mirror/openldap
2
0
Fork 0
mirror of https://git.openldap.org/openldap/openldap.git synced 2024-12-15 03:01:09 +08:00
Code Issues Packages Projects Releases Wiki Activity
a3c49b8709
openldap/doc/drafts/draft-haripriya-dynamicgroup-xx.txt
Howard Chu a06e846d72 dyngroup-02
2007-08-26 11:22:44 +00:00

1401 lines
36 KiB
Plaintext
Raw Blame History

This file contains invisible Unicode characters

This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

Network Working Group S. Haripriya
Internet-Draft Jaimon. Jose, Ed.
Updates: 02 (if approved) Jim. Sermersheim
Intended status: Standards Track Novell, Inc.
Expires: July 9, 2007 January 5, 2007
LDAP: Dynamic Groups for LDAPv3
draft-haripriya-dynamicgroup-02
Status of this Memo
By submitting this Internet-Draft, each author represents that any
applicable patent or other IPR claims of which he or she is aware
have been or will be disclosed, and any of which he or she becomes
aware will be disclosed, in accordance with Section 6 of BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet-
Drafts.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.
This Internet-Draft will expire on July 9, 2007.
Copyright Notice
Copyright (C) The Internet Society (2007).
Haripriya, et al. Expires July 9, 2007 [Page 1]
Internet-Draft LDAP: Dynamic Groups for LDAPv3 January 2007
Abstract
This document describes the requirements, semantics, schema elements,
and operations needed for a dynamic group feature in LDAP. A dynamic
group is defined here as a group object with a membership list of
distinguished names that is dynamically generated using LDAP search
criteria. The dynamic membership list may then be interrogated by
LDAP search and compare operations, and may also be used to find the
groups that an object is a member of. This feature eliminates a huge
amount of the administrative effort required today for maintaining
group memberships and role-based operations in large enterprises.
Table of Contents
1. Conventions used in this document . . . . . . . . . . . . . . 4
2. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 5
3. Requirements of a dynamic group feature . . . . . . . . . . . 6
4. Schema and Semantic Definitions for Dynamic Groups . . . . . . 7
4.1. Object Classes . . . . . . . . . . . . . . . . . . . . . . 7
4.1.1. dynamicGroup . . . . . . . . . . . . . . . . . . . . . 7
4.1.2. dynamicGroupOfUniqueNames . . . . . . . . . . . . . . 7
4.1.3. dynamicGroupAux . . . . . . . . . . . . . . . . . . . 7
4.1.4. dynamicGroupOfUniqueNamesAux . . . . . . . . . . . . . 7
4.2. Attributes . . . . . . . . . . . . . . . . . . . . . . . . 8
4.2.1. memberQueryURL . . . . . . . . . . . . . . . . . . . . 8
4.2.2. excludedMember . . . . . . . . . . . . . . . . . . . . 11
4.3. member . . . . . . . . . . . . . . . . . . . . . . . . . . 11
4.4. uniqueMember . . . . . . . . . . . . . . . . . . . . . . . 11
4.5. dgIdentity . . . . . . . . . . . . . . . . . . . . . . . . 11
4.5.1. dgIdentity - Security implications . . . . . . . . . . 12
5. Advertisement of support for dynamic groups . . . . . . . . . 13
6. Dynamic Group Operations . . . . . . . . . . . . . . . . . . . 14
6.1. Existing Operations . . . . . . . . . . . . . . . . . . . 14
6.1.1. Access to resources in the directory . . . . . . . . . 14
6.1.2. Reading a dynamic group object . . . . . . . . . . . . 14
6.1.3. 'Is Member Of' functionality . . . . . . . . . . . . . 15
6.2. New Extensions . . . . . . . . . . . . . . . . . . . . . . 16
6.2.1. Managing the static members of a dynamic group . . . . 16
7. Performance Considerations . . . . . . . . . . . . . . . . . . 17
7.1. Caching of Dynamic Members . . . . . . . . . . . . . . . . 17
8. Security Considerations . . . . . . . . . . . . . . . . . . . 18
9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 19
10. Conclusions . . . . . . . . . . . . . . . . . . . . . . . . . 20
11. Normative References . . . . . . . . . . . . . . . . . . . . . 21
Appendix A. Example Values for memberQueryURL . . . . . . . . . . 22
Appendix B. Acknowledgments . . . . . . . . . . . . . . . . . . . 23
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 24
Haripriya, et al. Expires July 9, 2007 [Page 2]
Internet-Draft LDAP: Dynamic Groups for LDAPv3 January 2007
Intellectual Property and Copyright Statements . . . . . . . . . . 25
Haripriya, et al. Expires July 9, 2007 [Page 3]
Internet-Draft LDAP: Dynamic Groups for LDAPv3 January 2007
1. Conventions used in this document
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [1].
Haripriya, et al. Expires July 9, 2007 [Page 4]
Internet-Draft LDAP: Dynamic Groups for LDAPv3 January 2007
2. Introduction
The LDAP schema described in [4] defines two object classes:
'groupOfNames', and 'groupOfUniqueNames', that hold a static list of
distinguished names in their 'member' or 'uniqueMember' attributes
respectively, and are typically used to describe a group of objects
for various functions. These grouping functions range from simple
group membership applications such as email distribution lists to
describing common authorization for a set of users The administration
and updating of these membership lists must be done by specifically
modifying the DN values in the member or uniqueMember attributes.
Thus, each time a change in membership happens, a process must exist
which adds or removes the particular entry's DN from the member
attribute. For example, consider an organization, where the access
to its facilities is controlled by membership in a directory group.
Assume that all employees in a department have been added to the
group that provides access to the required department facility. If
an employee moves from one department to another, the administrator
must remove the employee from one group and add him to another.
Similarly consider an organization that wants to provide access to
its facility, to both interns and employees on weekdays, but only to
employees on weekends. It would be effort-consuming to achieve this
with static groups.
"Dynamic groups" are like normal groups, but they let one specify
criteria to be used for evaluating membership to a group; the
membership of the group is determined dynamically by the directory
servers involved. This lets the group administrator define the
membership in terms of attributes, and let the DSAs worry about who
are the actual members. This solution is more scalable and reduces
administrative costs. This can also supplement static groups in LDAP
to provide flexibility to the user.
Haripriya, et al. Expires July 9, 2007 [Page 5]
Internet-Draft LDAP: Dynamic Groups for LDAPv3 January 2007
3. Requirements of a dynamic group feature
The following requirements SHOULD be met by a proposal for the
dynamic groups feature:
1. Creation and administration of dynamic groups should be done
using normal LDAP operations.
2. Applications must be able to use dynamic groups in the same way
that they are able to use static groups for listing members and
for membership evaluation.
3. Interrogation of a dynamic group's membership should be done
using normal LDAP operations, and should be consistent. This
means that all authorization identities with the same permission
to the membership attribute of a dynamic group (such as 'read')
should be presented with the same membership list.
Haripriya, et al. Expires July 9, 2007 [Page 6]
Internet-Draft LDAP: Dynamic Groups for LDAPv3 January 2007
4. Schema and Semantic Definitions for Dynamic Groups
The dynamic group classes are defined by the following schema
4.1. Object Classes
The following object classes MUST be supported, and their semantics
understood by the server, for it to support the dynamic groups
feature.
4.1.1. dynamicGroup
( <OID.TBD> NAME 'dynamicGroup' SUP groupOfNames STRUCTURAL MAY
(memberQueryURL $ excludedMember $ dgIdentity ))
This structural object class is used to create a dynamic group
object. It is derived from groupOfNames, which is defined in [4].
4.1.2. dynamicGroupOfUniqueNames
( <OID.TBD> NAME 'dynamicGroupOfUniqueNames' SUP groupOfUniqueNames
STRUCTURAL MAY (memberQueryURL $ excludedMember $ dgIdentity ))
This structural object class is used to create a dynamic group object
whose membership list is held in a uniqueMember attribute. It is
derived from groupOfUniqueNames, which is defined in [4].
4.1.3. dynamicGroupAux
( <OID.TBD> NAME 'dynamicGroupAux' SUP groupOfNames AUXILIARY MAY
(memberQueryURL $ excludedMember $ dgIdentity ))
This auxiliary object class is used to convert an existing object to
a dynamic group or to create an object of another object class but
with dynamic group capabilities. This is derived from groupOfNames
which is defined in [4].
4.1.4. dynamicGroupOfUniqueNamesAux
( <OID.TBD> NAME 'dynamicGroupOfUniqueNamesAux' SUP groupOfUniqueNames
AUXILIARY MAY (memberQueryURL $ excludedMember $ dgIdentity ))
This auxiliary object class is used to convert an existing object to
a dynamic group of unique names or to create an object of another
object class but with dynamic group capabilities. This is derived
from groupOfUniqueNames which is defined in [4].
Haripriya, et al. Expires July 9, 2007 [Page 7]
Internet-Draft LDAP: Dynamic Groups for LDAPv3 January 2007
4.2. Attributes
The following attribute names MUST be supported by the server.
4.2.1. memberQueryURL
This attribute describes the membership of the list using an LDAPURL
[3].
(<OID.TBD> NAME 'memberQueryURL' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
The value of memberQueryURL is encoded as an LDAPURL [3]
Haripriya, et al. Expires July 9, 2007 [Page 8]
Internet-Draft LDAP: Dynamic Groups for LDAPv3 January 2007
The BNF from [3] is listed here for reference.
ldapurl = scheme COLON SLASH SLASH [host [COLON port]] [SLASH dn
[QUESTION [attributes] [QUESTION [scope] [QUESTION [filter] [QUESTION
extensions]]]]]
; <host> and <port> are defined
; in Sections 3.2.2 and 3.2.3
; of [RFC3986].
; <filter> is from Section 3 of
; [RFC4515], subject to the
; provisions of the
; "Percent-Encoding" section
; below.
scheme = "ldap"
dn = distinguishedName ; From Section 3 of [RFC4514],
; subject to the provisions of
; the "Percent-Encoding"
; section below.
attributes = attrdesc *(COMMA attrdesc)
attrdesc = selector *(COMMA selector)
selector = attributeSelector ; From Section 4.5.1 of
; [RFC4511], subject to the
; provisions of the
; "Percent-Encoding" section
; below.
scope = "base" / "one" / "sub"
extensions = extension *(COMMA extension)
extension = [EXCLAMATION] extype [EQUALS exvalue]
extype = oid ; From section 1.4 of [RFC4512].
exvalue = LDAPString ; From section 4.1.2 of
; [RFC4511], subject to the
; provisions of the
; "Percent-Encoding" section
; below.
EXCLAMATION = %x21 ; exclamation mark ("!")
SLASH = %x2F ; forward slash ("/")
COLON = %x3A ; colon (":")
QUESTION = %x3F ; question mark ("?")
For the purpose of evaluating dynamic members, the directory server
uses only the dn, scope, filter and extensions fields. All remaining
fields are ignored if specified. If other fields are specified, the
server SHALL ignore them and MAY omit them when presenting the value
to a client. The dn is used to specify the base dn from which to
start the search for dynamic members. The scope specifies the scope
with respect to the dn in which to search for dynamic members. The
filter specifies the criteria with which to select objects for
dynamic membership.
Haripriya, et al. Expires July 9, 2007 [Page 9]
Internet-Draft LDAP: Dynamic Groups for LDAPv3 January 2007
4.2.1.1. The x-chain extension
A new extension is defined for use of the memberQueryURL in dynamic
groups, named 'x-chain'. x-chain does not take a value. When x-chain
is present, the server must follow any search continuation references
to other servers while searching for dynamic members. When x-chain
is absent, the dynamic members computed will be only those that are
present on the server from which the search is made. A directory
server supporting the memberQueryURL MAY support the x-chain
extension, thus the x-chain extension could be critical or non-
critical as specified by the '!' prefix to the extension type.
4.2.1.2. Semantics of multiple values for memberQueryURL
The memberQueryURL MAY have multiple values, and in that case, the
members of the dynamic group will be the union of the members
computed using each individual URL value. This is useful in
specifying a group membership that is made up from subtrees rooted at
different base DNs, and possibly using different filters.
4.2.1.3. Condition of membership
An object O is a member of a dynamic group G if and only if
(( O is a value of the 'member' or 'uniqueMember' attribute of G)
OR
(( O is selected by the membership criteria specified in the
'memberQueryURL' attribute values of G)
AND
( O is not listed in the 'excludedMember' attribute of G) ))
If a member M of a dynamic group G happens to be a dynamic or a
static group, the static or dynamic members of M SHALL NOT be
considered as members of G. M is a member of G though.
The last condition is imposed because
o Recursively evaluating members of members may degrade the
performance of the server drastically.
o Looping may occur particularly in situations where the search
chains across multiple-servers.
Haripriya, et al. Expires July 9, 2007 [Page 10]
Internet-Draft LDAP: Dynamic Groups for LDAPv3 January 2007
o Dynamic membership assertions (compare operation) cannot be
optimized if recursive memberships are allowed. Without
recursion, comparisons can be made light-weight.
4.2.2. excludedMember
( <OID.TBD> NAME 'excludedMember' SUP distinguishedName )
This attribute is used to exclude entries from being a dynamic member
of a dynamic group. Thus an entry is a dynamic member of a dynamic
group if and only if it is selected by the member criteria specified
by the 'memberQueryURL' attribute or explicitly added to the member
or uniqueMember attribute, and it is not listed in the
'excludedMember' attribute.
4.3. member
( 2.5.4.31 NAME 'member' SUP distinguishedName )
Defined in [4], this attribute is overloaded when used in the context
of a dynamic group. It is used to explicitly specify static members
of a dynamic group. If the same entry is listed in both the 'member'
and 'excludedMember' attributes, the 'member' overrides the
'excludedMember', and the entry is considered to be a member of the
group. This attribute is also used to interrogate both the static
and dynamic member values of a dynamic group object. Subclasses of
this attribute are NOT considered in this manner.
4.4. uniqueMember
( 2.5.4.32 NAME 'uniqueMember' SUP distinguishedName )
Defined in [4], this attribute is overloaded when used in the context
of a dynamic group. It is used to specify the static members of a
dynamic group. If the same entry is listed in both the
'uniqueMember' and 'excludedMember' attributes, the 'uniqueMember'
overrides the 'excludedMember', and the entry is considered to be a
member of the group. This attribute is also used to interrogate both
the static and dynamic member values of a dynamic group object.
Subclasses of this attribute are NOT considered in this manner.
4.5. dgIdentity
( <OID.TBD> NAME 'identity' SUP distinguishedName SINGLE-VALUE )
In order to provide consistent results when processing the search
criteria, the server must use a single authorization identity. If
the authorization of the bound identity is used, the membership list
Haripriya, et al. Expires July 9, 2007 [Page 11]
Internet-Draft LDAP: Dynamic Groups for LDAPv3 January 2007
will vary, from identity to identity due to differing access
controls. This may either be done by the server authenticating as
the dgIdentity prior to performing a search or compare operation, or
may be done by simply assuming the authorization of the dgIdentity
when performing those operations. As server implementations vary, so
may the mechanisms to achieve consistent results through the use of
the dgIdentity. In the case that the server authenticates as the
dgIdentity, it may be required by the server that this identity have
proper authentication credentials, and it may be required that this
identity reside in the DIB of the local server.
In the absence of an identity value, or in case the identity value
cannot be used, the server will process the memberQueryURL as the
anonymous identity. This attribute MAY be supported, and represents
the identity the server will use for processing the memberQueryURL.
4.5.1. dgIdentity - Security implications
Because this attribute indirectly but effectively grants anyone with
read or compare access to the member or uniqueMember attribute
sufficient permission to gain a DN result set from the
memberQueryURL, server implementations SHOULD NOT allow this
attribute to be populated with the DN of any object that is not
administered by the identity making the change to this attribute.
For purposes of this document, to "administer an object" indicates
that the administrative identity has the ability to fully update the
access control mechanism in place the object in question. As of this
writing, there is no way to describe further what it means to be
fully able to administer the access control mechanism for an object,
so this definition is left as implementation-specific.
This requirement will allow an entity that has privileges to
administer a particular subtree (meaning that entity can add, delete,
and update objects in that subtree), to place in the dgIdentity DNs
of only those objects it administers.
Haripriya, et al. Expires July 9, 2007 [Page 12]
Internet-Draft LDAP: Dynamic Groups for LDAPv3 January 2007
5. Advertisement of support for dynamic groups
If the dynamic groups schema is not present on an LDAP server, it
MUST be assumed that the dynamic groups feature is not supported.
Haripriya, et al. Expires July 9, 2007 [Page 13]
Internet-Draft LDAP: Dynamic Groups for LDAPv3 January 2007
6. Dynamic Group Operations
6.1. Existing Operations
The following operations SHOULD expose the dynamic groups
functionality. These operations do not require any change in the
LDAP protocol to be exchanged between the client and server.
6.1.1. Access to resources in the directory
If access control items are set on a target resource object in the
directory, with the subject being a dynamic group object, then all
the members of the group object, including the dynamic members, will
get the same permissions on the target entry. This would be the most
useful application of dynamic groups as seen by an administrator
because it lets the server control access to resources based on
dynamic membership to a trustee (subject of ACI) of the resource.
The way to specify a dynamic ACL is currently implementation
specific, as there is no common ACL definition for LDAP, and hence
will be dealt with in a separate document or later (TO BE DONE).
6.1.2. Reading a dynamic group object
When the member attributes of a dynamic group object is listed by the
client using an LDAP search operation, the member values returned
SHOULD contain both the static and dynamic members of the group
object. This functionality will not require a change to the
protocol, and the clients need not be aware of dynamic groups to
exploit this functionality. This feature is useful for clients that
determine access privileges to a resource by themselves, by reading
the members of a group object. It will also be useful to
administrators who want to see the result of the query URL that they
set on the dynamic group entry. Note that this overloads the
semantics of the 'member' and 'uniqueMember' attributes. This could
lead to some surprises for the client .
for example: Clients that read the member attribute of a dynamic
group object and then attempt to remove values (which were dynamic)
could get an error specifying such a value was not there.
Example:
Let cn=dg1,o=myorg be a dynamic group object with the following
attributes stored in the directory.
Haripriya, et al. Expires July 9, 2007 [Page 14]
Internet-Draft LDAP: Dynamic Groups for LDAPv3 January 2007
member: cn=admin,o=myorg
excludedMember: cn=guest,ou=finance,o=myorg
excludedMember: cn=robin,ou=finance,o=myorg
memberQueryURL:
ldap:///ou=finance,o=myorg??sub?(objectclass=organizationalPerson)
If there are 5 organizationalPerson objects under ou=finance,o=myorg
with common names bob, alice, john, robin, and guest, then the output
of a base-scope LDAP search at cn=dg1,o=myorg, with the attribute
list containing 'member' will be as follows:
dn: cn=dg1,o=myorg
member: cn=admin,o=myorg
member: cn=bob,ou=finance,o=myorg
member: cn=alice,ou=finance,o=myorg
member: cn=john,ou=finance,o=myorg
6.1.3. 'Is Member Of' functionality
The LDAP compare operation allows one to discover whether a given DN
is in the membership list of a dynamic group. Again, the server
SHOULD produce consistent results among different authorization
identities when processing this request, as long as those identities
have the same access to the member or uniqueMember attribute. Using
the data from the example in Section 6.1.2, a compare on
cn=dg1,o=myorg, for the AVA member=cn=bob,ou=finance,o=myorg would
result in a response of compareTrue (assuming the bound identity was
authorized to compare the member attribute of cn=dg1,o=myorg).
Likewise, a search operation that contains an equalityMatch or
presence filter, naming the member or uniqueMember attribute as the
attribute (such as (member= cn=bob,ou=finance,o=myorg), or
(member=*)), will cause the server to evaluate this filter against
the rules given in Section 4.2.1.3 in the event that the search is
performed on a dynamic group object. As of this writing, no other
matching rules exist for the distinguished name syntax, thus no
requirements beyond equalityMatch are given here.
Haripriya, et al. Expires July 9, 2007 [Page 15]
Internet-Draft LDAP: Dynamic Groups for LDAPv3 January 2007
6.2. New Extensions
The following new extensions are added for dynamic group support.
6.2.1. Managing the static members of a dynamic group
Because a dynamic group overloads the semantics of the member and
uniqueMember attributes, a mechanism is needed to retrieve the static
values found in these attributes for management purposes. To serve
this need, a new attribute option is defined here called 'x-static'.
Attribute options are discussed in Section 2.5 of [2]. This option
SHALL only be specified with the 'member' or 'uniqueMember'
attribute. When the LDAP server does not understand the semantics of
this option on a given attribute, the option SHOULD be ignored. This
attribute option is only used to affect the transmitted values, and
does not impose sub-typing semantics on the attribute.
This option MAY be specified by a client during a search request in
the list of attributes to be returned, i.e. member;x-static. In this
case, the server SHALL only return those members of the dynamic group
that are statically listed as values of the member or uniqueMember
attribute. The evaluation process listed in Section 9 SHALL NOT be
used to populate the values to be returned.
This option MAY be specified is either an equalityMatch or presence
search filter. In this case, the server evaluates only the values
statically listed in the member or uniqueMember attribute, and does
not apply the evaluation process listed in Section 9.
This option MAY be specified in update operations such as add and
modify, but SHOULD be ignored, as its presence is semantically the
same as its non-presence.
Note to user: Performing a search to read a dynamic group, with a
filter item such as (member=*), and specifying member;x-static, may
result in a search result entry that has no member attribute. This
may seem counter-intuitive.
Haripriya, et al. Expires July 9, 2007 [Page 16]
Internet-Draft LDAP: Dynamic Groups for LDAPv3 January 2007
7. Performance Considerations
When the x-chain extension is present on the memberQueryURL, the
server MUST follow any search continuation references to other
servers while searching for dynamic members. This may be expensive
and slow in a true distributed environment. The dynamicGroup
implementation can consider a distributed caching feature to improve
the performance. An outline of such a distributed caching is given
below.
7.1. Caching of Dynamic Members
Since the dynamic members of a group are computed every time the
group is accessed, the performance could be affected. An
implementation of dynamic groups can get around this problem by
caching the computed members of a dynamic group locally and using the
cached data subsequently. One way to do this is to create pseudo-
objects for each dynamic group on every server that holds an object
that is a dynamic member of the group. With this, the computation of
the dynamic members of a group reduces to the task of reading the
pseudo-objects from each server. These pseudo-objects need to be
linked from the original dynamic group to speed up the member
computation. Also, since these are cached objects, appropriate
timeouts need to be associated with the cache after which the cache
should be invalidated or refreshed
Haripriya, et al. Expires July 9, 2007 [Page 17]
Internet-Draft LDAP: Dynamic Groups for LDAPv3 January 2007
8. Security Considerations
This document discusses the use of one object as the identity
(Section 4.5) with which to read information for another object. If
the creation of the dgIdentity attribute is uncontrolled, an intruder
could potentially create a dynamic group with the identity of, say,
the administrator, to be able to read the directory as the
administrator, and see information which would be otherwise
unavailable to him. Thus, a person adding an object as identity of a
dynamic group should have appropriate permissions on the object being
added as identity.
This document also discusses using dynamic memberships to provide
access for resources in a directory. As the dynamic members are not
created by the administrator, there could be surprises for the
administrator in the form of certain objects getting access to
certain resources through dynamic membership, which the administrator
never intended. So the administrator should be wary of such
problems. The administrator could view the memberships and make sure
that anybody who is not supposed to be a member of a group is added
to the excludedMember list.
Denial of service attacks can be launched on an LDAP server, by
repeatedly searching for a dynamic group with a large membership list
and listing the member attribute. A more effective form of denial of
service attack could be launched by making searches of the form
(member="somedn") at the top of tree and closing the client
connection as soon as the search starts. Some administrative limits
be imposed to avoid such situations.
The dynamic groups feature could be potentially misused by a user to
circumvent any administrative size-limit restriction placed on the
server. In order to search an LDAP server and obtain the names of
all the objects on the server irrespective of admin size-limit
restriction on the server, the LDAP user could create a dynamic group
with a memberQueryURL which matches all objects in the tree, and list
just that one object.
Haripriya, et al. Expires July 9, 2007 [Page 18]
Internet-Draft LDAP: Dynamic Groups for LDAPv3 January 2007
9. IANA Considerations
There are no IANA considerations.
Haripriya, et al. Expires July 9, 2007 [Page 19]
Internet-Draft LDAP: Dynamic Groups for LDAPv3 January 2007
10. Conclusions
This document discusses the syntax, semantics and usage of dynamic
groups in LDAPv3.
Haripriya, et al. Expires July 9, 2007 [Page 20]
Internet-Draft LDAP: Dynamic Groups for LDAPv3 January 2007
11. Normative References
[1] Bradner, S., "Key words for use in RFCs to Indicate Requirement
Levels", BCP 14, RFC 2119, March 1997.
[2] Zeilenga, K., "Lightweight Directory Access Protocol (LDAP):
Directory Information Models", RFC 4512, June 2006.
[3] Smith, M. and T. Howes, "Lightweight Directory Access Protocol
(LDAP): Uniform Resource Locator", RFC 4516, June 2006.
[4] Sciberras, A., "Lightweight Directory Access Protocol (LDAP):
Schema for User Applications", RFC 4519, June 2006.
Haripriya, et al. Expires July 9, 2007 [Page 21]
Internet-Draft LDAP: Dynamic Groups for LDAPv3 January 2007
Appendix A. Example Values for memberQueryURL
1. This memberQueryURL value specifies the membership criteria for a
dynamic group entry as "all inetorgperson entries that also have
their title attribute set to 'manager', and are in the DIT-wide
subtree under ou=hr,o=myorg ".
memberQueryURL: ldap:///
ou=hr,o=myorg??sub?(&
(objectclass=inetorgperson)(title=manager))? x-chain
2. This value lets the user specify the membership criteria for a
dynamic group entry as "all entries on the local server, that
either have unix accounts or belong to the unix department, and
are under the engineering container ".
memberQueryURL: ldap:///ou=eng,o=myorg??sub?
(|(objectclass=posixaccount)(department=unix))
3. These values let the user specify the membership criteria as "all
inetorgperson entries on the local server, in either the
ou=eng,o=myorg or ou=support,o=myorg" subtrees.
memberQueryURL:
ldap:///ou=eng,o=myorg??sub?(objectclass=inetorgperson)
memberQueryURL:
ldap:///ou=support,o=myorg??sub?(objectclass=inetorgperson)
Haripriya, et al. Expires July 9, 2007 [Page 22]
Internet-Draft LDAP: Dynamic Groups for LDAPv3 January 2007
Appendix B. Acknowledgments
Funding for the RFC Editor function is currently provided by the
Internet Society.
Haripriya, et al. Expires July 9, 2007 [Page 23]
Internet-Draft LDAP: Dynamic Groups for LDAPv3 January 2007
Authors' Addresses
Haripriya S
Novell, Inc.
49/1 & 49/3 Garvebhavi Palya,
7th Mile, Hosur Road
Bangalore, Karnataka 560068
India
Email: sharipriya@novell.com
Jaimon Jose (editor)
Novell, Inc.
49/1 & 49/3 Garvebhavi Palya,
7th Mile, Hosur Road
Bangalore, Karnataka 560068
India
Email: jjaimon@novell.com
Jim Sermersheim
Novell, Inc.
1800 South Novell Place
Provo, Utah 84606
US
Email: jimse@novell.com
Haripriya, et al. Expires July 9, 2007 [Page 24]
Internet-Draft LDAP: Dynamic Groups for LDAPv3 January 2007
Full Copyright Statement
Copyright (C) The Internet Society (2007).
This document is subject to the rights, licenses and restrictions
contained in BCP 78, and except as set forth therein, the authors
retain all their rights.
This document and the information contained herein are provided on an
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Intellectual Property
The IETF takes no position regarding the validity or scope of any
Intellectual Property Rights or other rights that might be claimed to
pertain to the implementation or use of the technology described in
this document or the extent to which any license under such rights
might or might not be available; nor does it represent that it has
made any independent effort to identify any such rights. Information
on the procedures with respect to rights in RFC documents can be
found in BCP 78 and BCP 79.
Copies of IPR disclosures made to the IETF Secretariat and any
assurances of licenses to be made available, or the result of an
attempt made to obtain a general license or permission for the use of
such proprietary rights by implementers or users of this
specification can be obtained from the IETF on-line IPR repository at
http://www.ietf.org/ipr.
The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary
rights that may cover technology that may be required to implement
this standard. Please address the information to the IETF at
ietf-ipr@ietf.org.
Acknowledgment
Funding for the RFC Editor function is provided by the IETF
Administrative Support Activity (IASA).
Haripriya, et al. Expires July 9, 2007 [Page 25]
Reference in New Issue View Git Blame Copy Permalink