory objects governed by the policy it
|
||
defines; this set of objects is a sub-tree of the
|
||
directory. Changing the policy asserted by an ACL (by
|
||
changing one or more of its entries) MUST NOT implicitly
|
||
change the policy governed by an ACL in a different
|
||
scope.
|
||
|
||
S14. It SHOULD be possible to apply a single policy to
|
||
multiple directory entries, even if those entries are in
|
||
different subtrees. Applying a single policy to multiple
|
||
directory entries SHOULD NOT require creation and storage
|
||
of multiple copies of the policy data. The system SHOULD
|
||
NOT require a specific implementation (e.g. nested
|
||
groups, named ACLs) of support for policy sharing.
|
||
|
||
3.3 Usability (Manageability)
|
||
|
||
U1. When in doubt, simpler is better, both at the
|
||
interface and in the implementation.
|
||
|
||
U2. Subjects MUST be drawn from the "natural" LDAP
|
||
namespace; they should be DNs.
|
||
|
||
U3. It SHOULD NOT be possible via ACL administration to
|
||
lock all users, including all administrators, out of the
|
||
directory.
|
||
|
||
U4. Administrators SHOULD NOT be required to evaluate
|
||
arbitrary Boolean predicates in order to create or
|
||
understand policy.
|
||
|
||
U5. Administrators SHOULD be able to administer access
|
||
to directories and their attributes based on their
|
||
|
||
|
||
|
||
Stokes, etal Expires 25 December 1999 [Page 5]
|
||
|
||
|
||
|
||
|
||
|
||
Internet-Draft ACI Requirements 25 June 1999
|
||
|
||
|
||
|
||
sensitivity, without having to understand the semantics
|
||
of individual schema elements and their attributes (see
|
||
U9).
|
||
|
||
U6. Management of access to resources in an entire
|
||
subtree SHOULD require only one ACL (at the subtree
|
||
root). Note that this makes access control based
|
||
explicitly on attribute types very hard, unless you
|
||
constrain the types of entries in subtrees. For example,
|
||
another attribute is added to an entry. That attribute
|
||
may fall outside the grouping covered by the ACL and
|
||
hence require additional administration where the desired
|
||
affect is indeed a different ACL. Access control
|
||
information specified in one administrative area MUST NOT
|
||
have jurisdiction in another area. You SHOULD NOT be
|
||
able to control access to the aliased entry in the alias.
|
||
You SHOULD be able to control access to the alias name.
|
||
|
||
U7. Override of subtree policy MUST be supported on a
|
||
per-directory-entry basis.
|
||
|
||
U8. Control of access to individual directory entry
|
||
attributes (not just the whole directory entry) MUST be
|
||
supported.
|
||
|
||
U9. Administrator MUST be able to coarsen access policy
|
||
granularity by grouping attributes with similar access
|
||
sensitivities.
|
||
|
||
U10. Control of access on a per-user granularity MUST be
|
||
supported.
|
||
|
||
U11. Administrator MUST be able to aggregate users (for
|
||
example, by assigning them to groups or roles) to
|
||
simplify administration.
|
||
|
||
U12. It MUST be possible to review "effective access" of
|
||
any user, group, or role to any entry's attributes. This
|
||
aids the administrator in setting the correct policy.
|
||
|
||
U13. A single administrator SHOULD be able to define
|
||
policy for the entire directory tree. An administrator
|
||
MUST be able to delegate policy administration for
|
||
specific subtrees to other users. This allows for the
|
||
partitioning of the entire directory tree for policy
|
||
|
||
|
||
|
||
Stokes, etal Expires 25 December 1999 [Page 6]
|
||
|
||
|
||
|
||
|
||
|
||
Internet-Draft ACI Requirements 25 June 1999
|
||
|
||
|
||
|
||
administration, but still allows a single policy to be
|
||
defined for the entire tree independent of partitioning.
|
||
(Partition in this context means scope of
|
||
administration). An administrator MUST be able to create
|
||
new partitions at any point in the directory tree, and
|
||
MUST be able to merge a superior and subordinate
|
||
partition. An administrator MUST be able to configure
|
||
whether delegated access control information from
|
||
superior partitions is to be accepted or not.
|
||
|
||
U14. It MUST be possible to authorize users to traverse
|
||
directory structure even if they are not authorized to
|
||
examine or modify some traversed entries; it MUST also be
|
||
possible to prohibit this. The tree structure MUST be
|
||
able to be protected from view if so desired by the
|
||
administrator.
|
||
|
||
U15. It MUST be possible to create publicly readable
|
||
entries, which may be read even by unauthenticated
|
||
clients.
|
||
|
||
U16. The model for combining multiple access control
|
||
list entries referring to a single individual MUST be
|
||
easy to understand.
|
||
|
||
U17. Administrator MUST be able to determine where
|
||
inherited policy information comes from, that is, where
|
||
ACLs are located and which ACLs were applied. Where
|
||
inheritance of ACLs is applied, it must be able to be
|
||
shown how/where that new ACL is derived from.
|
||
|
||
U18. It SHOULD be possible for the administrator to
|
||
configure the access control system to permit users to
|
||
grant additional access control rights for entries which
|
||
they create.
|
||
|
||
|
||
4. Security Considerations
|
||
|
||
Access control is a security consideration. This
|
||
documents addresses the requirements.
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
Stokes, etal Expires 25 December 1999 [Page 7]
|
||
|
||
|
||
|
||
|
||
|
||
Internet-Draft ACI Requirements 25 June 1999
|
||
|
||
|
||
|
||
5. Glossary
|
||
|
||
This glossary is intended to aid the novice not versed in
|
||
depth about access control. It contains a list [2] of
|
||
terms and their definitions that are commonly used in
|
||
discussing access control.
|
||
|
||
Access control - The prevention of use of a resource by
|
||
unidentified and/or unauthorized entities in any other
|
||
that an authorized manner.
|
||
|
||
Access control list - A set of control attributes. It is
|
||
a list, associated with a security object or a group of
|
||
security objects. The list contains the names of
|
||
security subjects and the type of access that may be
|
||
granted.
|
||
|
||
Access control policy - A set of rules, part of a
|
||
security policy, by which human users, or their
|
||
representatives, are authenticated and by which access by
|
||
these users to applications and other services and
|
||
security objects is granted or denied.
|
||
|
||
Access context - The context, in terms of such variables
|
||
as location, time of day, level of security of the
|
||
underlying associations, etc., in which an access to a
|
||
security object is made.
|
||
|
||
Authorization - The granting of access to a security
|
||
object.
|
||
|
||
Authorization policy - A set of rules, part of an access
|
||
control policy, by which access by security subjects to
|
||
security objects is granted or denied. An authorization
|
||
policy may be defined in terms of access control lists,
|
||
capabilities, or attributes assigned to security
|
||
subjects, security objects, or both.
|
||
|
||
Control attributes - Attributes, associated with a
|
||
security object that, when matched against the privilege
|
||
attributes of a security subject, are used to grant or
|
||
deny access to the security object. An access control
|
||
list or list of rights or time of day range are examples
|
||
of control attributes.
|
||
|
||
|
||
|
||
|
||
Stokes, etal Expires 25 December 1999 [Page 8]
|
||
|
||
|
||
|
||
|
||
|
||
Internet-Draft ACI Requirements 25 June 1999
|
||
|
||
|
||
|
||
Credentials - Data that serve to establish the claimed
|
||
identity of a security subject relative to a given
|
||
security domain.
|
||
|
||
Privilege attributes - Attributes, associated with a
|
||
security subject that, when matched against control
|
||
attributes of a security object, are used to grant or
|
||
deny access to that subject. Group and role memberships
|
||
are examples of privilege attributes.
|
||
|
||
Security attributes - A general term covering both
|
||
privilege attributes and control attributes. The use of
|
||
security attributes is defined by a security policy.
|
||
|
||
Security object - An entity in a passive role to which a
|
||
security policy applies.
|
||
|
||
Security policy - A general term covering both access
|
||
control policies and authorization policies.
|
||
|
||
Security subject - An entity in an active role to which a
|
||
security policy applies.
|
||
|
||
|
||
6. References
|
||
|
||
[1] Steve Kille, Tim Howes, M. Wahl, "Lightweight
|
||
Directory Access Protocol (v3)", RFC 2251, August 1997.
|
||
|
||
[2] ECMA, "Security in Open Systems: A Security
|
||
Framework" ECMA TR/46, July 1988
|
||
|
||
|
||
AUTHOR(S) ADDRESS
|
||
|
||
Bob Blakley Ellen Stokes
|
||
Dascom IBM
|
||
5515 Balcones Drive 11400 Burnet Rd
|
||
Austin, TX 78731 Austin, TX 78758
|
||
USA USA
|
||
mail-to: blakley@dascom.com mail-to: stokes@austin.ibm.com
|
||
phone: +1 512 458 4037 ext 5012 phone: +1 512 838 3725
|
||
fax: +1 512 458 2377 fax: +1 512 838 0156
|
||
|
||
|
||
|
||
|
||
|
||
Stokes, etal Expires 25 December 1999 [Page 9]
|
||
|
||
|
||
|
||
|
||
|
||
Internet-Draft ACI Requirements 25 June 1999
|
||
|
||
|
||
|
||
Debbie Byrne Prasanta Behera
|
||
IBM Netscape
|
||
11400 Burnet Rd 501 Ellis Street
|
||
Austin, TX 78758 Mountain View, CA 94043
|
||
USA USA
|
||
mail-to: djbyrne@us.ibm.com mail-to: prasanta@netscape.com
|
||
phone: +1 512 838 1930 phone: +1 650 937 4948
|
||
fax: +1 512 838 8597 fax: +1 650 528-4164
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
Stokes, etal Expires 25 December 1999 [Page 10]
|
||
|
||
|
||
|
||
|
||
|
||
Internet-Draft ACI Requirements 25 June 1999
|
||
|
||
|
||
|
||
7. Full Copyright Statement
|
||
|
||
Copyright (C) The Internet Society (1999).<2E> All Rights
|
||
Reserved.
|
||
|
||
This document and translations of it may be copied and
|
||
furnished to others, and derivative works that comment on or
|
||
otherwise explain it or assist in its implementation may be
|
||
prepared, copied, published and distributed, in whole or in
|
||
part, without restriction of any kind, provided that the
|
||
above copyright notice and this paragraph are included on
|
||
all such copies and derivative works.<2E> However, this
|
||
document itself may not be modified in any way, such as by
|
||
removing the copyright notice or references to the Internet
|
||
Society or other Internet organizations, except as needed
|
||
for the purpose of developing Internet standards in which
|
||
case the procedures for copyrights defined in the Internet
|
||
Standards process must be followed, or as required to
|
||
translate it into languages other than English.
|
||
|
||
The limited permissions granted above are perpetual and will
|
||
not be revoked by the Internet Society or its successors or
|
||
assigns.
|
||
|
||
This document and the information contained herein is
|
||
provided on an "AS IS" basis and THE INTERNET SOCIETY AND
|
||
THE INTERNET ENGINEERING TASK FORCE DISCLAIMS ALL
|
||
WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO
|
||
ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT
|
||
INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
|
||
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
Stokes, etal Expires 25 December 1999 [Page 11]
|
||
|
||
|